2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d

General

Target

2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d.exe
Size

455KB
MD5

96ebda2f695dd39914e8c59510b311e0
SHA1

cef88f2190124c514a7eab5b2c270cae1e61fcbc
SHA256

2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d
SHA512

4fcca9f8070ad1672c4be25f196ffa6d161906b638c74caed3ab8856132f1c7cfef32f325fa324f58c59379bce21b483286e6561f673ead1763545c66f17e35a
SSDEEP

12288:Fkx2/vK8yrOYF6SCryrqrF6Dv+VyfezUq6aorzaFxcA:FQ2/vbLYF6SCrfF6/O6ao6YA

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2228	e567e5c.tmp
376	2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d.exe
4216	e567f56.exe

Loads dropped DLL 1 IoCs

pid	Process
376	2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4788	4216	WerFault.exe	84

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000022e19-138.dat	nsis_installer_1
behavioral2/files/0x0008000000022e19-138.dat	nsis_installer_2
behavioral2/files/0x0008000000022e19-143.dat	nsis_installer_1
behavioral2/files/0x0008000000022e19-143.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2228	2604	2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d.exe	82
PID 2604 wrote to memory of 2228	2604	2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d.exe	82
PID 2604 wrote to memory of 2228	2604	2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d.exe	82
PID 2228 wrote to memory of 376	2228	e567e5c.tmp	83
PID 2228 wrote to memory of 376	2228	e567e5c.tmp	83
PID 2228 wrote to memory of 376	2228	e567e5c.tmp	83
PID 2228 wrote to memory of 4216	2228	e567e5c.tmp	84
PID 2228 wrote to memory of 4216	2228	e567e5c.tmp	84
PID 2228 wrote to memory of 4216	2228	e567e5c.tmp	84

C:\Users\Admin\AppData\Local\Temp\2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d.exe
"C:\Users\Admin\AppData\Local\Temp\2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\e567e5c.tmp
  >C:\Users\Admin\AppData\Local\Temp\2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d.exe
    "C:\Users\Admin\AppData\Local\Temp\2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:376
- - C:\Users\Admin\AppData\Local\Temp\e567f56.exe
    "C:\Users\Admin\AppData\Local\Temp\\e567f56.exe"
    3⤵
    - Executes dropped EXE
    PID:4216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 224
      4⤵
      Program crash
      PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4216 -ip 4216
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d.exe

Filesize
227KB

MD5
3f60f894ecf5a40400d2cd6141ed9233

SHA1
f43f91fb867e103b514ccdb3bec4571565393fc7

SHA256
2e34ea7120db26f8a21ea5576352ac62020ad4a84a0a8452e7670a7f94045455

SHA512
a8b062a7c829e3e08c18efb1c6f27c6f41cbc32851296a1d40fec772b3f305e4ca1ae77e8f018e6157f6ad3e0bdd95514b68ca55bcf667e4aef45532620bbfc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d.exe

Filesize
227KB

MD5
3f60f894ecf5a40400d2cd6141ed9233

SHA1
f43f91fb867e103b514ccdb3bec4571565393fc7

SHA256
2e34ea7120db26f8a21ea5576352ac62020ad4a84a0a8452e7670a7f94045455

SHA512
a8b062a7c829e3e08c18efb1c6f27c6f41cbc32851296a1d40fec772b3f305e4ca1ae77e8f018e6157f6ad3e0bdd95514b68ca55bcf667e4aef45532620bbfc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e567e5c.tmp

Filesize
455KB

MD5
96ebda2f695dd39914e8c59510b311e0

SHA1
cef88f2190124c514a7eab5b2c270cae1e61fcbc

SHA256
2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d

SHA512
4fcca9f8070ad1672c4be25f196ffa6d161906b638c74caed3ab8856132f1c7cfef32f325fa324f58c59379bce21b483286e6561f673ead1763545c66f17e35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e567e5c.tmp

Filesize
455KB

MD5
96ebda2f695dd39914e8c59510b311e0

SHA1
cef88f2190124c514a7eab5b2c270cae1e61fcbc

SHA256
2854f4d1680f950af08694f95aa5e4d6f70134a6d5ba53fc9bf9c26c45ce432d

SHA512
4fcca9f8070ad1672c4be25f196ffa6d161906b638c74caed3ab8856132f1c7cfef32f325fa324f58c59379bce21b483286e6561f673ead1763545c66f17e35a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e567f56.exe

Filesize
208KB

MD5
6d91e4c28ea55a621320990ffd2dffa4

SHA1
f7b51886bf2c40bba04f1dd011c580c1aa9ad26e

SHA256
8b3ff8ee69e8c68b389c8de791b8ae22ff8cac6e99fc75093622492b4416e129

SHA512
189cbe39b97e1a3f55aa5764da899cfb64f978d1c26f518ed1e22094f5b66483d105d993ce7dc261662602ebe3650209a359ae45a5627a2e0d263b786af746f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e567f56.exe

Filesize
208KB

MD5
6d91e4c28ea55a621320990ffd2dffa4

SHA1
f7b51886bf2c40bba04f1dd011c580c1aa9ad26e

SHA256
8b3ff8ee69e8c68b389c8de791b8ae22ff8cac6e99fc75093622492b4416e129

SHA512
189cbe39b97e1a3f55aa5764da899cfb64f978d1c26f518ed1e22094f5b66483d105d993ce7dc261662602ebe3650209a359ae45a5627a2e0d263b786af746f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx80EE.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
memory/2228-141-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2604-136-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2604-132-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4216-145-0x0000000001000000-0x00000000010F9000-memory.dmp

Filesize
996KB

Download

Analysis

Sharing