ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307

General

Target

ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe
Size

363KB
MD5

e994f3f5e18e7b0ef95f1642aba62333
SHA1

56a394dd005af54587a913e495d6b2ef3e3f4278
SHA256

ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307
SHA512

daab466ab5b748f8fa79b48f10df717283daa6c376fc14f3d86e6196e32f0c8083ccc5a0b69269ac8c5b6b7eaea2d555ff9f8ac460d94a7ef91cd4d7a324b455

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1224	server v2.exe
1396	ReduceMemory.exe
2004	ReduceMemory.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000014aef-59.dat	upx
behavioral1/files/0x0008000000014aef-61.dat	upx
behavioral1/files/0x0008000000014aef-63.dat	upx
behavioral1/files/0x0008000000014aef-65.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
284	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe
284	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
588	1224	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1396	ReduceMemory.exe
2004	ReduceMemory.exe
2004	ReduceMemory.exe
1396	ReduceMemory.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1396	ReduceMemory.exe
Token: SeIncBasePriorityPrivilege	2004	ReduceMemory.exe
Token: SeDebugPrivilege	1224	server v2.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 284 wrote to memory of 1224	284	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe	27
PID 284 wrote to memory of 1224	284	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe	27
PID 284 wrote to memory of 1224	284	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe	27
PID 284 wrote to memory of 1224	284	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe	27
PID 284 wrote to memory of 1396	284	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe	28
PID 284 wrote to memory of 1396	284	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe	28
PID 284 wrote to memory of 1396	284	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe	28
PID 284 wrote to memory of 1396	284	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe	28
PID 1224 wrote to memory of 588	1224	server v2.exe	30
PID 1224 wrote to memory of 588	1224	server v2.exe	30
PID 1224 wrote to memory of 588	1224	server v2.exe	30

C:\Users\Admin\AppData\Local\Temp\ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe
"C:\Users\Admin\AppData\Local\Temp\ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:284
- C:\Users\Admin\AppData\Local\Temp\server v2.exe
  "C:\Users\Admin\AppData\Local\Temp\server v2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1224 -s 1036
    3⤵
    - Program crash
    PID:588
- C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe
  "C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396

C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe
"C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe" /S
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe

Filesize
313KB

MD5
879007aa82419d86b66648f4a38e7850

SHA1
a85b4295e65a96e32580bda391c0c1af0d02b30a

SHA256
ba2af21b6d0fed46085d38bad2a6e87821b95998f07710fb0edec53d8fa43e00

SHA512
98b1f1910a444b227af47d439a40e74f49193e894a313b8069d7ac29c73df341a9913cd357ed8c3e5d9481887fca61394dd2143117b4785d30fd54e6aed06ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe

Filesize
313KB

MD5
879007aa82419d86b66648f4a38e7850

SHA1
a85b4295e65a96e32580bda391c0c1af0d02b30a

SHA256
ba2af21b6d0fed46085d38bad2a6e87821b95998f07710fb0edec53d8fa43e00

SHA512
98b1f1910a444b227af47d439a40e74f49193e894a313b8069d7ac29c73df341a9913cd357ed8c3e5d9481887fca61394dd2143117b4785d30fd54e6aed06ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe

Filesize
313KB

MD5
879007aa82419d86b66648f4a38e7850

SHA1
a85b4295e65a96e32580bda391c0c1af0d02b30a

SHA256
ba2af21b6d0fed46085d38bad2a6e87821b95998f07710fb0edec53d8fa43e00

SHA512
98b1f1910a444b227af47d439a40e74f49193e894a313b8069d7ac29c73df341a9913cd357ed8c3e5d9481887fca61394dd2143117b4785d30fd54e6aed06ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\server v2.exe

Filesize
9KB

MD5
74e9f40026618822a263410fa4f45fc6

SHA1
ef5259d0f4b920cf69f608467ccdee285e31fc8e

SHA256
a04430655909bdb60d4442d4601d380e28ab26bc022c3ddef17a156136fe015e

SHA512
6c67c239e9581365d6082b9a42a42698178e6583a5e95d8bdcedfe13bd3f12ac43418308849326fe7ae6c8b39340d2b998540a5c502ce22071dcea73d4f0c23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\server v2.exe

Filesize
9KB

MD5
74e9f40026618822a263410fa4f45fc6

SHA1
ef5259d0f4b920cf69f608467ccdee285e31fc8e

SHA256
a04430655909bdb60d4442d4601d380e28ab26bc022c3ddef17a156136fe015e

SHA512
6c67c239e9581365d6082b9a42a42698178e6583a5e95d8bdcedfe13bd3f12ac43418308849326fe7ae6c8b39340d2b998540a5c502ce22071dcea73d4f0c23e

Download Submit
\Users\Admin\AppData\Local\Temp\ReduceMemory.exe

Filesize
313KB

MD5
879007aa82419d86b66648f4a38e7850

SHA1
a85b4295e65a96e32580bda391c0c1af0d02b30a

SHA256
ba2af21b6d0fed46085d38bad2a6e87821b95998f07710fb0edec53d8fa43e00

SHA512
98b1f1910a444b227af47d439a40e74f49193e894a313b8069d7ac29c73df341a9913cd357ed8c3e5d9481887fca61394dd2143117b4785d30fd54e6aed06ab9

Download Submit
\Users\Admin\AppData\Local\Temp\server v2.exe

Filesize
9KB

MD5
74e9f40026618822a263410fa4f45fc6

SHA1
ef5259d0f4b920cf69f608467ccdee285e31fc8e

SHA256
a04430655909bdb60d4442d4601d380e28ab26bc022c3ddef17a156136fe015e

SHA512
6c67c239e9581365d6082b9a42a42698178e6583a5e95d8bdcedfe13bd3f12ac43418308849326fe7ae6c8b39340d2b998540a5c502ce22071dcea73d4f0c23e

Download Submit
memory/284-54-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/1224-64-0x0000000000050000-0x0000000000058000-memory.dmp

Filesize
32KB

Download
memory/1224-67-0x000000001B080000-0x000000001B082000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing