dcfdd9fbaead8a88da69c3c236acd023d2da6d3917b291e4890a0d525220e502

General

Target

dcfdd9fbaead8a88da69c3c236acd023d2da6d3917b291e4890a0d525220e502.exe
Size

97KB
MD5

0e8eba4e5c892aa4a09d707e35daef06
SHA1

a7b7ea36f903b7f5404c04447a53c1549442f48a
SHA256

dcfdd9fbaead8a88da69c3c236acd023d2da6d3917b291e4890a0d525220e502
SHA512

3cb3d4f98bd83372f628bd19f14ece0ebefa669c5fc3d634e70459f50f672af503764ffa0fdf12e025252437a777117ab74b91aafaf14c56cba0a816d6c823f9
SSDEEP

1536:6pgpHzb9dZVX9fHMvG0D3XJcMVqHPAfWQnrhQwRANI7LmK+utKcmjxFSs2p2T3r0:4gXdZt9P6D3XJcMVqvQBJjfm/S16rn0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1328	rmfsiknr.exe

Loads dropped DLL 5 IoCs

pid	Process
1872	dcfdd9fbaead8a88da69c3c236acd023d2da6d3917b291e4890a0d525220e502.exe
1872	dcfdd9fbaead8a88da69c3c236acd023d2da6d3917b291e4890a0d525220e502.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
848	1328	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1328	rmfsiknr.exe
1328	rmfsiknr.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1328	1872	dcfdd9fbaead8a88da69c3c236acd023d2da6d3917b291e4890a0d525220e502.exe	27
PID 1872 wrote to memory of 1328	1872	dcfdd9fbaead8a88da69c3c236acd023d2da6d3917b291e4890a0d525220e502.exe	27
PID 1872 wrote to memory of 1328	1872	dcfdd9fbaead8a88da69c3c236acd023d2da6d3917b291e4890a0d525220e502.exe	27
PID 1872 wrote to memory of 1328	1872	dcfdd9fbaead8a88da69c3c236acd023d2da6d3917b291e4890a0d525220e502.exe	27
PID 1328 wrote to memory of 848	1328	rmfsiknr.exe	28
PID 1328 wrote to memory of 848	1328	rmfsiknr.exe	28
PID 1328 wrote to memory of 848	1328	rmfsiknr.exe	28
PID 1328 wrote to memory of 848	1328	rmfsiknr.exe	28

C:\Users\Admin\AppData\Local\Temp\dcfdd9fbaead8a88da69c3c236acd023d2da6d3917b291e4890a0d525220e502.exe
"C:\Users\Admin\AppData\Local\Temp\dcfdd9fbaead8a88da69c3c236acd023d2da6d3917b291e4890a0d525220e502.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\nsoB241.tmp\rmfsiknr.exe
  C:\Users\Admin\AppData\Local\Temp\nsoB241.tmp\rmfsiknr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 248
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoB241.tmp\rmfsiknr.exe

Filesize
23KB

MD5
9775363761b511f205a8af193487289b

SHA1
49414612e36ecdcc513f1e4a5c5fb86ef4bdfce2

SHA256
bdbf687a80526d228c986fa8bed936c31b58555f957fb01a87c1a8fedc821842

SHA512
cd864e2d64a045e0755ebaecb508c0d45185d8baa3a9cf569c96cfd07cab400e1b42e5e25f0a542b64a22e219b202b8620c38bf55fc589e3b59a8f4d7b769e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB241.tmp\s92lm1ga.dat

Filesize
49KB

MD5
5478eb9ca1939bc22b3ba66a2b7ea5f1

SHA1
8fb297205f5c070d29fbfb4386c30ab9378a118c

SHA256
ccf41f66176d7ae3fb52596eba4680bc45b15b4eb5f15b438e0e802448445220

SHA512
5d893f0f513a0b59bf184fae76983a74dcebf376702665d5b8d93ede4bbf12323692897e0ca233836346505fa8c4e1660f5b08585e919e9916261041cbfc3dd8

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB241.tmp\rmfsiknr.exe

Filesize
23KB

MD5
9775363761b511f205a8af193487289b

SHA1
49414612e36ecdcc513f1e4a5c5fb86ef4bdfce2

SHA256
bdbf687a80526d228c986fa8bed936c31b58555f957fb01a87c1a8fedc821842

SHA512
cd864e2d64a045e0755ebaecb508c0d45185d8baa3a9cf569c96cfd07cab400e1b42e5e25f0a542b64a22e219b202b8620c38bf55fc589e3b59a8f4d7b769e5e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB241.tmp\rmfsiknr.exe

Filesize
23KB

MD5
9775363761b511f205a8af193487289b

SHA1
49414612e36ecdcc513f1e4a5c5fb86ef4bdfce2

SHA256
bdbf687a80526d228c986fa8bed936c31b58555f957fb01a87c1a8fedc821842

SHA512
cd864e2d64a045e0755ebaecb508c0d45185d8baa3a9cf569c96cfd07cab400e1b42e5e25f0a542b64a22e219b202b8620c38bf55fc589e3b59a8f4d7b769e5e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB241.tmp\rmfsiknr.exe

Filesize
23KB

MD5
9775363761b511f205a8af193487289b

SHA1
49414612e36ecdcc513f1e4a5c5fb86ef4bdfce2

SHA256
bdbf687a80526d228c986fa8bed936c31b58555f957fb01a87c1a8fedc821842

SHA512
cd864e2d64a045e0755ebaecb508c0d45185d8baa3a9cf569c96cfd07cab400e1b42e5e25f0a542b64a22e219b202b8620c38bf55fc589e3b59a8f4d7b769e5e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB241.tmp\rmfsiknr.exe

Filesize
23KB

MD5
9775363761b511f205a8af193487289b

SHA1
49414612e36ecdcc513f1e4a5c5fb86ef4bdfce2

SHA256
bdbf687a80526d228c986fa8bed936c31b58555f957fb01a87c1a8fedc821842

SHA512
cd864e2d64a045e0755ebaecb508c0d45185d8baa3a9cf569c96cfd07cab400e1b42e5e25f0a542b64a22e219b202b8620c38bf55fc589e3b59a8f4d7b769e5e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB241.tmp\rmfsiknr.exe

Filesize
23KB

MD5
9775363761b511f205a8af193487289b

SHA1
49414612e36ecdcc513f1e4a5c5fb86ef4bdfce2

SHA256
bdbf687a80526d228c986fa8bed936c31b58555f957fb01a87c1a8fedc821842

SHA512
cd864e2d64a045e0755ebaecb508c0d45185d8baa3a9cf569c96cfd07cab400e1b42e5e25f0a542b64a22e219b202b8620c38bf55fc589e3b59a8f4d7b769e5e

Download Submit
memory/848-67-0x0000000000000000-mapping.dmp

Download
memory/1328-57-0x0000000000000000-mapping.dmp

Download
memory/1328-59-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1328-62-0x00000000736E0000-0x00000000736FB000-memory.dmp

Filesize
108KB

Download
memory/1872-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing