b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05

General

Target

b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05.exe
Size

426KB
MD5

72338fb415bf0ff50072a28a3c166110
SHA1

3252df9ecf9f7e67a544ca381ecf331a32ab501d
SHA256

b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05
SHA512

2e07f21d32969f3a1938abd3a35f1eb69eb96f5d707d18d9156c3242336ef18a7fb297f87435703f83e47b74ce844f8a2f5592bcf7381435ec131dfa3cb52257
SSDEEP

12288:DFszBhqS5mGG9wPwGnrFV1spU0T8LtPBVR:DFszWS5RlPpxV1yAZVR

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1816	server.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d0000000054a8-55.dat	upx
behavioral1/files/0x000d0000000054a8-56.dat	upx
behavioral1/files/0x000d0000000054a8-58.dat	upx
behavioral1/files/0x000d0000000054a8-61.dat	upx
behavioral1/files/0x000d0000000054a8-63.dat	upx
behavioral1/files/0x000d0000000054a8-62.dat	upx
behavioral1/files/0x000d0000000054a8-64.dat	upx
behavioral1/memory/1816-65-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1624	b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05.exe
1624	b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1576	1816	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1816	1624	b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05.exe	28
PID 1624 wrote to memory of 1816	1624	b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05.exe	28
PID 1624 wrote to memory of 1816	1624	b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05.exe	28
PID 1624 wrote to memory of 1816	1624	b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05.exe	28
PID 1624 wrote to memory of 1816	1624	b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05.exe	28
PID 1624 wrote to memory of 1816	1624	b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05.exe	28
PID 1624 wrote to memory of 1816	1624	b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05.exe	28
PID 1816 wrote to memory of 1576	1816	server.exe	29
PID 1816 wrote to memory of 1576	1816	server.exe	29
PID 1816 wrote to memory of 1576	1816	server.exe	29
PID 1816 wrote to memory of 1576	1816	server.exe	29
PID 1816 wrote to memory of 1576	1816	server.exe	29
PID 1816 wrote to memory of 1576	1816	server.exe	29
PID 1816 wrote to memory of 1576	1816	server.exe	29

C:\Users\Admin\AppData\Local\Temp\b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05.exe
"C:\Users\Admin\AppData\Local\Temp\b57ade1475862243f45d03901e7798f76d81a1d8e48666083f5c8b2e4be58f05.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 208
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
336KB

MD5
88b18b5685d4fabe061c53c4f97fd132

SHA1
5ff73a3c6fb421c13b341b1005e591fb97664093

SHA256
be827ff2deefed3f8e662c804428df1afbaea98f1e25c4b9832376ee6be97c40

SHA512
cd66dae571166502a1d0974adb76c7ff193ade9c95214045a7a9e9bc210e0022c5e79ed72ce662d4ed65d2ee44b4d3634e139b3e39488f47b52a52385158f06d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
336KB

MD5
88b18b5685d4fabe061c53c4f97fd132

SHA1
5ff73a3c6fb421c13b341b1005e591fb97664093

SHA256
be827ff2deefed3f8e662c804428df1afbaea98f1e25c4b9832376ee6be97c40

SHA512
cd66dae571166502a1d0974adb76c7ff193ade9c95214045a7a9e9bc210e0022c5e79ed72ce662d4ed65d2ee44b4d3634e139b3e39488f47b52a52385158f06d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
336KB

MD5
88b18b5685d4fabe061c53c4f97fd132

SHA1
5ff73a3c6fb421c13b341b1005e591fb97664093

SHA256
be827ff2deefed3f8e662c804428df1afbaea98f1e25c4b9832376ee6be97c40

SHA512
cd66dae571166502a1d0974adb76c7ff193ade9c95214045a7a9e9bc210e0022c5e79ed72ce662d4ed65d2ee44b4d3634e139b3e39488f47b52a52385158f06d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
336KB

MD5
88b18b5685d4fabe061c53c4f97fd132

SHA1
5ff73a3c6fb421c13b341b1005e591fb97664093

SHA256
be827ff2deefed3f8e662c804428df1afbaea98f1e25c4b9832376ee6be97c40

SHA512
cd66dae571166502a1d0974adb76c7ff193ade9c95214045a7a9e9bc210e0022c5e79ed72ce662d4ed65d2ee44b4d3634e139b3e39488f47b52a52385158f06d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
336KB

MD5
88b18b5685d4fabe061c53c4f97fd132

SHA1
5ff73a3c6fb421c13b341b1005e591fb97664093

SHA256
be827ff2deefed3f8e662c804428df1afbaea98f1e25c4b9832376ee6be97c40

SHA512
cd66dae571166502a1d0974adb76c7ff193ade9c95214045a7a9e9bc210e0022c5e79ed72ce662d4ed65d2ee44b4d3634e139b3e39488f47b52a52385158f06d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
336KB

MD5
88b18b5685d4fabe061c53c4f97fd132

SHA1
5ff73a3c6fb421c13b341b1005e591fb97664093

SHA256
be827ff2deefed3f8e662c804428df1afbaea98f1e25c4b9832376ee6be97c40

SHA512
cd66dae571166502a1d0974adb76c7ff193ade9c95214045a7a9e9bc210e0022c5e79ed72ce662d4ed65d2ee44b4d3634e139b3e39488f47b52a52385158f06d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
336KB

MD5
88b18b5685d4fabe061c53c4f97fd132

SHA1
5ff73a3c6fb421c13b341b1005e591fb97664093

SHA256
be827ff2deefed3f8e662c804428df1afbaea98f1e25c4b9832376ee6be97c40

SHA512
cd66dae571166502a1d0974adb76c7ff193ade9c95214045a7a9e9bc210e0022c5e79ed72ce662d4ed65d2ee44b4d3634e139b3e39488f47b52a52385158f06d

Download Submit
memory/1576-60-0x0000000000000000-mapping.dmp

Download
memory/1624-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1816-57-0x0000000000000000-mapping.dmp

Download
memory/1816-65-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing