dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101

General

Target

dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
Size

359KB
MD5

47baaf2fbc235eb9de77724feee480fb
SHA1

ab065af2571ab669515ab6b93379e14e7346f22d
SHA256

dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101
SHA512

b607db6e1f58eb2c4eaaf25b594ccb027cc4002194615ff0c239d4954a9ee7617c678ff19c773fb936b71e68a0ec797d205d6dc1369f41b88463c8f2ff6ea238
SSDEEP

6144:Q1db49+rEg024fpLZazEjvE/rbay19tSt4bO2BaDmeBJe59kI5MI8D0lXuk:QjkArEN249AyE/rbaMct4bO2/VJpplXF

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
220	server.exe
1340	server.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1312-132-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/1312-136-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1312-136-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 220 set thread context of 1340	220	server.exe	84

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\server.exe	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
File created	C:\Program Files (x86)\server.exe	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1396	220	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
1340	server.exe
1340	server.exe
1340	server.exe
1340	server.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 220	1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe	83
PID 1312 wrote to memory of 220	1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe	83
PID 1312 wrote to memory of 220	1312	dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe	83
PID 220 wrote to memory of 1340	220	server.exe	84
PID 220 wrote to memory of 1340	220	server.exe	84
PID 220 wrote to memory of 1340	220	server.exe	84
PID 220 wrote to memory of 1340	220	server.exe	84
PID 220 wrote to memory of 1340	220	server.exe	84
PID 220 wrote to memory of 1340	220	server.exe	84
PID 220 wrote to memory of 1340	220	server.exe	84
PID 1340 wrote to memory of 652	1340	server.exe	38
PID 1340 wrote to memory of 652	1340	server.exe	38
PID 1340 wrote to memory of 652	1340	server.exe	38
PID 1340 wrote to memory of 652	1340	server.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:652
- C:\Users\Admin\AppData\Local\Temp\dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe
  "C:\Users\Admin\AppData\Local\Temp\dfff4404103f050b6f4d89c76bad75fdd2e5e37fb9a0f1c5bb591a59e2b6c101.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Program Files (x86)\server.exe
    "C:\Program Files (x86)/server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Program Files (x86)\server.exe
      "C:\Program Files (x86)\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 280
      4⤵
      Program crash
      PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 220 -ip 220
1⤵
PID:4728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\server.exe

Filesize
67KB

MD5
b9c6a38e3663541ae5a0b906f1d15efa

SHA1
1a5195b65a5a15b09bbe21c987a028704fc1e74e

SHA256
ee07feaeaaeab5f22cce42e83ad54e9ed0c0a09fc7100043b3966e91c946b4ce

SHA512
abfb14aa7547706778978b8af35c720d36a5253773c24bb76f88c2a20cc58ee4de331c1a66937bf7ea4c2cedf9313e5318dda9ed2472696b648d57c7ec920a6d

Download Submit
C:\Program Files (x86)\server.exe

Filesize
67KB

MD5
b9c6a38e3663541ae5a0b906f1d15efa

SHA1
1a5195b65a5a15b09bbe21c987a028704fc1e74e

SHA256
ee07feaeaaeab5f22cce42e83ad54e9ed0c0a09fc7100043b3966e91c946b4ce

SHA512
abfb14aa7547706778978b8af35c720d36a5253773c24bb76f88c2a20cc58ee4de331c1a66937bf7ea4c2cedf9313e5318dda9ed2472696b648d57c7ec920a6d

Download Submit
C:\Program Files (x86)\server.exe

Filesize
67KB

MD5
b9c6a38e3663541ae5a0b906f1d15efa

SHA1
1a5195b65a5a15b09bbe21c987a028704fc1e74e

SHA256
ee07feaeaaeab5f22cce42e83ad54e9ed0c0a09fc7100043b3966e91c946b4ce

SHA512
abfb14aa7547706778978b8af35c720d36a5253773c24bb76f88c2a20cc58ee4de331c1a66937bf7ea4c2cedf9313e5318dda9ed2472696b648d57c7ec920a6d

Download Submit
memory/652-142-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1312-132-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1312-136-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1340-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1340-141-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1340-143-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1340-144-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing