99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f

General

Target

df330ab2a2e5aa4ac947315ee3f93992.exe
Size

230KB
MD5

df330ab2a2e5aa4ac947315ee3f93992
SHA1

76b5d1eee342b47fe58e2136a067712cbd210351
SHA256

99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
SHA512

e65f573d68e8f198024028d553210095173d1551e6074b60d9543977116a0286f75641f4692049a49e6cd03729b001027136419d6cf0c71645e800d5522ed895

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

df330ab2a2e5aa4ac947315ee3f93992.exe

pid process

792 df330ab2a2e5aa4ac947315ee3f93992.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

288 1148 WerFault.exe df330ab2a2e5aa4ac947315ee3f93992.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

288 WerFault.exe
288 WerFault.exe
288 WerFault.exe
288 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

288 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 288 WerFault.exe

pid	process
792	df330ab2a2e5aa4ac947315ee3f93992.exe

pid	pid_target	process	target process
288	1148	WerFault.exe	df330ab2a2e5aa4ac947315ee3f93992.exe

pid	process
288	WerFault.exe
288	WerFault.exe
288	WerFault.exe
288	WerFault.exe

pid	process
288	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	288	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

df330ab2a2e5aa4ac947315ee3f93992.exedf330ab2a2e5aa4ac947315ee3f93992.exe

C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe
"C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe
"C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 148
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:288

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsiC7B3.tmp\oxtrp.dll
MD5
c2c405109b51233def2b5bf15ffd2308

SHA1
14debd98b26edba7788aafcaa41f1d32e8fe1cbc

SHA256
7e16ed39ba05c887e6d1b470b6cc8de06fd67ed81fb2da85f645cfbc643ca154

SHA512
1c209d4110dc5295d5ba951cf5a22d62ab1bf65d9b5bf66f4c6a2e8e2f2cfd339f06cddf6b956d5f9a567ec8206d607753833ce94e14149d5bbc1b596c91b80b

Download Submit
memory/288-66-0x0000000000000000-mapping.dmp

Download
memory/288-68-0x0000000000840000-0x000000000086E000-memory.dmp

Filesize
184KB

Download
memory/792-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1148-56-0x0000000000000000-mapping.dmp

Download
memory/1148-57-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/1148-61-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download

description	pid	process	target process
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 792 wrote to memory of 1148	792	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 1148 wrote to memory of 288	1148	df330ab2a2e5aa4ac947315ee3f93992.exe	WerFault.exe
PID 1148 wrote to memory of 288	1148	df330ab2a2e5aa4ac947315ee3f93992.exe	WerFault.exe
PID 1148 wrote to memory of 288	1148	df330ab2a2e5aa4ac947315ee3f93992.exe	WerFault.exe
PID 1148 wrote to memory of 288	1148	df330ab2a2e5aa4ac947315ee3f93992.exe	WerFault.exe

Analysis

Sharing