87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7

General

Target

87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Size

4.8MB
MD5

9a36695d174a4088cb9b8a1e5c93cf93
SHA1

f18ca8c1f014506cccd892735c4b4bcc3af123af
SHA256

87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7
SHA512

e142e8250aa1e0cf1efc64f3fa1d4e13a6fc2992b1471836ca4de1554522d31588cf902f75041e82e42c934dc1d1a3ee5cfc20e36920a9fd4d643bd553f2da13
SSDEEP

98304:E6PkbdjibIYSyJn4THjxLBoNsw0+0qvhRfeTGpIh4:hPkbdj6NZpID4sw0+0KhRVO

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4820	4644	WerFault.exe	78
4404	4644	WerFault.exe	78
1168	4644	WerFault.exe	78
2712	4644	WerFault.exe	78
220	4644	WerFault.exe	78
4244	4644	WerFault.exe	78

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe

C:\Users\Admin\AppData\Local\Temp\87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe
"C:\Users\Admin\AppData\Local\Temp\87c0adbd79908f108504bfaae266aefdcbb2dc1e7ed52b0213640f242bc4c1c7.exe"
1⤵
- Checks processor information in registry
PID:4644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 828
  2⤵
  - Program crash
  PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 828
  2⤵
  - Program crash
  PID:4404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 836
  2⤵
  - Program crash
  PID:1168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 984
  2⤵
  - Program crash
  PID:2712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 836
  2⤵
  - Program crash
  PID:220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1004
  2⤵
  - Program crash
  PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4644 -ip 4644
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4644 -ip 4644
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4644 -ip 4644
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4644 -ip 4644
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4644 -ip 4644
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4644 -ip 4644
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4644-132-0x00000000029A1000-0x0000000002E56000-memory.dmp

Filesize
4.7MB

Download
memory/4644-133-0x0000000002E60000-0x00000000034CF000-memory.dmp

Filesize
6.4MB

Download
memory/4644-134-0x0000000000400000-0x0000000000A7C000-memory.dmp

Filesize
6.5MB

Download
memory/4644-135-0x0000000000400000-0x0000000000A7C000-memory.dmp

Filesize
6.5MB

Download
memory/4644-136-0x0000000000400000-0x0000000000A7C000-memory.dmp

Filesize
6.5MB

Download
memory/4644-137-0x0000000002E60000-0x00000000034CF000-memory.dmp

Filesize
6.4MB

Download
memory/4644-138-0x0000000000400000-0x0000000000A7C000-memory.dmp

Filesize
6.5MB

Download
memory/4644-139-0x00000000039E0000-0x0000000004553000-memory.dmp

Filesize
11.4MB

Download
memory/4644-140-0x00000000039E0000-0x0000000004553000-memory.dmp

Filesize
11.4MB

Download
memory/4644-141-0x00000000039E0000-0x0000000004553000-memory.dmp

Filesize
11.4MB

Download
memory/4644-142-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download
memory/4644-143-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download
memory/4644-144-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download
memory/4644-145-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download
memory/4644-146-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download
memory/4644-147-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download
memory/4644-148-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download
memory/4644-149-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing