b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4

General

Target

b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe
Size

158KB
MD5

fc48281921537737b4e8f6a13e234c6f
SHA1

49572865abff97bafc25256452b2e2e3c692dc5d
SHA256

b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4
SHA512

2142d2eeadbf0616fda2585ff06916a3e990d3ca90a89f0695bbf086ece3db99677463075e2f6c2c61eae9949d28537e4f056d0d2ae3f271aaea0fc18f7bbd84

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

fweqz.exe

pid process

2216 fweqz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2216	fweqz.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exefweqz.exe

description	pid	process	target process
PID 3708 wrote to memory of 2216	3708	b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe	fweqz.exe
PID 3708 wrote to memory of 2216	3708	b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe	fweqz.exe
PID 3708 wrote to memory of 2216	3708	b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe	fweqz.exe
PID 2216 wrote to memory of 1476	2216	fweqz.exe	fweqz.exe
PID 2216 wrote to memory of 1476	2216	fweqz.exe	fweqz.exe
PID 2216 wrote to memory of 1476	2216	fweqz.exe	fweqz.exe

C:\Users\Admin\AppData\Local\Temp\b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe
"C:\Users\Admin\AppData\Local\Temp\b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Users\Admin\AppData\Local\Temp\fweqz.exe
  C:\Users\Admin\AppData\Local\Temp\fweqz.exe C:\Users\Admin\AppData\Local\Temp\fkauqdsiir
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\fweqz.exe
    C:\Users\Admin\AppData\Local\Temp\fweqz.exe C:\Users\Admin\AppData\Local\Temp\fkauqdsiir
    3⤵
    PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fkauqdsiir

Filesize
5KB

MD5
64e0957b219d4139b08d8b0f9ae54a25

SHA1
e3a43ccbab03a619d4c85a9994c92941d336f66b

SHA256
b45c5f65ddee397bc18bb0dbdb4205b53f6fd731f7d5be8faeb9ab91f860e6de

SHA512
c8a6a1be2f4f410fc9657a2822cbb946d07e52a64bdb99b6ec04b610959acd837f5491848abf10f1b1b9c22847a11eb81b204a673a815b8d846fa80c4ccf39e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fweqz.exe

Filesize
79KB

MD5
b7f1ea2238a66e30e34894fd2fc81876

SHA1
62f16d11a681ba91cdf8f1acd81f562113d87529

SHA256
1759959a3241bb47b897b29913e0a56a42c51051bc81a69adb22bdfe5db158be

SHA512
81a962a941249a60118507df12e811ad64fd3dd67f29a32cd6e8fcc997a0728e4876336b8e1178131a2f26719510142850166597b9e62ba4d4fe838963b56d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\fweqz.exe

Filesize
79KB

MD5
b7f1ea2238a66e30e34894fd2fc81876

SHA1
62f16d11a681ba91cdf8f1acd81f562113d87529

SHA256
1759959a3241bb47b897b29913e0a56a42c51051bc81a69adb22bdfe5db158be

SHA512
81a962a941249a60118507df12e811ad64fd3dd67f29a32cd6e8fcc997a0728e4876336b8e1178131a2f26719510142850166597b9e62ba4d4fe838963b56d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\sr2bbrtjwe

Filesize
103KB

MD5
a9c38f10c2e854d16bd364c47b9aa68e

SHA1
f16e00511c381bf93cd51fe7c53201276d55f833

SHA256
9d025b4958bfd0d490e8244b72c5a92444ed673813f6e1b71e819c59b4e82f4c

SHA512
369e6ba35aab71a67db9787fe9d0938e61e0abce3b7028655281012425e05c5b379316912ca1df1c66aa0ccbb015f9cef5f1aa983f24e146b66514ef093aaa91

Download Submit
memory/1476-135-0x0000000000000000-mapping.dmp

Download
memory/2216-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing