c004cf20f130b80a6a52e8999ed94795d1fd9f8ae35ccda173bcb2cbeccf3888

General

Target

d1279da0ffbc04887863ac95a894f275.exe
Size

543KB
MD5

d1279da0ffbc04887863ac95a894f275
SHA1

b0e8eccb61fd44315e03101ee0084367a8379295
SHA256

c004cf20f130b80a6a52e8999ed94795d1fd9f8ae35ccda173bcb2cbeccf3888
SHA512

8e723b67cb0fdfd2273b44e04c38ab5fe0c7297153cd3296786cd2dae05cd01ab891086d40f5a21e44e9e4d51f81a7d78be7ab538447d53168ec316156c8bde6

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1880 1100 WerFault.exe d1279da0ffbc04887863ac95a894f275.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1436 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

WerFault.exepowershell.exe

pid process

1880 WerFault.exe
1880 WerFault.exe
1880 WerFault.exe
1880 WerFault.exe
1880 WerFault.exe
1924 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1880 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1880 WerFault.exe
Token: SeDebugPrivilege 1924 powershell.exe

pid	pid_target	process	target process
1880	1100	WerFault.exe	d1279da0ffbc04887863ac95a894f275.exe

pid	process
1436	schtasks.exe

pid	process
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1880	WerFault.exe
1924	powershell.exe

pid	process
1880	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1880	WerFault.exe
Token: SeDebugPrivilege	1924	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d1279da0ffbc04887863ac95a894f275.exe

description	pid	process	target process
PID 1100 wrote to memory of 1924	1100	d1279da0ffbc04887863ac95a894f275.exe	powershell.exe
PID 1100 wrote to memory of 1924	1100	d1279da0ffbc04887863ac95a894f275.exe	powershell.exe
PID 1100 wrote to memory of 1924	1100	d1279da0ffbc04887863ac95a894f275.exe	powershell.exe
PID 1100 wrote to memory of 1924	1100	d1279da0ffbc04887863ac95a894f275.exe	powershell.exe
PID 1100 wrote to memory of 1436	1100	d1279da0ffbc04887863ac95a894f275.exe	schtasks.exe
PID 1100 wrote to memory of 1436	1100	d1279da0ffbc04887863ac95a894f275.exe	schtasks.exe
PID 1100 wrote to memory of 1436	1100	d1279da0ffbc04887863ac95a894f275.exe	schtasks.exe
PID 1100 wrote to memory of 1436	1100	d1279da0ffbc04887863ac95a894f275.exe	schtasks.exe
PID 1100 wrote to memory of 1880	1100	d1279da0ffbc04887863ac95a894f275.exe	WerFault.exe
PID 1100 wrote to memory of 1880	1100	d1279da0ffbc04887863ac95a894f275.exe	WerFault.exe
PID 1100 wrote to memory of 1880	1100	d1279da0ffbc04887863ac95a894f275.exe	WerFault.exe
PID 1100 wrote to memory of 1880	1100	d1279da0ffbc04887863ac95a894f275.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\d1279da0ffbc04887863ac95a894f275.exe
"C:\Users\Admin\AppData\Local\Temp\d1279da0ffbc04887863ac95a894f275.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VfZFoFXb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfZFoFXb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8141.tmp"
2⤵
- Creates scheduled task(s)
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 980
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1880

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8141.tmp
MD5
1d5246bfe8c721e9a5266ce09d63cc12

SHA1
8d470171907643efe071e7e77eb9df09d2881c19

SHA256
7d0963a0db1672b3e7f01936df3ff090c3bcf5a8ce71fa0273e43172a2442d80

SHA512
fc2c8ea5a69369cdfd166252ba1d17582c16aaa57c956eebf95afb4ec51887278cd15bb8d90a7f7dcd420edfbab17b1a06b73815772ed7ad861b0329a94e8b1a

Download Submit
memory/1100-55-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1100-57-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1100-58-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1100-59-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/1100-60-0x0000000004380000-0x00000000043F0000-memory.dmp

Filesize
448KB

Download
memory/1436-63-0x0000000000000000-mapping.dmp

Download
memory/1880-65-0x0000000000000000-mapping.dmp

Download
memory/1880-69-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1924-61-0x0000000000000000-mapping.dmp

Download
memory/1924-66-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/1924-68-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/1924-67-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads