1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487

General

Target

1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
Size

770KB
MD5

5fb5607b0f61bb044ff17e28388df490
SHA1

a5e0e097746b63d8ee36701dd040e16784df5da2
SHA256

1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487
SHA512

37fa97795ae202377263b62dce420acad9397c17aefe1ac8ea35be43bd386bdb1aa0a0ef4a0ad659359269a29180bb0036d2c7310e8b511a1136df4ac4afa25d
SSDEEP

12288:+MzEoDzA1NLzZJncwAVDZI2r1xZyLA6y3TlWW+X+a3qml9nkDRTXj69mfx:t7wnLzZ0Dr1xP6y3t+Z3Vl9nATzGGx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

vhwmdff.exevhwmdff.exe

pid process

3472 vhwmdff.exe
3888 vhwmdff.exe

pid	process
3472	vhwmdff.exe
3888	vhwmdff.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vhwmdff.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	vhwmdff.exe

Loads dropped DLL 4 IoCs

Processes:

1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exevhwmdff.exe

pid	process
3492	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
3492	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
3472	vhwmdff.exe
3472	vhwmdff.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exevhwmdff.exe

description	pid	process	target process
PID 3492 set thread context of 2864	3492	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
PID 3472 set thread context of 3888	3472	vhwmdff.exe	vhwmdff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2668 3888 WerFault.exe vhwmdff.exe

pid	pid_target	process	target process
2668	3888	WerFault.exe	vhwmdff.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exevhwmdff.exe

pid	process
2864	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
2864	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
3888	vhwmdff.exe
3888	vhwmdff.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vhwmdff.exe

description pid process

Token: SeDebugPrivilege 3888 vhwmdff.exe

description	pid	process
Token: SeDebugPrivilege	3888	vhwmdff.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exevhwmdff.exevhwmdff.exe

description	pid	process	target process
PID 3492 wrote to memory of 2864	3492	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
PID 3492 wrote to memory of 2864	3492	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
PID 3492 wrote to memory of 2864	3492	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
PID 3492 wrote to memory of 2864	3492	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
PID 3492 wrote to memory of 2864	3492	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
PID 3492 wrote to memory of 2864	3492	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe	1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
PID 3472 wrote to memory of 3888	3472	vhwmdff.exe	vhwmdff.exe
PID 3472 wrote to memory of 3888	3472	vhwmdff.exe	vhwmdff.exe
PID 3472 wrote to memory of 3888	3472	vhwmdff.exe	vhwmdff.exe
PID 3472 wrote to memory of 3888	3472	vhwmdff.exe	vhwmdff.exe
PID 3472 wrote to memory of 3888	3472	vhwmdff.exe	vhwmdff.exe
PID 3472 wrote to memory of 3888	3472	vhwmdff.exe	vhwmdff.exe
PID 3888 wrote to memory of 2700	3888	vhwmdff.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
"C:\Users\Admin\AppData\Local\Temp\1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Local\Temp\1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
"C:\Users\Admin\AppData\Local\Temp\1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2864

C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
"C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 680
3⤵
- Program crash
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3888 -ip 3888
1⤵
PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bar\lesions.wc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2C0.tmp\lesions.dll
Filesize
58KB

MD5
7f932b6120900b3173396748c5c6eb56

SHA1
05ebef281fb7848636c06a18b29626baaf993214

SHA256
efce73f68630ceab971c912c0a5887eb2b4c7b48f1e7faeb8cf52e03281a7055

SHA512
b5b59e25a5bae9fdae64309d10a0604cb7fe93f97f30b63cd0778aa7db7aa8b5c6a969c8539bdf63fb212c7f4efb4ea76a80076c84c237450897a248f15704f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2C0.tmp\lesions.dll
Filesize
58KB

MD5
7f932b6120900b3173396748c5c6eb56

SHA1
05ebef281fb7848636c06a18b29626baaf993214

SHA256
efce73f68630ceab971c912c0a5887eb2b4c7b48f1e7faeb8cf52e03281a7055

SHA512
b5b59e25a5bae9fdae64309d10a0604cb7fe93f97f30b63cd0778aa7db7aa8b5c6a969c8539bdf63fb212c7f4efb4ea76a80076c84c237450897a248f15704f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw3F0D.tmp\lesions.dll
Filesize
58KB

MD5
7f932b6120900b3173396748c5c6eb56

SHA1
05ebef281fb7848636c06a18b29626baaf993214

SHA256
efce73f68630ceab971c912c0a5887eb2b4c7b48f1e7faeb8cf52e03281a7055

SHA512
b5b59e25a5bae9fdae64309d10a0604cb7fe93f97f30b63cd0778aa7db7aa8b5c6a969c8539bdf63fb212c7f4efb4ea76a80076c84c237450897a248f15704f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw3F0D.tmp\lesions.dll
Filesize
58KB

MD5
7f932b6120900b3173396748c5c6eb56

SHA1
05ebef281fb7848636c06a18b29626baaf993214

SHA256
efce73f68630ceab971c912c0a5887eb2b4c7b48f1e7faeb8cf52e03281a7055

SHA512
b5b59e25a5bae9fdae64309d10a0604cb7fe93f97f30b63cd0778aa7db7aa8b5c6a969c8539bdf63fb212c7f4efb4ea76a80076c84c237450897a248f15704f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
Filesize
770KB

MD5
5fb5607b0f61bb044ff17e28388df490

SHA1
a5e0e097746b63d8ee36701dd040e16784df5da2

SHA256
1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487

SHA512
37fa97795ae202377263b62dce420acad9397c17aefe1ac8ea35be43bd386bdb1aa0a0ef4a0ad659359269a29180bb0036d2c7310e8b511a1136df4ac4afa25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
Filesize
770KB

MD5
5fb5607b0f61bb044ff17e28388df490

SHA1
a5e0e097746b63d8ee36701dd040e16784df5da2

SHA256
1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487

SHA512
37fa97795ae202377263b62dce420acad9397c17aefe1ac8ea35be43bd386bdb1aa0a0ef4a0ad659359269a29180bb0036d2c7310e8b511a1136df4ac4afa25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
Filesize
770KB

MD5
5fb5607b0f61bb044ff17e28388df490

SHA1
a5e0e097746b63d8ee36701dd040e16784df5da2

SHA256
1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487

SHA512
37fa97795ae202377263b62dce420acad9397c17aefe1ac8ea35be43bd386bdb1aa0a0ef4a0ad659359269a29180bb0036d2c7310e8b511a1136df4ac4afa25d

Download Submit
memory/2700-153-0x00000000035F0000-0x0000000003655000-memory.dmp

Filesize
404KB

Download
memory/2864-136-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2864-140-0x0000000000990000-0x0000000000BEF000-memory.dmp

Filesize
2.4MB

Download
memory/2864-139-0x0000000000400000-0x00000000004B0A00-memory.dmp

Filesize
706KB

Download
memory/2864-138-0x0000000000760000-0x000000000098E000-memory.dmp

Filesize
2.2MB

Download
memory/2864-135-0x0000000000000000-mapping.dmp

Download
memory/3472-146-0x0000000000770000-0x0000000000788000-memory.dmp

Filesize
96KB

Download
memory/3492-134-0x0000000002280000-0x0000000002298000-memory.dmp

Filesize
96KB

Download
memory/3888-147-0x0000000000000000-mapping.dmp

Download
memory/3888-152-0x0000000000A30000-0x0000000000C8F000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads