b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea

General

Target

b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
Size

182KB
MD5

bceb88668190427c178ea7ca11f8e878
SHA1

7e2a0ad49638f2744a7bf16c2af77a2b0177461e
SHA256

b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea
SHA512

3d98c0ea36b8f750b7404f8429e7a9d826150dbc12cfee018956e8c60a7f9587c4c8e3f59339cfbce4f1451f6c4e5057a5f03b864b4ca6ceb35560b7b3755e81
SSDEEP

3072:KQoOG/Xth9DrXJWCpWEPjAsq5dhTSnP18uVpw+83C8xvWPrVjr8vNaPTNfCiJY:KQ4/pLQGqhWVpw+8y8xv+p2aLLY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe

pid	process
4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

816 5048 WerFault.exe iexplore.exe

pid	pid_target	process	target process
816	5048	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe

description	pid	process	target process
PID 4908 set thread context of 4296	4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exeiexplore.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	4296	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
Token: SeDebugPrivilege	4168	iexplore.exe
Token: SeDebugPrivilege	5048	iexplore.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exeb1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exeiexplore.exe

description	pid	process	target process
PID 4908 wrote to memory of 4296	4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 4908 wrote to memory of 4296	4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 4908 wrote to memory of 4296	4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 4908 wrote to memory of 4296	4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 4908 wrote to memory of 4296	4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 4908 wrote to memory of 4296	4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 4908 wrote to memory of 4296	4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 4908 wrote to memory of 4296	4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 4908 wrote to memory of 4296	4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 4908 wrote to memory of 4296	4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 4908 wrote to memory of 4296	4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 4908 wrote to memory of 4296	4908	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 4296 wrote to memory of 4168	4296	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	iexplore.exe
PID 4296 wrote to memory of 4168	4296	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	iexplore.exe
PID 4296 wrote to memory of 4168	4296	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	iexplore.exe
PID 4296 wrote to memory of 4168	4296	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	iexplore.exe
PID 4296 wrote to memory of 4168	4296	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	iexplore.exe
PID 4168 wrote to memory of 5048	4168	iexplore.exe	iexplore.exe
PID 4168 wrote to memory of 5048	4168	iexplore.exe	iexplore.exe
PID 4168 wrote to memory of 5048	4168	iexplore.exe	iexplore.exe
PID 4168 wrote to memory of 5048	4168	iexplore.exe	iexplore.exe
PID 4168 wrote to memory of 5048	4168	iexplore.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
"C:\Users\Admin\AppData\Local\Temp\b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\Temp\b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
"C:\Users\Admin\AppData\Local\Temp\b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 676
5⤵
- Program crash
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 5048 -ip 5048
1⤵
PID:2736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsf2D6B.tmp\bwJbyexASCbf.dll

Filesize
118KB

MD5
bee2bc7ca85e944a77dcf8be9bd8b7e1

SHA1
561e8f534eb2da783e2aa72a678b4967d71bdf23

SHA256
2b1c9ebd08e2c2286590e20f1777b07163dfa2706f12735a9317c3423ca71bf8

SHA512
51e385786e6de3f8b432be3f9cff5709b3d059a9183314dc6f69ac8b19c0809622964471aac21f5f1a67b9fc888dc2ba9969d1e015bb4fbb93de18fb6251c90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf2D6B.tmp\bwJbyexASCbf.dll

Filesize
118KB

MD5
bee2bc7ca85e944a77dcf8be9bd8b7e1

SHA1
561e8f534eb2da783e2aa72a678b4967d71bdf23

SHA256
2b1c9ebd08e2c2286590e20f1777b07163dfa2706f12735a9317c3423ca71bf8

SHA512
51e385786e6de3f8b432be3f9cff5709b3d059a9183314dc6f69ac8b19c0809622964471aac21f5f1a67b9fc888dc2ba9969d1e015bb4fbb93de18fb6251c90f

Download Submit
memory/4296-135-0x0000000000000000-mapping.dmp

Download
memory/4296-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4296-138-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4296-139-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4908-134-0x00000000022A0000-0x00000000022C6000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads