921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316

General

Target

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
Size

184KB
MD5

1c43b6c7834535beaaaba7d0c17074e2
SHA1

12c7b40ea9b29e5c0df5e8c97b7228fcccd317a5
SHA256

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316
SHA512

81d2c1940fce734a1d2e3686dfb8c56e8630db7134f4d747910c47ac925132762284554f984d4d8bcd354d64fab50073d640419b41612ca8ea1a88c79eb6cc31

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Pjtwurqbviaetrashhold.exe

pid process

1144 Pjtwurqbviaetrashhold.exe
Loads dropped DLL 1 IoCs

Processes:

WScript.exe

pid process

820 WScript.exe

pid	process
1144	Pjtwurqbviaetrashhold.exe

pid	process
820	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

description	pid	process	target process
PID 1932 set thread context of 1720	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1780	1720	WerFault.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
852	1144	WerFault.exe	Pjtwurqbviaetrashhold.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

pid	process
1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exePjtwurqbviaetrashhold.exe

description	pid	process
Token: SeDebugPrivilege	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
Token: SeDebugPrivilege	1144	Pjtwurqbviaetrashhold.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exeWScript.exe921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exePjtwurqbviaetrashhold.exe

description	pid	process	target process
PID 1932 wrote to memory of 820	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	WScript.exe
PID 1932 wrote to memory of 820	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	WScript.exe
PID 1932 wrote to memory of 820	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	WScript.exe
PID 1932 wrote to memory of 820	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	WScript.exe
PID 1932 wrote to memory of 1720	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 1932 wrote to memory of 1720	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 1932 wrote to memory of 1720	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 1932 wrote to memory of 1720	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 1932 wrote to memory of 1720	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 1932 wrote to memory of 1720	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 1932 wrote to memory of 1720	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 1932 wrote to memory of 1720	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 820 wrote to memory of 1144	820	WScript.exe	Pjtwurqbviaetrashhold.exe
PID 820 wrote to memory of 1144	820	WScript.exe	Pjtwurqbviaetrashhold.exe
PID 820 wrote to memory of 1144	820	WScript.exe	Pjtwurqbviaetrashhold.exe
PID 820 wrote to memory of 1144	820	WScript.exe	Pjtwurqbviaetrashhold.exe
PID 1932 wrote to memory of 1720	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 1932 wrote to memory of 1720	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 1932 wrote to memory of 1720	1932	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
PID 1720 wrote to memory of 1780	1720	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	WerFault.exe
PID 1720 wrote to memory of 1780	1720	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	WerFault.exe
PID 1720 wrote to memory of 1780	1720	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	WerFault.exe
PID 1720 wrote to memory of 1780	1720	921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe	WerFault.exe
PID 1144 wrote to memory of 852	1144	Pjtwurqbviaetrashhold.exe	WerFault.exe
PID 1144 wrote to memory of 852	1144	Pjtwurqbviaetrashhold.exe	WerFault.exe
PID 1144 wrote to memory of 852	1144	Pjtwurqbviaetrashhold.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
"C:\Users\Admin\AppData\Local\Temp\921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Eccxgvlylxal.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\Pjtwurqbviaetrashhold.exe
    "C:\Users\Admin\AppData\Local\Temp\Pjtwurqbviaetrashhold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1144 -s 1112
      4⤵
      Program crash
      PID:852
- C:\Users\Admin\AppData\Local\Temp\921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
  C:\Users\Admin\AppData\Local\Temp\921a0c1a7ca84f0308f4738dd8d2c1e6e3d7861e7fd15e46db6bb78f1f9f2316.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 36
    3⤵
    - Program crash
    PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Eccxgvlylxal.vbs

MD5
f9813a5a9147bf802d215050d774bbc8

SHA1
651ff39e3399593e2b404ca2a86afe44e4aac4ce

SHA256
f459d914778338db0b43f3de45edbbc23c80b71f875b5dc440769d1a212049ef

SHA512
98ea6ef51953f00c9a7df6bb089cd58a75ac91d49d3880da8fdfdf5e9ca23daafd18e00923be047aa234587b6f64e8038cebe7926aabbd4c2880a8c1e0f04eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pjtwurqbviaetrashhold.exe

MD5
6908f63bb5041265f3b16027d49a701c

SHA1
ad52889f12842366abdd4399c0e8331f73757b7a

SHA256
23ecd17d27fed46a9b78f884086c54ed3f5ee9994ee3fcf2cd037b4db623d63b

SHA512
e0de9150dcf60c29db12108cca59d5a284eed6107563d1159b0e1a1cf2407ddaf4f5a46d3f1c3c936989b13dc4489dd5e15b8cefc095a06a5b7bf5e0886b6d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pjtwurqbviaetrashhold.exe

MD5
6908f63bb5041265f3b16027d49a701c

SHA1
ad52889f12842366abdd4399c0e8331f73757b7a

SHA256
23ecd17d27fed46a9b78f884086c54ed3f5ee9994ee3fcf2cd037b4db623d63b

SHA512
e0de9150dcf60c29db12108cca59d5a284eed6107563d1159b0e1a1cf2407ddaf4f5a46d3f1c3c936989b13dc4489dd5e15b8cefc095a06a5b7bf5e0886b6d57

Download Submit
\Users\Admin\AppData\Local\Temp\Pjtwurqbviaetrashhold.exe

MD5
6908f63bb5041265f3b16027d49a701c

SHA1
ad52889f12842366abdd4399c0e8331f73757b7a

SHA256
23ecd17d27fed46a9b78f884086c54ed3f5ee9994ee3fcf2cd037b4db623d63b

SHA512
e0de9150dcf60c29db12108cca59d5a284eed6107563d1159b0e1a1cf2407ddaf4f5a46d3f1c3c936989b13dc4489dd5e15b8cefc095a06a5b7bf5e0886b6d57

Download Submit
memory/820-60-0x00000000759B1000-0x00000000759B3000-memory.dmp

Filesize
8KB

Download
memory/1144-79-0x000000001AE80000-0x000000001AE82000-memory.dmp

Filesize
8KB

Download
memory/1144-78-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

Filesize
9.9MB

Download
memory/1144-77-0x0000000000100000-0x000000000013A000-memory.dmp

Filesize
232KB

Download
memory/1720-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1720-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1720-73-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1720-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1720-76-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1720-66-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1720-64-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1932-56-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-55-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/1932-54-0x0000000000AD0000-0x0000000000B04000-memory.dmp

Filesize
208KB

Download
memory/1932-58-0x0000000000560000-0x000000000058E000-memory.dmp

Filesize
184KB

Download
memory/1932-57-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads