345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672

General

Target

345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe
Size

118KB
MD5

58386adaea3b5e737144388e6607d8a5
SHA1

951c5d44f30ecb219117c3e5691b417d1bdba397
SHA256

345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672
SHA512

8d6417cf5243f1d22ff17164f90055925e7de11d39f194723749d50f0e97810ab33d48356c571a681546e577750c1bd13781848d0f24c1c8a01e9c7560b7788e

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

fakerror.exeinjector(automatic).exe

pid process

968 fakerror.exe
1356 injector(automatic).exe

pid	process
968	fakerror.exe
1356	injector(automatic).exe

Loads dropped DLL 3 IoCs

Processes:

345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe

pid	process
1312	345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe
1312	345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe
1312	345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe

description	pid	process	target process
PID 1312 wrote to memory of 968	1312	345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe	fakerror.exe
PID 1312 wrote to memory of 968	1312	345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe	fakerror.exe
PID 1312 wrote to memory of 968	1312	345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe	fakerror.exe
PID 1312 wrote to memory of 968	1312	345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe	fakerror.exe
PID 1312 wrote to memory of 1356	1312	345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe	injector(automatic).exe
PID 1312 wrote to memory of 1356	1312	345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe	injector(automatic).exe
PID 1312 wrote to memory of 1356	1312	345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe	injector(automatic).exe
PID 1312 wrote to memory of 1356	1312	345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe	injector(automatic).exe

C:\Users\Admin\AppData\Local\Temp\345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe
"C:\Users\Admin\AppData\Local\Temp\345ac596f12617871bbf4c0584e578c7606451bfa270383ab90f6d57b4d82672.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\fakerror.exe
"C:\Users\Admin\AppData\Local\Temp\fakerror.exe"
2⤵
- Executes dropped EXE
PID:968

C:\Users\Admin\AppData\Local\Temp\injector(automatic).exe
"C:\Users\Admin\AppData\Local\Temp\injector(automatic).exe"
2⤵
- Executes dropped EXE
PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fakerror.exe
Filesize
7KB

MD5
3f4bc3d0287d911603691767c5d372fa

SHA1
04dcd270b7ed88185d2374ca0f825adbd058a51c

SHA256
c07e16bba6f09bead939ed6e38f23a55de6515558679a8bb8f722ef4edbb1909

SHA512
f560a7e3e4c0931ca45237d85f65a711a5033ffb2b825145013c7b9289b0010e0f0f4cdc4f77882d565f1e97ea9825c9d4aebfa55fb7b44624a8ef7e9134a797

Download Submit
C:\Users\Admin\AppData\Local\Temp\fakerror.exe
Filesize
7KB

MD5
3f4bc3d0287d911603691767c5d372fa

SHA1
04dcd270b7ed88185d2374ca0f825adbd058a51c

SHA256
c07e16bba6f09bead939ed6e38f23a55de6515558679a8bb8f722ef4edbb1909

SHA512
f560a7e3e4c0931ca45237d85f65a711a5033ffb2b825145013c7b9289b0010e0f0f4cdc4f77882d565f1e97ea9825c9d4aebfa55fb7b44624a8ef7e9134a797

Download Submit
C:\Users\Admin\AppData\Local\Temp\injector(automatic).exe
Filesize
92KB

MD5
6dc7b811bef861b5b02700fa57bddb7d

SHA1
80a78327bbb4b9068c745c95b4f1e9fed092529f

SHA256
1f10ea8c69d9f31bd3ec919e7a903e5f91ea855936a6a51d064fbbb3442ff47f

SHA512
bad80e61bee84f532a10319c719edadcdbb936562a3a0e3c5a0df2beffa6c3172b72db344c4f5169549e11d4183453d914139b4154c6ba61da039b7dab58e210

Download Submit
C:\Users\Admin\AppData\Local\Temp\injector(automatic).exe
Filesize
43KB

MD5
731e8773be9abf0890aaf27b2dd1652b

SHA1
ce0225f7f8e9526877082169d620d17a31047934

SHA256
6cab9389da5c22211bb6e84d06d0bd4256b843f2e2e90f5261f9460232be7e80

SHA512
8202e786280e0d53b14e7fa1bc5d269a0f39ea9998ea7a77d915d14438b581a678bd08c5a170a5ee272da82115950c1cde2b76acda63bdcff2838f75a18440e1

Download Submit
\Users\Admin\AppData\Local\Temp\fakerror.exe
Filesize
7KB

MD5
3f4bc3d0287d911603691767c5d372fa

SHA1
04dcd270b7ed88185d2374ca0f825adbd058a51c

SHA256
c07e16bba6f09bead939ed6e38f23a55de6515558679a8bb8f722ef4edbb1909

SHA512
f560a7e3e4c0931ca45237d85f65a711a5033ffb2b825145013c7b9289b0010e0f0f4cdc4f77882d565f1e97ea9825c9d4aebfa55fb7b44624a8ef7e9134a797

Download Submit
\Users\Admin\AppData\Local\Temp\injector(automatic).exe
Filesize
92KB

MD5
6dc7b811bef861b5b02700fa57bddb7d

SHA1
80a78327bbb4b9068c745c95b4f1e9fed092529f

SHA256
1f10ea8c69d9f31bd3ec919e7a903e5f91ea855936a6a51d064fbbb3442ff47f

SHA512
bad80e61bee84f532a10319c719edadcdbb936562a3a0e3c5a0df2beffa6c3172b72db344c4f5169549e11d4183453d914139b4154c6ba61da039b7dab58e210

Download Submit
\Users\Admin\AppData\Local\Temp\injector(automatic).exe
Filesize
87KB

MD5
f701637b1c920b1ad7ae2f299b48cbfe

SHA1
a9d3a05bff37c081d909a6a2f9138c941fae32c5

SHA256
f611652f95bc025e4ad3fd3ea4f027d8cd01b29e9ba9dd91dbe47dfc13f36095

SHA512
463c9a640c40a61cf0bfc1d9b765df7f4d89a7e8cc05bc7c5b7b858d87af429eebff24e0681426dbb89ab6f42a392591ac2eb9068293d5b875cad32ae7b40bea

Download Submit
memory/968-56-0x0000000000000000-mapping.dmp

Download
memory/968-64-0x00000000012B0000-0x00000000012B8000-memory.dmp

Filesize
32KB

Download
memory/1312-54-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1356-60-0x0000000000000000-mapping.dmp

Download
memory/1356-65-0x0000000000990000-0x00000000009B0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing