8397681fb127b7050397870b95f23d310f2e62ee5c2e3a7410d2daeec99e9e06

General

Target

8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
Size

234KB
MD5

8d97ea0aeb6dbb5bfe61a2a45809dd90
SHA1

c2abdfefadc76b9f78b500f5b3aba9321a5d42e1
SHA256

8397681fb127b7050397870b95f23d310f2e62ee5c2e3a7410d2daeec99e9e06
SHA512

b199abfc0abe5f46873ceaccd287e973a6285d40caeb9320f126bfdc081f4bbd8dc706a2a2ca74a305fd5666772db877cb6bc1ea35448585941b1f191405779e

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

8d97ea0aeb6dbb5bfe61a2a45809dd90.exe

pid process

972 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

984 568 WerFault.exe 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

984 WerFault.exe
984 WerFault.exe
984 WerFault.exe
984 WerFault.exe
984 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

984 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 984 WerFault.exe

pid	process
972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe

pid	pid_target	process	target process
984	568	WerFault.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe

pid	process
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe

pid	process
984	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	984	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

8d97ea0aeb6dbb5bfe61a2a45809dd90.exe8d97ea0aeb6dbb5bfe61a2a45809dd90.exe

C:\Users\Admin\AppData\Local\Temp\8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
"C:\Users\Admin\AppData\Local\Temp\8d97ea0aeb6dbb5bfe61a2a45809dd90.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Local\Temp\8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
"C:\Users\Admin\AppData\Local\Temp\8d97ea0aeb6dbb5bfe61a2a45809dd90.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 148
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:984

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyC775.tmp\vskgzcgvn.dll
MD5
879fe70b7d9b58770c4c5ff43b6af498

SHA1
f9fd57ae071014e5ccb32440ee52d2c51166a0c3

SHA256
cabc6346c99a2f74c7cac1d4c1f83538cce9b0047c8437e240af03338b73f192

SHA512
49a6740fea7f230da9808b46b6f2f896c05894b4dad923cbdd1fec0859e4bd4afc2fddca4655b7d2e3553e5e36605f73db2b64fde9a509a4fcf957eec87d3773

Download Submit
memory/568-56-0x0000000000000000-mapping.dmp

Download
memory/568-57-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/568-61-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/972-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/984-66-0x0000000000000000-mapping.dmp

Download
memory/984-68-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 972 wrote to memory of 568	972	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
PID 568 wrote to memory of 984	568	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	WerFault.exe
PID 568 wrote to memory of 984	568	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	WerFault.exe
PID 568 wrote to memory of 984	568	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	WerFault.exe
PID 568 wrote to memory of 984	568	8d97ea0aeb6dbb5bfe61a2a45809dd90.exe	WerFault.exe

Analysis

Sharing