511f5c0a9946188ad3dbbb58c2e2e5564402d83dd77379a39c8a17c660a737da

General

Target

8efc94a68d078ed67459403c868aa9f0.exe
Size

238KB
MD5

8efc94a68d078ed67459403c868aa9f0
SHA1

64da6737b14dc11fb68fe4aef22981219ecbfd9f
SHA256

511f5c0a9946188ad3dbbb58c2e2e5564402d83dd77379a39c8a17c660a737da
SHA512

5fd1f0fb7113d11e5ee7921581da43a4b04c2afeecca9fbd623cae5ef2b19955cd456fd7ac230eeab344e12e6452b780f616b90a00ccc1f1606a443a54f5a9f6

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

8efc94a68d078ed67459403c868aa9f0.exe

pid process

852 8efc94a68d078ed67459403c868aa9f0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1548 1612 WerFault.exe 8efc94a68d078ed67459403c868aa9f0.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1548 WerFault.exe
1548 WerFault.exe
1548 WerFault.exe
1548 WerFault.exe
1548 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1548 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1548 WerFault.exe

pid	process
852	8efc94a68d078ed67459403c868aa9f0.exe

pid	pid_target	process	target process
1548	1612	WerFault.exe	8efc94a68d078ed67459403c868aa9f0.exe

pid	process
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe

pid	process
1548	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1548	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

8efc94a68d078ed67459403c868aa9f0.exe8efc94a68d078ed67459403c868aa9f0.exe

C:\Users\Admin\AppData\Local\Temp\8efc94a68d078ed67459403c868aa9f0.exe
"C:\Users\Admin\AppData\Local\Temp\8efc94a68d078ed67459403c868aa9f0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\8efc94a68d078ed67459403c868aa9f0.exe
"C:\Users\Admin\AppData\Local\Temp\8efc94a68d078ed67459403c868aa9f0.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 148
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1548

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst57E.tmp\edjaxef.dll
MD5
91b963a246288264ddf484d3b69741a1

SHA1
15168c8dd766c2046f891e085e08fae5a368665d

SHA256
8477871a37fc72bdc5eaec5d690e67421209e6fbeb3b6d278044de3686df650c

SHA512
99fd9259be65abef388a7763cbd7b3de5252bcd3827a36bf970989a73e87b76c35cfab6bc6c035057b5e1a78f924585577ffb9f88500fc300ed727955de72652

Download Submit
memory/852-54-0x00000000768C1000-0x00000000768C3000-memory.dmp

Filesize
8KB

Download
memory/1548-66-0x0000000000000000-mapping.dmp

Download
memory/1548-68-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1612-57-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/1612-56-0x0000000000000000-mapping.dmp

Download
memory/1612-61-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download

description	pid	process	target process
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 852 wrote to memory of 1612	852	8efc94a68d078ed67459403c868aa9f0.exe	8efc94a68d078ed67459403c868aa9f0.exe
PID 1612 wrote to memory of 1548	1612	8efc94a68d078ed67459403c868aa9f0.exe	WerFault.exe
PID 1612 wrote to memory of 1548	1612	8efc94a68d078ed67459403c868aa9f0.exe	WerFault.exe
PID 1612 wrote to memory of 1548	1612	8efc94a68d078ed67459403c868aa9f0.exe	WerFault.exe
PID 1612 wrote to memory of 1548	1612	8efc94a68d078ed67459403c868aa9f0.exe	WerFault.exe

Analysis

Sharing