6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73

General

Target

6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe
Size

685KB
MD5

40089b8d40929560a8041b3389f427d0
SHA1

152c6e1f88833bf2545a575cee2bc2525e397b70
SHA256

6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73
SHA512

417a0e5d125f95d147595afcf5d20936889e40c806b02163b441817c6c5f2a33bf3a6fa695ac919171c28f58ad9db3a3abaf2f7ea04abff105ad8be3491ecafc
SSDEEP

12288:ehkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aCVb6jc:uRmJkcoQricOIQxiZY1iaCVb8c

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleaner.lnk	6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe

Loads dropped DLL 7 IoCs

pid	Process
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe
1472	WerFault.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000800000001230e-56.dat	autoit_exe
behavioral1/files/0x000800000001230e-57.dat	autoit_exe
behavioral1/files/0x000800000001230e-59.dat	autoit_exe
behavioral1/files/0x000800000001230e-58.dat	autoit_exe
behavioral1/files/0x000800000001230e-60.dat	autoit_exe
behavioral1/files/0x000800000001230e-61.dat	autoit_exe
behavioral1/files/0x000800000001230e-62.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1472	772	WerFault.exe	27

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
772	6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 1472	772	6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe	28
PID 772 wrote to memory of 1472	772	6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe	28
PID 772 wrote to memory of 1472	772	6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe	28
PID 772 wrote to memory of 1472	772	6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe	28

C:\Users\Admin\AppData\Local\Temp\6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe
"C:\Users\Admin\AppData\Local\Temp\6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe"
1⤵
- Drops startup file
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 612
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe

Filesize
685KB

MD5
40089b8d40929560a8041b3389f427d0

SHA1
152c6e1f88833bf2545a575cee2bc2525e397b70

SHA256
6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73

SHA512
417a0e5d125f95d147595afcf5d20936889e40c806b02163b441817c6c5f2a33bf3a6fa695ac919171c28f58ad9db3a3abaf2f7ea04abff105ad8be3491ecafc

Download Submit
\Users\Admin\AppData\Local\Temp\6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe

Filesize
685KB

MD5
40089b8d40929560a8041b3389f427d0

SHA1
152c6e1f88833bf2545a575cee2bc2525e397b70

SHA256
6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73

SHA512
417a0e5d125f95d147595afcf5d20936889e40c806b02163b441817c6c5f2a33bf3a6fa695ac919171c28f58ad9db3a3abaf2f7ea04abff105ad8be3491ecafc

Download Submit
\Users\Admin\AppData\Local\Temp\6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe

Filesize
685KB

MD5
40089b8d40929560a8041b3389f427d0

SHA1
152c6e1f88833bf2545a575cee2bc2525e397b70

SHA256
6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73

SHA512
417a0e5d125f95d147595afcf5d20936889e40c806b02163b441817c6c5f2a33bf3a6fa695ac919171c28f58ad9db3a3abaf2f7ea04abff105ad8be3491ecafc

Download Submit
\Users\Admin\AppData\Local\Temp\6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe

Filesize
685KB

MD5
40089b8d40929560a8041b3389f427d0

SHA1
152c6e1f88833bf2545a575cee2bc2525e397b70

SHA256
6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73

SHA512
417a0e5d125f95d147595afcf5d20936889e40c806b02163b441817c6c5f2a33bf3a6fa695ac919171c28f58ad9db3a3abaf2f7ea04abff105ad8be3491ecafc

Download Submit
\Users\Admin\AppData\Local\Temp\6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe

Filesize
685KB

MD5
40089b8d40929560a8041b3389f427d0

SHA1
152c6e1f88833bf2545a575cee2bc2525e397b70

SHA256
6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73

SHA512
417a0e5d125f95d147595afcf5d20936889e40c806b02163b441817c6c5f2a33bf3a6fa695ac919171c28f58ad9db3a3abaf2f7ea04abff105ad8be3491ecafc

Download Submit
\Users\Admin\AppData\Local\Temp\6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe

Filesize
685KB

MD5
40089b8d40929560a8041b3389f427d0

SHA1
152c6e1f88833bf2545a575cee2bc2525e397b70

SHA256
6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73

SHA512
417a0e5d125f95d147595afcf5d20936889e40c806b02163b441817c6c5f2a33bf3a6fa695ac919171c28f58ad9db3a3abaf2f7ea04abff105ad8be3491ecafc

Download Submit
\Users\Admin\AppData\Local\Temp\6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73.exe

Filesize
685KB

MD5
40089b8d40929560a8041b3389f427d0

SHA1
152c6e1f88833bf2545a575cee2bc2525e397b70

SHA256
6772bb9422f7cf2e1ff901755f3ae561d8a494193f3320cd61d0c98bd624da73

SHA512
417a0e5d125f95d147595afcf5d20936889e40c806b02163b441817c6c5f2a33bf3a6fa695ac919171c28f58ad9db3a3abaf2f7ea04abff105ad8be3491ecafc

Download Submit
memory/772-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing