cd4c2fd62fc59152c089d29cc24f214b3cad8dced2bd14e3c1df7e53e9ef47c5

General

Target

cd4c2fd62fc59152c089d29cc24f214b3cad8dced2bd14e3c1df7e53e9ef47c5.exe
Size

144KB
MD5

0a87abafc0d532f15ddb91ea04849771
SHA1

d1468975d59f7aba47f79ebf36f9412e885f3435
SHA256

cd4c2fd62fc59152c089d29cc24f214b3cad8dced2bd14e3c1df7e53e9ef47c5
SHA512

0c367bae391b293aa640a00c489e93679fd0fbd897ff0a9f44f55d70a6b9cc0f5d18f23da4b8312f7f5677d954e4117dbee05be155125a62954c0250eb1b5e84
SSDEEP

3072:DQIURTXJ+MYK/YuOn4PDjYngd8BaPlDXiVzJrWQ9:Ds9Hsng0ngg27szJr3

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
820	rundll32.exe
820	rundll32.exe
820	rundll32.exe
820	rundll32.exe
1216	WerFault.exe
1216	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1216	820	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
820	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 820	1364	cd4c2fd62fc59152c089d29cc24f214b3cad8dced2bd14e3c1df7e53e9ef47c5.exe	26
PID 1364 wrote to memory of 820	1364	cd4c2fd62fc59152c089d29cc24f214b3cad8dced2bd14e3c1df7e53e9ef47c5.exe	26
PID 1364 wrote to memory of 820	1364	cd4c2fd62fc59152c089d29cc24f214b3cad8dced2bd14e3c1df7e53e9ef47c5.exe	26
PID 1364 wrote to memory of 820	1364	cd4c2fd62fc59152c089d29cc24f214b3cad8dced2bd14e3c1df7e53e9ef47c5.exe	26
PID 1364 wrote to memory of 820	1364	cd4c2fd62fc59152c089d29cc24f214b3cad8dced2bd14e3c1df7e53e9ef47c5.exe	26
PID 1364 wrote to memory of 820	1364	cd4c2fd62fc59152c089d29cc24f214b3cad8dced2bd14e3c1df7e53e9ef47c5.exe	26
PID 1364 wrote to memory of 820	1364	cd4c2fd62fc59152c089d29cc24f214b3cad8dced2bd14e3c1df7e53e9ef47c5.exe	26
PID 820 wrote to memory of 1216	820	rundll32.exe	27
PID 820 wrote to memory of 1216	820	rundll32.exe	27
PID 820 wrote to memory of 1216	820	rundll32.exe	27
PID 820 wrote to memory of 1216	820	rundll32.exe	27

C:\Users\Admin\AppData\Local\Temp\cd4c2fd62fc59152c089d29cc24f214b3cad8dced2bd14e3c1df7e53e9ef47c5.exe
"C:\Users\Admin\AppData\Local\Temp\cd4c2fd62fc59152c089d29cc24f214b3cad8dced2bd14e3c1df7e53e9ef47c5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\nsd316F.tmp\nvhgybhf.dll",CoDeviceInstall
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 284
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd316F.tmp\nvhgybhf.dll

Filesize
300KB

MD5
7f80e17c61e61131272d0f8da1691bcd

SHA1
bc62d7a7763a7c8c179caaf893276c33033b2fce

SHA256
a9d3a51bc7459e9e8e8dadf0daeb6cad8889371ef89cfd31ed72c1d56010c77f

SHA512
55c792f6e700932b068d4a76e91029f7a9c924982dc78acd8d4e44a84ad47d5562ecc8056be91385c173203f773c239d51ae817381a8ffadcc5dec9fdeb84187

Download Submit
\Users\Admin\AppData\Local\Temp\nsd316F.tmp\nvhgybhf.dll

Filesize
300KB

MD5
7f80e17c61e61131272d0f8da1691bcd

SHA1
bc62d7a7763a7c8c179caaf893276c33033b2fce

SHA256
a9d3a51bc7459e9e8e8dadf0daeb6cad8889371ef89cfd31ed72c1d56010c77f

SHA512
55c792f6e700932b068d4a76e91029f7a9c924982dc78acd8d4e44a84ad47d5562ecc8056be91385c173203f773c239d51ae817381a8ffadcc5dec9fdeb84187

Download Submit
\Users\Admin\AppData\Local\Temp\nsd316F.tmp\nvhgybhf.dll

Filesize
300KB

MD5
7f80e17c61e61131272d0f8da1691bcd

SHA1
bc62d7a7763a7c8c179caaf893276c33033b2fce

SHA256
a9d3a51bc7459e9e8e8dadf0daeb6cad8889371ef89cfd31ed72c1d56010c77f

SHA512
55c792f6e700932b068d4a76e91029f7a9c924982dc78acd8d4e44a84ad47d5562ecc8056be91385c173203f773c239d51ae817381a8ffadcc5dec9fdeb84187

Download Submit
\Users\Admin\AppData\Local\Temp\nsd316F.tmp\nvhgybhf.dll

Filesize
300KB

MD5
7f80e17c61e61131272d0f8da1691bcd

SHA1
bc62d7a7763a7c8c179caaf893276c33033b2fce

SHA256
a9d3a51bc7459e9e8e8dadf0daeb6cad8889371ef89cfd31ed72c1d56010c77f

SHA512
55c792f6e700932b068d4a76e91029f7a9c924982dc78acd8d4e44a84ad47d5562ecc8056be91385c173203f773c239d51ae817381a8ffadcc5dec9fdeb84187

Download Submit
\Users\Admin\AppData\Local\Temp\nsd316F.tmp\nvhgybhf.dll

Filesize
300KB

MD5
7f80e17c61e61131272d0f8da1691bcd

SHA1
bc62d7a7763a7c8c179caaf893276c33033b2fce

SHA256
a9d3a51bc7459e9e8e8dadf0daeb6cad8889371ef89cfd31ed72c1d56010c77f

SHA512
55c792f6e700932b068d4a76e91029f7a9c924982dc78acd8d4e44a84ad47d5562ecc8056be91385c173203f773c239d51ae817381a8ffadcc5dec9fdeb84187

Download Submit
\Users\Admin\AppData\Local\Temp\nsd316F.tmp\nvhgybhf.dll

Filesize
300KB

MD5
7f80e17c61e61131272d0f8da1691bcd

SHA1
bc62d7a7763a7c8c179caaf893276c33033b2fce

SHA256
a9d3a51bc7459e9e8e8dadf0daeb6cad8889371ef89cfd31ed72c1d56010c77f

SHA512
55c792f6e700932b068d4a76e91029f7a9c924982dc78acd8d4e44a84ad47d5562ecc8056be91385c173203f773c239d51ae817381a8ffadcc5dec9fdeb84187

Download Submit
\Users\Admin\AppData\Local\Temp\nsd316F.tmp\nvhgybhf.dll

Filesize
300KB

MD5
7f80e17c61e61131272d0f8da1691bcd

SHA1
bc62d7a7763a7c8c179caaf893276c33033b2fce

SHA256
a9d3a51bc7459e9e8e8dadf0daeb6cad8889371ef89cfd31ed72c1d56010c77f

SHA512
55c792f6e700932b068d4a76e91029f7a9c924982dc78acd8d4e44a84ad47d5562ecc8056be91385c173203f773c239d51ae817381a8ffadcc5dec9fdeb84187

Download Submit
memory/820-65-0x0000000010000000-0x000000001004E000-memory.dmp

Filesize
312KB

Download
memory/1364-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing