8addc46a1e996f780e9b2725a82cc2c6d59ce1f36cd1ba65167c92c933aacd19

General

Target

8addc46a1e996f780e9b2725a82cc2c6d59ce1f36cd1ba65167c92c933aacd19.exe
Size

104KB
MD5

b8997772ff477520de562d39b9a09b22
SHA1

67915490d3ff1e3bab7d64b70baa556337eea8fe
SHA256

8addc46a1e996f780e9b2725a82cc2c6d59ce1f36cd1ba65167c92c933aacd19
SHA512

29e4a35b8eb4ddfc8b462c2d4f58cd0c268dd37f2b2594bb3a03e09b1b0c1b64b30fae57c2dcfa55ee7d2a2180796455d473ba21317c8e7683935c21b1cb1859
SSDEEP

3072:4gXdZt9P6D3XJcM8kR7PGszZueuCURNi66DxKP13Lvl:4e34f8kRygZuD9RNi68xI1rl

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

wzfxydxc.exewzfxydxc.exe

pid process

1168 wzfxydxc.exe
628 wzfxydxc.exe

pid	process
1168	wzfxydxc.exe
628	wzfxydxc.exe

Loads dropped DLL 3 IoCs

Processes:

8addc46a1e996f780e9b2725a82cc2c6d59ce1f36cd1ba65167c92c933aacd19.exewzfxydxc.exe

pid	process
956	8addc46a1e996f780e9b2725a82cc2c6d59ce1f36cd1ba65167c92c933aacd19.exe
956	8addc46a1e996f780e9b2725a82cc2c6d59ce1f36cd1ba65167c92c933aacd19.exe
1168	wzfxydxc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wzfxydxc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	wzfxydxc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wzfxydxc.exe

description pid process target process

PID 1168 set thread context of 628 1168 wzfxydxc.exe wzfxydxc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

wzfxydxc.exe

pid process

628 wzfxydxc.exe
628 wzfxydxc.exe
628 wzfxydxc.exe
628 wzfxydxc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wzfxydxc.exe

pid process

1168 wzfxydxc.exe

description	pid	process	target process
PID 1168 set thread context of 628	1168	wzfxydxc.exe	wzfxydxc.exe

pid	process
628	wzfxydxc.exe
628	wzfxydxc.exe
628	wzfxydxc.exe
628	wzfxydxc.exe

pid	process
1168	wzfxydxc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

8addc46a1e996f780e9b2725a82cc2c6d59ce1f36cd1ba65167c92c933aacd19.exewzfxydxc.exe

description	pid	process	target process
PID 956 wrote to memory of 1168	956	8addc46a1e996f780e9b2725a82cc2c6d59ce1f36cd1ba65167c92c933aacd19.exe	wzfxydxc.exe
PID 956 wrote to memory of 1168	956	8addc46a1e996f780e9b2725a82cc2c6d59ce1f36cd1ba65167c92c933aacd19.exe	wzfxydxc.exe
PID 956 wrote to memory of 1168	956	8addc46a1e996f780e9b2725a82cc2c6d59ce1f36cd1ba65167c92c933aacd19.exe	wzfxydxc.exe
PID 956 wrote to memory of 1168	956	8addc46a1e996f780e9b2725a82cc2c6d59ce1f36cd1ba65167c92c933aacd19.exe	wzfxydxc.exe
PID 1168 wrote to memory of 628	1168	wzfxydxc.exe	wzfxydxc.exe
PID 1168 wrote to memory of 628	1168	wzfxydxc.exe	wzfxydxc.exe
PID 1168 wrote to memory of 628	1168	wzfxydxc.exe	wzfxydxc.exe
PID 1168 wrote to memory of 628	1168	wzfxydxc.exe	wzfxydxc.exe
PID 1168 wrote to memory of 628	1168	wzfxydxc.exe	wzfxydxc.exe
PID 1168 wrote to memory of 628	1168	wzfxydxc.exe	wzfxydxc.exe
PID 1168 wrote to memory of 628	1168	wzfxydxc.exe	wzfxydxc.exe
PID 1168 wrote to memory of 628	1168	wzfxydxc.exe	wzfxydxc.exe
PID 1168 wrote to memory of 628	1168	wzfxydxc.exe	wzfxydxc.exe

