dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78

General

Target

stage2.exe
Size

209KB
MD5

14c8482f302b5e81e3fa1b18a509289d
SHA1

16525cb2fd86dce842107eb1ba6174b23f188537
SHA256

dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
SHA512

fdaaac4ee73db90f69dc43a20f24d8f80a2f659288d28538c6fd1946b8861bb161b41ad3bcd65d16843cd21350e95c606f991a990110e100029b58abce978353

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1468 732 WerFault.exe stage2.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exeWerFault.exe

pid process

268 powershell.exe
1812 powershell.exe
1468 WerFault.exe
1468 WerFault.exe
1468 WerFault.exe
1468 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1468 WerFault.exe

pid	pid_target	process	target process
1468	732	WerFault.exe	stage2.exe

pid	process
268	powershell.exe
1812	powershell.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe
1468	WerFault.exe

pid	process
1468	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exestage2.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	732	stage2.exe
Token: SeDebugPrivilege	1468	WerFault.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

stage2.exe

description	pid	process	target process
PID 732 wrote to memory of 268	732	stage2.exe	powershell.exe
PID 732 wrote to memory of 268	732	stage2.exe	powershell.exe
PID 732 wrote to memory of 268	732	stage2.exe	powershell.exe
PID 732 wrote to memory of 268	732	stage2.exe	powershell.exe
PID 732 wrote to memory of 1812	732	stage2.exe	powershell.exe
PID 732 wrote to memory of 1812	732	stage2.exe	powershell.exe
PID 732 wrote to memory of 1812	732	stage2.exe	powershell.exe
PID 732 wrote to memory of 1812	732	stage2.exe	powershell.exe
PID 732 wrote to memory of 1468	732	stage2.exe	WerFault.exe
PID 732 wrote to memory of 1468	732	stage2.exe	WerFault.exe
PID 732 wrote to memory of 1468	732	stage2.exe	WerFault.exe
PID 732 wrote to memory of 1468	732	stage2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\stage2.exe
"C:\Users\Admin\AppData\Local\Temp\stage2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1720
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
79f921c3a53d86fb815c84d8960cb2c5

SHA1
5af2a6ab317e6e2d95c8c897d9a3e8e5bc9b4582

SHA256
a4a8c483bf9059048be051c26a0291839c5a032cdeb0a6de15dbe3b22c517673

SHA512
9ec5887573bc8c7e0f10171b05ecbe59bbe1873e8627b97c8cfe61b5e5924ed3c229b07e5b537125f0d3ce040cc1d0f11665e655ecde18c082a4972f7d0212f0

Download Submit
memory/268-58-0x0000000000000000-mapping.dmp

Download
memory/268-60-0x0000000002350000-0x0000000002F9A000-memory.dmp

Filesize
12.3MB

Download
memory/732-55-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/732-56-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/732-57-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download
memory/732-64-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1468-65-0x0000000000000000-mapping.dmp

Download
memory/1468-66-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1812-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing