17663de3b5590994b113887514c3d108e9e34cb3ad4487e2eafcf824044ea632

General

Target

17663de3b5590994b113887514c3d108e9e34cb3ad4487e2eafcf824044ea632.exe
Size

88KB
MD5

5b5d924e1f57f965b630f76ca67a78e0
SHA1

558e3d39e536050f2096a70490cb15b8341c4525
SHA256

17663de3b5590994b113887514c3d108e9e34cb3ad4487e2eafcf824044ea632
SHA512

20a0abf003823ff88221fe159d2a8ad713900fc9758f4c807c08109c016a9b717cd4df7f45ad7c55d72843bc1f72e49e89b9b4ff79dcd5c9e82aa780bcfd22e0
SSDEEP

1536:wbNrxkeaUMzYurxQhfvbKkQI3yMp1xP93AT4JR7YNUsEkEs01V:wxpMzYsdMp1xVQT4Tql01V

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1768	troyan7.exe

Loads dropped DLL 5 IoCs

pid	Process
1828	17663de3b5590994b113887514c3d108e9e34cb3ad4487e2eafcf824044ea632.exe
1828	17663de3b5590994b113887514c3d108e9e34cb3ad4487e2eafcf824044ea632.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1976	1768	WerFault.exe	27

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1416	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1828	17663de3b5590994b113887514c3d108e9e34cb3ad4487e2eafcf824044ea632.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1768	1828	17663de3b5590994b113887514c3d108e9e34cb3ad4487e2eafcf824044ea632.exe	27
PID 1828 wrote to memory of 1768	1828	17663de3b5590994b113887514c3d108e9e34cb3ad4487e2eafcf824044ea632.exe	27
PID 1828 wrote to memory of 1768	1828	17663de3b5590994b113887514c3d108e9e34cb3ad4487e2eafcf824044ea632.exe	27
PID 1828 wrote to memory of 1768	1828	17663de3b5590994b113887514c3d108e9e34cb3ad4487e2eafcf824044ea632.exe	27
PID 1768 wrote to memory of 1976	1768	troyan7.exe	28
PID 1768 wrote to memory of 1976	1768	troyan7.exe	28
PID 1768 wrote to memory of 1976	1768	troyan7.exe	28
PID 1768 wrote to memory of 1976	1768	troyan7.exe	28

C:\Users\Admin\AppData\Local\Temp\17663de3b5590994b113887514c3d108e9e34cb3ad4487e2eafcf824044ea632.exe
"C:\Users\Admin\AppData\Local\Temp\17663de3b5590994b113887514c3d108e9e34cb3ad4487e2eafcf824044ea632.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Local\Temp\troyan7.exe
  "C:\Users\Admin\AppData\Local\Temp\troyan7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1976

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Puesta de sol.jpg

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\troyan7.exe

Filesize
7KB

MD5
284a47f6c479b9ad48204038527ab619

SHA1
33ec0d00cf5e6352a99688cb34353e59b7fae2cc

SHA256
cd34f1cc2ce944e583c6bd642fab7aa8daf29ab97da848088cd3cec335d19034

SHA512
94c7c03fc2538e96be5d7af31e848a829350f89f4ef29df489e1bc024ebbaf4d6390f56865c6780d2bee151d61cbb14bfc7fd0c37fb2ff002d78303e245808ff

Download Submit
\Users\Admin\AppData\Local\Temp\troyan7.exe

Filesize
7KB

MD5
284a47f6c479b9ad48204038527ab619

SHA1
33ec0d00cf5e6352a99688cb34353e59b7fae2cc

SHA256
cd34f1cc2ce944e583c6bd642fab7aa8daf29ab97da848088cd3cec335d19034

SHA512
94c7c03fc2538e96be5d7af31e848a829350f89f4ef29df489e1bc024ebbaf4d6390f56865c6780d2bee151d61cbb14bfc7fd0c37fb2ff002d78303e245808ff

Download Submit
\Users\Admin\AppData\Local\Temp\troyan7.exe

Filesize
7KB

MD5
284a47f6c479b9ad48204038527ab619

SHA1
33ec0d00cf5e6352a99688cb34353e59b7fae2cc

SHA256
cd34f1cc2ce944e583c6bd642fab7aa8daf29ab97da848088cd3cec335d19034

SHA512
94c7c03fc2538e96be5d7af31e848a829350f89f4ef29df489e1bc024ebbaf4d6390f56865c6780d2bee151d61cbb14bfc7fd0c37fb2ff002d78303e245808ff

Download Submit
\Users\Admin\AppData\Local\Temp\troyan7.exe

Filesize
7KB

MD5
284a47f6c479b9ad48204038527ab619

SHA1
33ec0d00cf5e6352a99688cb34353e59b7fae2cc

SHA256
cd34f1cc2ce944e583c6bd642fab7aa8daf29ab97da848088cd3cec335d19034

SHA512
94c7c03fc2538e96be5d7af31e848a829350f89f4ef29df489e1bc024ebbaf4d6390f56865c6780d2bee151d61cbb14bfc7fd0c37fb2ff002d78303e245808ff

Download Submit
\Users\Admin\AppData\Local\Temp\troyan7.exe

Filesize
7KB

MD5
284a47f6c479b9ad48204038527ab619

SHA1
33ec0d00cf5e6352a99688cb34353e59b7fae2cc

SHA256
cd34f1cc2ce944e583c6bd642fab7aa8daf29ab97da848088cd3cec335d19034

SHA512
94c7c03fc2538e96be5d7af31e848a829350f89f4ef29df489e1bc024ebbaf4d6390f56865c6780d2bee151d61cbb14bfc7fd0c37fb2ff002d78303e245808ff

Download Submit
\Users\Admin\AppData\Local\Temp\troyan7.exe

Filesize
7KB

MD5
284a47f6c479b9ad48204038527ab619

SHA1
33ec0d00cf5e6352a99688cb34353e59b7fae2cc

SHA256
cd34f1cc2ce944e583c6bd642fab7aa8daf29ab97da848088cd3cec335d19034

SHA512
94c7c03fc2538e96be5d7af31e848a829350f89f4ef29df489e1bc024ebbaf4d6390f56865c6780d2bee151d61cbb14bfc7fd0c37fb2ff002d78303e245808ff

Download Submit
memory/1768-66-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1828-56-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing