958e95fb09d0684059746ab4b2d229c56a3c6606a3bcbf60a656d92580d08721

General

Target

958e95fb09d0684059746ab4b2d229c56a3c6606a3bcbf60a656d92580d08721.exe
Size

300KB
MD5

1e3f95bc5a26eb0b15be2f2f98396e30
SHA1

c8587f5dfdcec4a38420691c3262801b43e8fa1f
SHA256

958e95fb09d0684059746ab4b2d229c56a3c6606a3bcbf60a656d92580d08721
SHA512

ea676029b2cca40da9b8c1824f4d69d4d68236a0f1b1f81fc291f5898445bd75895bedbb644121f108e13d9b9e00e3cdb6574ddb63730ebc1903beff888865b0
SSDEEP

6144:/1dlZro5yU3nvdyUx337YfwZtriVkeiOVjmvszo+VTg4tR7cTw:/1dlZo5yU3nv8U1awbriVk6Nx04HgTw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1828	Crypted.exe

Loads dropped DLL 6 IoCs

pid	Process
1660	958e95fb09d0684059746ab4b2d229c56a3c6606a3bcbf60a656d92580d08721.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe
1988	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1988	1828	WerFault.exe	27

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1828	1660	958e95fb09d0684059746ab4b2d229c56a3c6606a3bcbf60a656d92580d08721.exe	27
PID 1660 wrote to memory of 1828	1660	958e95fb09d0684059746ab4b2d229c56a3c6606a3bcbf60a656d92580d08721.exe	27
PID 1660 wrote to memory of 1828	1660	958e95fb09d0684059746ab4b2d229c56a3c6606a3bcbf60a656d92580d08721.exe	27
PID 1660 wrote to memory of 1828	1660	958e95fb09d0684059746ab4b2d229c56a3c6606a3bcbf60a656d92580d08721.exe	27
PID 1828 wrote to memory of 1988	1828	Crypted.exe	28
PID 1828 wrote to memory of 1988	1828	Crypted.exe	28
PID 1828 wrote to memory of 1988	1828	Crypted.exe	28
PID 1828 wrote to memory of 1988	1828	Crypted.exe	28

C:\Users\Admin\AppData\Local\Temp\958e95fb09d0684059746ab4b2d229c56a3c6606a3bcbf60a656d92580d08721.exe
"C:\Users\Admin\AppData\Local\Temp\958e95fb09d0684059746ab4b2d229c56a3c6606a3bcbf60a656d92580d08721.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Extracted\Crypted.exe
  "C:\Extracted\Crypted.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 456
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\Crypted.exe

Filesize
192KB

MD5
76b48e93e5c8c256cd65f287acb6d7f2

SHA1
643c1d6211e121c94d11207b1a124d6a17626a5c

SHA256
8321f9e987f12257e071230b7fed16be1cb1003514396a9cedb2954a15fa7f24

SHA512
5a1225bb5588a22ecd80b0b1dd11e4b25cf0f288f6b0d1f5723911b69ed6db90f33f9b12acdc2edbdd1658182ebff94b3c25b61e16e3c1fbd6d1e6d3f5a06152

Download Submit
\Extracted\Crypted.exe

Filesize
192KB

MD5
76b48e93e5c8c256cd65f287acb6d7f2

SHA1
643c1d6211e121c94d11207b1a124d6a17626a5c

SHA256
8321f9e987f12257e071230b7fed16be1cb1003514396a9cedb2954a15fa7f24

SHA512
5a1225bb5588a22ecd80b0b1dd11e4b25cf0f288f6b0d1f5723911b69ed6db90f33f9b12acdc2edbdd1658182ebff94b3c25b61e16e3c1fbd6d1e6d3f5a06152

Download Submit
\Extracted\Crypted.exe

Filesize
192KB

MD5
76b48e93e5c8c256cd65f287acb6d7f2

SHA1
643c1d6211e121c94d11207b1a124d6a17626a5c

SHA256
8321f9e987f12257e071230b7fed16be1cb1003514396a9cedb2954a15fa7f24

SHA512
5a1225bb5588a22ecd80b0b1dd11e4b25cf0f288f6b0d1f5723911b69ed6db90f33f9b12acdc2edbdd1658182ebff94b3c25b61e16e3c1fbd6d1e6d3f5a06152

Download Submit
\Extracted\Crypted.exe

Filesize
192KB

MD5
76b48e93e5c8c256cd65f287acb6d7f2

SHA1
643c1d6211e121c94d11207b1a124d6a17626a5c

SHA256
8321f9e987f12257e071230b7fed16be1cb1003514396a9cedb2954a15fa7f24

SHA512
5a1225bb5588a22ecd80b0b1dd11e4b25cf0f288f6b0d1f5723911b69ed6db90f33f9b12acdc2edbdd1658182ebff94b3c25b61e16e3c1fbd6d1e6d3f5a06152

Download Submit
\Extracted\Crypted.exe

Filesize
192KB

MD5
76b48e93e5c8c256cd65f287acb6d7f2

SHA1
643c1d6211e121c94d11207b1a124d6a17626a5c

SHA256
8321f9e987f12257e071230b7fed16be1cb1003514396a9cedb2954a15fa7f24

SHA512
5a1225bb5588a22ecd80b0b1dd11e4b25cf0f288f6b0d1f5723911b69ed6db90f33f9b12acdc2edbdd1658182ebff94b3c25b61e16e3c1fbd6d1e6d3f5a06152

Download Submit
\Extracted\Crypted.exe

Filesize
192KB

MD5
76b48e93e5c8c256cd65f287acb6d7f2

SHA1
643c1d6211e121c94d11207b1a124d6a17626a5c

SHA256
8321f9e987f12257e071230b7fed16be1cb1003514396a9cedb2954a15fa7f24

SHA512
5a1225bb5588a22ecd80b0b1dd11e4b25cf0f288f6b0d1f5723911b69ed6db90f33f9b12acdc2edbdd1658182ebff94b3c25b61e16e3c1fbd6d1e6d3f5a06152

Download Submit
\Extracted\Crypted.exe

Filesize
192KB

MD5
76b48e93e5c8c256cd65f287acb6d7f2

SHA1
643c1d6211e121c94d11207b1a124d6a17626a5c

SHA256
8321f9e987f12257e071230b7fed16be1cb1003514396a9cedb2954a15fa7f24

SHA512
5a1225bb5588a22ecd80b0b1dd11e4b25cf0f288f6b0d1f5723911b69ed6db90f33f9b12acdc2edbdd1658182ebff94b3c25b61e16e3c1fbd6d1e6d3f5a06152

Download Submit
memory/1660-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1828-56-0x0000000000000000-mapping.dmp

Download
memory/1828-58-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/1988-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing