8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595

General

Target

8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe
Size

964KB
MD5

9cf33a9d11e1a0eddb2481e862487bb2
SHA1

4db6d3e61cd201bf855a1e50300d01496a231de7
SHA256

8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595
SHA512

14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

chrome.exe

pid process

1756 chrome.exe

pid	process
1756	chrome.exe

Drops startup file 5 IoCs

Processes:

cmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe\:Zone.Identifier:$DATA	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier	cmd.exe

Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

1820 cmd.exe
992 WerFault.exe
992 WerFault.exe
992 WerFault.exe
992 WerFault.exe
992 WerFault.exe

pid	process
1820	cmd.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\chrome.exe -boot"	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

992 1756 WerFault.exe chrome.exe

pid	pid_target	process	target process
992	1756	WerFault.exe	chrome.exe

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

992 WerFault.exe
992 WerFault.exe
992 WerFault.exe
992 WerFault.exe

pid	process
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exechrome.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe
Token: SeDebugPrivilege	1756	chrome.exe
Token: SeDebugPrivilege	992	WerFault.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.execmd.exechrome.exe

description	pid	process	target process
PID 816 wrote to memory of 1636	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 1636	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 1636	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 1636	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 964	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 964	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 964	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 964	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 1120	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 1120	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 1120	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 1120	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 1820	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 1820	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 1820	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 816 wrote to memory of 1820	816	8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe	cmd.exe
PID 1820 wrote to memory of 1756	1820	cmd.exe	chrome.exe
PID 1820 wrote to memory of 1756	1820	cmd.exe	chrome.exe
PID 1820 wrote to memory of 1756	1820	cmd.exe	chrome.exe
PID 1820 wrote to memory of 1756	1820	cmd.exe	chrome.exe
PID 1756 wrote to memory of 1080	1756	chrome.exe	cmd.exe
PID 1756 wrote to memory of 1080	1756	chrome.exe	cmd.exe
PID 1756 wrote to memory of 1080	1756	chrome.exe	cmd.exe
PID 1756 wrote to memory of 1080	1756	chrome.exe	cmd.exe
PID 1756 wrote to memory of 1160	1756	chrome.exe	cmd.exe
PID 1756 wrote to memory of 1160	1756	chrome.exe	cmd.exe
PID 1756 wrote to memory of 1160	1756	chrome.exe	cmd.exe
PID 1756 wrote to memory of 1160	1756	chrome.exe	cmd.exe
PID 1756 wrote to memory of 992	1756	chrome.exe	WerFault.exe
PID 1756 wrote to memory of 992	1756	chrome.exe	WerFault.exe
PID 1756 wrote to memory of 992	1756	chrome.exe	WerFault.exe
PID 1756 wrote to memory of 992	1756	chrome.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe
"C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"
2⤵
- Drops startup file
PID:1120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier"
4⤵
- Drops startup file
PID:1080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe:Zone.Identifier"
4⤵
- Drops startup file
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 888
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5
9cf33a9d11e1a0eddb2481e862487bb2

SHA1
4db6d3e61cd201bf855a1e50300d01496a231de7

SHA256
8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595

SHA512
14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5
9cf33a9d11e1a0eddb2481e862487bb2

SHA1
4db6d3e61cd201bf855a1e50300d01496a231de7

SHA256
8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595

SHA512
14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5
9cf33a9d11e1a0eddb2481e862487bb2

SHA1
4db6d3e61cd201bf855a1e50300d01496a231de7

SHA256
8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595

SHA512
14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5
9cf33a9d11e1a0eddb2481e862487bb2

SHA1
4db6d3e61cd201bf855a1e50300d01496a231de7

SHA256
8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595

SHA512
14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5
9cf33a9d11e1a0eddb2481e862487bb2

SHA1
4db6d3e61cd201bf855a1e50300d01496a231de7

SHA256
8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595

SHA512
14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5
9cf33a9d11e1a0eddb2481e862487bb2

SHA1
4db6d3e61cd201bf855a1e50300d01496a231de7

SHA256
8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595

SHA512
14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5
9cf33a9d11e1a0eddb2481e862487bb2

SHA1
4db6d3e61cd201bf855a1e50300d01496a231de7

SHA256
8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595

SHA512
14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe

MD5
9cf33a9d11e1a0eddb2481e862487bb2

SHA1
4db6d3e61cd201bf855a1e50300d01496a231de7

SHA256
8f04027c2a95366ba904688bbffa6894496495019bf00848990a892d1275c595

SHA512
14e741a79d2dc7812250d753d3567f3623c2eb20466ac6c370911125ce62b302da3c75331bf4da39f2166ec5a4205185ea08a2e8e47cf732eac90569c75570ec

Download Submit
memory/816-57-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/816-55-0x0000000000DE0000-0x0000000000ED8000-memory.dmp

Filesize
992KB

Download
memory/816-56-0x00000000002F0000-0x0000000000318000-memory.dmp

Filesize
160KB

Download
memory/816-59-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/816-58-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/816-60-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/992-74-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1756-64-0x0000000000D20000-0x0000000000E18000-memory.dmp

Filesize
992KB

Download
memory/1756-66-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/1756-67-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads