91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94

General

Target

91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
Size

181KB
MD5

a115d8a1ec2c5e1a95de6e5174234620
SHA1

488b8136823221cedf7749ebd27a296441d022f6
SHA256

91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94
SHA512

983457e5de16fb9d5bbb0e4629aac76b08057da5d3742b644f4e9ac4f96f56f83532a0155f39d14b0e4254b7b8c95e94b38ffe08f9fca958d511118bdae8923c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Wmwzygtmuexmtrashhold.exe

pid process

1356 Wmwzygtmuexmtrashhold.exe
Loads dropped DLL 1 IoCs

Processes:

WScript.exe

pid process

1748 WScript.exe

pid	process
1356	Wmwzygtmuexmtrashhold.exe

pid	process
1748	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe

description	pid	process	target process
PID 2012 set thread context of 1332	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1540	1332	WerFault.exe	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
1660	1356	WerFault.exe	Wmwzygtmuexmtrashhold.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe

pid process

2012 91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe

pid	process
2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exeWmwzygtmuexmtrashhold.exe

description	pid	process
Token: SeDebugPrivilege	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
Token: SeDebugPrivilege	1356	Wmwzygtmuexmtrashhold.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exeWScript.exe91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exeWmwzygtmuexmtrashhold.exe

description	pid	process	target process
PID 2012 wrote to memory of 1748	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	WScript.exe
PID 2012 wrote to memory of 1748	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	WScript.exe
PID 2012 wrote to memory of 1748	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	WScript.exe
PID 2012 wrote to memory of 1748	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	WScript.exe
PID 2012 wrote to memory of 1332	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
PID 2012 wrote to memory of 1332	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
PID 2012 wrote to memory of 1332	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
PID 2012 wrote to memory of 1332	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
PID 2012 wrote to memory of 1332	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
PID 2012 wrote to memory of 1332	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
PID 2012 wrote to memory of 1332	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
PID 2012 wrote to memory of 1332	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
PID 2012 wrote to memory of 1332	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
PID 2012 wrote to memory of 1332	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
PID 2012 wrote to memory of 1332	2012	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
PID 1748 wrote to memory of 1356	1748	WScript.exe	Wmwzygtmuexmtrashhold.exe
PID 1748 wrote to memory of 1356	1748	WScript.exe	Wmwzygtmuexmtrashhold.exe
PID 1748 wrote to memory of 1356	1748	WScript.exe	Wmwzygtmuexmtrashhold.exe
PID 1748 wrote to memory of 1356	1748	WScript.exe	Wmwzygtmuexmtrashhold.exe
PID 1332 wrote to memory of 1540	1332	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	WerFault.exe
PID 1332 wrote to memory of 1540	1332	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	WerFault.exe
PID 1332 wrote to memory of 1540	1332	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	WerFault.exe
PID 1332 wrote to memory of 1540	1332	91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe	WerFault.exe
PID 1356 wrote to memory of 1660	1356	Wmwzygtmuexmtrashhold.exe	WerFault.exe
PID 1356 wrote to memory of 1660	1356	Wmwzygtmuexmtrashhold.exe	WerFault.exe
PID 1356 wrote to memory of 1660	1356	Wmwzygtmuexmtrashhold.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
"C:\Users\Admin\AppData\Local\Temp\91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lgfmyvtomp.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\Wmwzygtmuexmtrashhold.exe
    "C:\Users\Admin\AppData\Local\Temp\Wmwzygtmuexmtrashhold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1356 -s 1104
      4⤵
      Program crash
      PID:1660
- C:\Users\Admin\AppData\Local\Temp\91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
  C:\Users\Admin\AppData\Local\Temp\91f0ea31d908f46e89dcc0257c517c876194f9688fd9a2d5b2f9e82074ce0f94.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 36
    3⤵
    - Program crash
    PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lgfmyvtomp.vbs

MD5
2597ba8c41de7c64404be78b80bcd1fe

SHA1
a4ff33327baf1ccc9ee259c9b7f64b4e5b4028d5

SHA256
fb7ec71a3b53fe26ad73845f9a89b41402a08a7dfaeae8e76c5eace13881c1af

SHA512
8cc54b4c3c5850d2c7c5a226192836f953953b5a50b106cb1c2fec0a28142174ecf7697ccd1e4e360bfee8361d532b09f9de7b831833463025a493f46c92d103

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wmwzygtmuexmtrashhold.exe

MD5
6908f63bb5041265f3b16027d49a701c

SHA1
ad52889f12842366abdd4399c0e8331f73757b7a

SHA256
23ecd17d27fed46a9b78f884086c54ed3f5ee9994ee3fcf2cd037b4db623d63b

SHA512
e0de9150dcf60c29db12108cca59d5a284eed6107563d1159b0e1a1cf2407ddaf4f5a46d3f1c3c936989b13dc4489dd5e15b8cefc095a06a5b7bf5e0886b6d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wmwzygtmuexmtrashhold.exe

MD5
6908f63bb5041265f3b16027d49a701c

SHA1
ad52889f12842366abdd4399c0e8331f73757b7a

SHA256
23ecd17d27fed46a9b78f884086c54ed3f5ee9994ee3fcf2cd037b4db623d63b

SHA512
e0de9150dcf60c29db12108cca59d5a284eed6107563d1159b0e1a1cf2407ddaf4f5a46d3f1c3c936989b13dc4489dd5e15b8cefc095a06a5b7bf5e0886b6d57

Download Submit
\Users\Admin\AppData\Local\Temp\Wmwzygtmuexmtrashhold.exe

MD5
6908f63bb5041265f3b16027d49a701c

SHA1
ad52889f12842366abdd4399c0e8331f73757b7a

SHA256
23ecd17d27fed46a9b78f884086c54ed3f5ee9994ee3fcf2cd037b4db623d63b

SHA512
e0de9150dcf60c29db12108cca59d5a284eed6107563d1159b0e1a1cf2407ddaf4f5a46d3f1c3c936989b13dc4489dd5e15b8cefc095a06a5b7bf5e0886b6d57

Download Submit
memory/1332-60-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1332-63-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1332-65-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1332-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1332-67-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1332-72-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1332-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1356-79-0x000000001AE40000-0x000000001AE42000-memory.dmp

Filesize
8KB

Download
memory/1356-78-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/1356-77-0x0000000001340000-0x000000000137A000-memory.dmp

Filesize
232KB

Download
memory/1748-62-0x0000000075751000-0x0000000075753000-memory.dmp

Filesize
8KB

Download
memory/2012-54-0x0000000000EE0000-0x0000000000F12000-memory.dmp

Filesize
200KB

Download
memory/2012-55-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/2012-57-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/2012-56-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2012-58-0x0000000000E70000-0x0000000000E9C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads