6b869d8825516d0b977d48043d1d56d233de7b128074b068566dc33e0ff9fdb7

General

Target

dd6f97becdd24e1c2c1b7662bb3760aa.exe
Size

745KB
MD5

dd6f97becdd24e1c2c1b7662bb3760aa
SHA1

a2894d09e5fc6f0a5ee5ec27119b02ecbc2d9a79
SHA256

6b869d8825516d0b977d48043d1d56d233de7b128074b068566dc33e0ff9fdb7
SHA512

f352c4cfc3d878287e0f6a783ab803eccba5aee872321e18f2c6c15bca9aad6a47c441e52cb03b88f77cc853ee33988198703cdfbbc0bff0097163125c7e3cda

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1568 1496 WerFault.exe dd6f97becdd24e1c2c1b7662bb3760aa.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

976 schtasks.exe

pid	pid_target	process	target process
1568	1496	WerFault.exe	dd6f97becdd24e1c2c1b7662bb3760aa.exe

pid	process
976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

dd6f97becdd24e1c2c1b7662bb3760aa.exeWerFault.exepowershell.exepowershell.exe

pid	process
1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe
1340	powershell.exe
1560	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1568 WerFault.exe

pid	process
1568	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dd6f97becdd24e1c2c1b7662bb3760aa.exeWerFault.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe
Token: SeDebugPrivilege	1568	WerFault.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

dd6f97becdd24e1c2c1b7662bb3760aa.exe

description	pid	process	target process
PID 1496 wrote to memory of 1340	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	powershell.exe
PID 1496 wrote to memory of 1340	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	powershell.exe
PID 1496 wrote to memory of 1340	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	powershell.exe
PID 1496 wrote to memory of 1340	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	powershell.exe
PID 1496 wrote to memory of 1560	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	powershell.exe
PID 1496 wrote to memory of 1560	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	powershell.exe
PID 1496 wrote to memory of 1560	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	powershell.exe
PID 1496 wrote to memory of 1560	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	powershell.exe
PID 1496 wrote to memory of 976	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	schtasks.exe
PID 1496 wrote to memory of 976	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	schtasks.exe
PID 1496 wrote to memory of 976	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	schtasks.exe
PID 1496 wrote to memory of 976	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	schtasks.exe
PID 1496 wrote to memory of 1568	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	WerFault.exe
PID 1496 wrote to memory of 1568	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	WerFault.exe
PID 1496 wrote to memory of 1568	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	WerFault.exe
PID 1496 wrote to memory of 1568	1496	dd6f97becdd24e1c2c1b7662bb3760aa.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\dd6f97becdd24e1c2c1b7662bb3760aa.exe
"C:\Users\Admin\AppData\Local\Temp\dd6f97becdd24e1c2c1b7662bb3760aa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dd6f97becdd24e1c2c1b7662bb3760aa.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PssjBtDrVeeF.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PssjBtDrVeeF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp650A.tmp"
2⤵
- Creates scheduled task(s)
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1036
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1568

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp650A.tmp
MD5
23e60a934bbd0e7eef2f602052ac1938

SHA1
79d7fb8a11e0e3ff3f0243d0335f80fbe8a3c3d8

SHA256
c64a259d20536a4c89220115caeadeb62d9f38f5b8ff12ee065691bc23bdd3fa

SHA512
b85caac91981bf4d45de839b50acd8c09e3f8c7bc6a42047eaec6e079871b2ee5c705929af291237e760ccb792ad2a2561f356321bcbf050e4624b4688557488

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
a681b8fa56301f5bade1db6bd09f182e

SHA1
04f5496b31109ce7fd5a91a979a15166db166620

SHA256
e7d69529795ec42d9cdd51be9b05885388d2a3cbf966694f761fe56676fda0bb

SHA512
249b643db2125bf83538b2064dd990210d64c051826e93c0732d6ae0c5e6d40de673c92491ad7a5d2e3bfd1e11fe9f021ed3ff0f65809a9c3c40bc7d3523f84f

Download Submit
memory/976-63-0x0000000000000000-mapping.dmp

Download
memory/1340-60-0x0000000000000000-mapping.dmp

Download
memory/1340-69-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/1340-61-0x0000000074E51000-0x0000000074E53000-memory.dmp

Filesize
8KB

Download
memory/1340-73-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/1340-72-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/1496-59-0x00000000082D0000-0x000000000835A000-memory.dmp

Filesize
552KB

Download
memory/1496-57-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/1496-58-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/1496-55-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/1560-68-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1560-70-0x0000000000391000-0x0000000000392000-memory.dmp

Filesize
4KB

Download
memory/1560-71-0x0000000000392000-0x0000000000394000-memory.dmp

Filesize
8KB

Download
memory/1560-62-0x0000000000000000-mapping.dmp

Download
memory/1568-67-0x0000000000000000-mapping.dmp

Download
memory/1568-74-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads