f7d7c3c283891a3fdffccf5dbd1da3a841064cd393aed4eab3987dfb1d93a51c

General

Target

REVERSE_.exe
Size

507KB
MD5

b378a8a59c97e5db6fc1c6faf37c90de
SHA1

1ba14ba7adab7d5903f0dd6c9e8ef9a9d40115e7
SHA256

ab85c8e3305016e7806bf71583c6100e8249054dbb2701b9944a190ae15a7284
SHA512

d31d6c7d52fe576ae7f5d3276fabcf56ae1d0b30786df1b795e7b03ccb4b0e607fcd95e9e7229f5017dd059803c5c2415243091109163cca424dcfeb10197a4d

Score

7^/10

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

240 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1616 240 WerFault.exe rundll32.exe

pid	process
240	rundll32.exe

pid	pid_target	process	target process
1616	240	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

REVERSE_.exerundll32.exe

description	pid	process	target process
PID 1444 wrote to memory of 240	1444	REVERSE_.exe	rundll32.exe
PID 1444 wrote to memory of 240	1444	REVERSE_.exe	rundll32.exe
PID 1444 wrote to memory of 240	1444	REVERSE_.exe	rundll32.exe
PID 1444 wrote to memory of 240	1444	REVERSE_.exe	rundll32.exe
PID 1444 wrote to memory of 240	1444	REVERSE_.exe	rundll32.exe
PID 1444 wrote to memory of 240	1444	REVERSE_.exe	rundll32.exe
PID 1444 wrote to memory of 240	1444	REVERSE_.exe	rundll32.exe
PID 240 wrote to memory of 1616	240	rundll32.exe	WerFault.exe
PID 240 wrote to memory of 1616	240	rundll32.exe	WerFault.exe
PID 240 wrote to memory of 1616	240	rundll32.exe	WerFault.exe
PID 240 wrote to memory of 1616	240	rundll32.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\REVERSE_.exe
"C:\Users\Admin\AppData\Local\Temp\REVERSE_.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 240 -s 228
3⤵
- Program crash
PID:1616

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\Helenium
Filesize
250KB

MD5
e0671641d426de50ad7c213f6e20a62e

SHA1
14bc1c6609a404952f3a18db64f658d24b44a0a7

SHA256
c7400e7ce60118d11dd93c40c1d8804998a174caa9f71bb73ccaa11174e117cf

SHA512
fa8dbc736af60464f367645c125d750195bf11554f91253ad0b3cd61af96291f68b14c54a94c64bd8cde1de42aeee24792f1c18460fe85ff9c261a958c13060a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pentagon.DLL
Filesize
56KB

MD5
84efccfc8c97ebda74559a289f41c769

SHA1
5325f8b9e8a20a0ac8911f48b6f744c69665650a

SHA256
0515fa8a1ed1d74e440cb372c981b8e3b703fe5c1593e26deaba5a47704cebc8

SHA512
8c0845739ee37d658c91899f947604cbd69c126e9e0cfc6af275a007ef99802cf86e4af4af180b4a14a786aec9645144f737dafb87543c7d3faa13544888e66b

Download Submit
\Users\Admin\AppData\Local\Temp\Pentagon.dll
Filesize
56KB

MD5
84efccfc8c97ebda74559a289f41c769

SHA1
5325f8b9e8a20a0ac8911f48b6f744c69665650a

SHA256
0515fa8a1ed1d74e440cb372c981b8e3b703fe5c1593e26deaba5a47704cebc8

SHA512
8c0845739ee37d658c91899f947604cbd69c126e9e0cfc6af275a007ef99802cf86e4af4af180b4a14a786aec9645144f737dafb87543c7d3faa13544888e66b

Download Submit
memory/240-55-0x0000000000000000-mapping.dmp

Download
memory/240-61-0x00000000000B0000-0x00000000000B3000-memory.dmp

Filesize
12KB

Download
memory/1444-54-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1616-60-0x0000000000000000-mapping.dmp

Download