C:\Users\Admin\AppData\Local\Temp\8addc46a1e996f780e9b2725a82cc2c6d59ce1f36cd1ba65167c92c933aacd19.exe
"C:\Users\Admin\AppData\Local\Temp\8addc46a1e996f780e9b2725a82cc2c6d59ce1f36cd1ba65167c92c933aacd19.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\wzfxydxc.exe
C:\Users\Admin\AppData\Local\Temp\wzfxydxc.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\wzfxydxc.exe
C:\Users\Admin\AppData\Local\Temp\wzfxydxc.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.dat

Filesize
38KB

MD5
cc2e61b0677295f97ee463e1232fdabf

SHA1
5f26d5ee905618aca1be68753afca20af0b3421f

SHA256
8ea10fb9e21297828f13e6539fd9ce30fc5c72cf87d25563e0fbb58958c08780

SHA512
c88d4c9b35e7e0f9c433ab01f93d206832673c3420320cba083aac99ed3476073dee245a669f7182a6ca529ea5d25dc3e5439a1a368c94de47a7e70b04e6fd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzfxydxc.exe

Filesize
48KB

MD5
15774c7824d086b14d25f95f6614adda

SHA1
5f2c2490b5dca7130e0024f7241e9ae98727d878

SHA256
8ff9603d9a1084f9f8b2e5e4e05719e76494f2183ec013ae606e74c5108bf7bb

SHA512
f9715dcc1e4dcf3973f46d0d585049dc8350a4152606d57666d046e0bfbc1f3b935d84dadf092d9c4dd594e59b5099931473ac83040bf9d4498aa8f0c4d62f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzfxydxc.exe

Filesize
48KB

MD5
15774c7824d086b14d25f95f6614adda

SHA1
5f2c2490b5dca7130e0024f7241e9ae98727d878

SHA256
8ff9603d9a1084f9f8b2e5e4e05719e76494f2183ec013ae606e74c5108bf7bb

SHA512
f9715dcc1e4dcf3973f46d0d585049dc8350a4152606d57666d046e0bfbc1f3b935d84dadf092d9c4dd594e59b5099931473ac83040bf9d4498aa8f0c4d62f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzfxydxc.exe

Filesize
48KB

MD5
15774c7824d086b14d25f95f6614adda

SHA1
5f2c2490b5dca7130e0024f7241e9ae98727d878

SHA256
8ff9603d9a1084f9f8b2e5e4e05719e76494f2183ec013ae606e74c5108bf7bb

SHA512
f9715dcc1e4dcf3973f46d0d585049dc8350a4152606d57666d046e0bfbc1f3b935d84dadf092d9c4dd594e59b5099931473ac83040bf9d4498aa8f0c4d62f74

Download Submit
\Users\Admin\AppData\Local\Temp\wzfxydxc.exe

Filesize
48KB

MD5
15774c7824d086b14d25f95f6614adda

SHA1
5f2c2490b5dca7130e0024f7241e9ae98727d878

SHA256
8ff9603d9a1084f9f8b2e5e4e05719e76494f2183ec013ae606e74c5108bf7bb

SHA512
f9715dcc1e4dcf3973f46d0d585049dc8350a4152606d57666d046e0bfbc1f3b935d84dadf092d9c4dd594e59b5099931473ac83040bf9d4498aa8f0c4d62f74

Download Submit
\Users\Admin\AppData\Local\Temp\wzfxydxc.exe

Filesize
48KB

MD5
15774c7824d086b14d25f95f6614adda

SHA1
5f2c2490b5dca7130e0024f7241e9ae98727d878

SHA256
8ff9603d9a1084f9f8b2e5e4e05719e76494f2183ec013ae606e74c5108bf7bb

SHA512
f9715dcc1e4dcf3973f46d0d585049dc8350a4152606d57666d046e0bfbc1f3b935d84dadf092d9c4dd594e59b5099931473ac83040bf9d4498aa8f0c4d62f74

Download Submit
\Users\Admin\AppData\Local\Temp\wzfxydxc.exe

Filesize
48KB

MD5
15774c7824d086b14d25f95f6614adda

SHA1
5f2c2490b5dca7130e0024f7241e9ae98727d878

SHA256
8ff9603d9a1084f9f8b2e5e4e05719e76494f2183ec013ae606e74c5108bf7bb

SHA512
f9715dcc1e4dcf3973f46d0d585049dc8350a4152606d57666d046e0bfbc1f3b935d84dadf092d9c4dd594e59b5099931473ac83040bf9d4498aa8f0c4d62f74

Download Submit
memory/628-63-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/628-64-0x0000000000401FD7-mapping.dmp

Download
memory/628-67-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/628-70-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/628-74-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/956-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/1168-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads