b6e733ab666b1da84873a1d50a0b82a81c813675139dfd861c2f17ac2821c8f2

General

Target

USpPWZaRkFLuDM6.exe
Size

493KB
MD5

e6b1adea3e2f52660db88c0bf8cd7549
SHA1

b8697dd1d2ac11f5639bfe9cad858a56704e3451
SHA256

b6e733ab666b1da84873a1d50a0b82a81c813675139dfd861c2f17ac2821c8f2
SHA512

2baee2e15a1f21861116a901054a89b6f772d1b2d3e2bc0329ebb39479847d01688db63ac0892aecfec2a3794f929a0e5a2f6dada1933915ea974df0066bfc97

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1152 1896 WerFault.exe USpPWZaRkFLuDM6.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1792 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

WerFault.exepowershell.exe

pid process

1152 WerFault.exe
1152 WerFault.exe
1152 WerFault.exe
1152 WerFault.exe
1152 WerFault.exe
916 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1152 WerFault.exe
Token: SeDebugPrivilege 916 powershell.exe

pid	pid_target	process	target process
1152	1896	WerFault.exe	USpPWZaRkFLuDM6.exe

pid	process
1792	schtasks.exe

pid	process
1152	WerFault.exe
1152	WerFault.exe
1152	WerFault.exe
1152	WerFault.exe
1152	WerFault.exe
916	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1152	WerFault.exe
Token: SeDebugPrivilege	916	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

USpPWZaRkFLuDM6.exe

description	pid	process	target process
PID 1896 wrote to memory of 916	1896	USpPWZaRkFLuDM6.exe	powershell.exe
PID 1896 wrote to memory of 916	1896	USpPWZaRkFLuDM6.exe	powershell.exe
PID 1896 wrote to memory of 916	1896	USpPWZaRkFLuDM6.exe	powershell.exe
PID 1896 wrote to memory of 916	1896	USpPWZaRkFLuDM6.exe	powershell.exe
PID 1896 wrote to memory of 1792	1896	USpPWZaRkFLuDM6.exe	schtasks.exe
PID 1896 wrote to memory of 1792	1896	USpPWZaRkFLuDM6.exe	schtasks.exe
PID 1896 wrote to memory of 1792	1896	USpPWZaRkFLuDM6.exe	schtasks.exe
PID 1896 wrote to memory of 1792	1896	USpPWZaRkFLuDM6.exe	schtasks.exe
PID 1896 wrote to memory of 1152	1896	USpPWZaRkFLuDM6.exe	WerFault.exe
PID 1896 wrote to memory of 1152	1896	USpPWZaRkFLuDM6.exe	WerFault.exe
PID 1896 wrote to memory of 1152	1896	USpPWZaRkFLuDM6.exe	WerFault.exe
PID 1896 wrote to memory of 1152	1896	USpPWZaRkFLuDM6.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\USpPWZaRkFLuDM6.exe
"C:\Users\Admin\AppData\Local\Temp\USpPWZaRkFLuDM6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\whGVdnTblOsvRu.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\whGVdnTblOsvRu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9AB9.tmp"
2⤵
- Creates scheduled task(s)
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 988
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9AB9.tmp
MD5
4c056683cd46c5cea84f8abf8eee5a9c

SHA1
e183222fb6c30836e3928b45dd8c9dd8735d3136

SHA256
275f20d578f202432dd38830fcf7c994ff3cb252669644403696b44a48f302fc

SHA512
585f59a065d790640142ef3b7210538a5483627de38f3ae1b1a06bc7ec7d40660d56d232f86b9cbb713ea347e029a21b0d15ba28d635fa3f8a65578b2ffc47af

Download Submit
memory/916-69-0x00000000023F0000-0x000000000303A000-memory.dmp

Filesize
12.3MB

Download
memory/916-68-0x00000000023F0000-0x000000000303A000-memory.dmp

Filesize
12.3MB

Download
memory/916-66-0x00000000023F0000-0x000000000303A000-memory.dmp

Filesize
12.3MB

Download
memory/916-61-0x0000000000000000-mapping.dmp

Download
memory/1152-67-0x0000000001D60000-0x0000000001DE2000-memory.dmp

Filesize
520KB

Download
memory/1152-65-0x0000000000000000-mapping.dmp

Download
memory/1792-62-0x0000000000000000-mapping.dmp

Download
memory/1896-55-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/1896-60-0x0000000005DC0000-0x0000000005E2F000-memory.dmp

Filesize
444KB

Download
memory/1896-59-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/1896-58-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/1896-57-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads