2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f

General

Target

2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe
Size

338KB
MD5

2b5b0932b4ade5f527e708ab706c93be
SHA1

0a751cd77a783016d3435642d3ac5f4216430df0
SHA256

2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f
SHA512

0837eba9ed38420137d35e5979b2a576036919cad6583a67ebe46590359ed21282ab666ee7769387d1ee66549845c796c74d60dc8d0006385f491e497980a5b6
SSDEEP

6144:6lZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76l2PIDNogwM1:6HLUMuiv9RgfSjAzRty5CgwM1

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1616	server.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1484-60-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1484	2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe
1484	2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1484-60-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1324	1616	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1616	1484	2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe	28
PID 1484 wrote to memory of 1616	1484	2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe	28
PID 1484 wrote to memory of 1616	1484	2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe	28
PID 1484 wrote to memory of 1616	1484	2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe	28
PID 1616 wrote to memory of 1324	1616	server.exe	29
PID 1616 wrote to memory of 1324	1616	server.exe	29
PID 1616 wrote to memory of 1324	1616	server.exe	29
PID 1616 wrote to memory of 1324	1616	server.exe	29

C:\Users\Admin\AppData\Local\Temp\2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe
"C:\Users\Admin\AppData\Local\Temp\2bb2e6320ee0d10a0364417bdb84381cece15babc6481b12c0b45960b5096c6f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\server.exe
  C:\Users\Admin\AppData\Local\Temp/server.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 120
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
61KB

MD5
7b18b8772616f942960418f5c6e7e31b

SHA1
fca3e6cf5e85a876cc2ea1754592c6c42a6f07ce

SHA256
79f7ee55ebf9f8c91dd4a15c11c2656563383bd890f9d0c68b2e158e5be81346

SHA512
5f2886322e8f26be58b2cbd1781bbf6edcaa7036c60032a456b66a85dd85b54d86972e67e1fe05c25831b783179099b2315c52d49bcda0edf978a9dc73cfdf68

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
61KB

MD5
7b18b8772616f942960418f5c6e7e31b

SHA1
fca3e6cf5e85a876cc2ea1754592c6c42a6f07ce

SHA256
79f7ee55ebf9f8c91dd4a15c11c2656563383bd890f9d0c68b2e158e5be81346

SHA512
5f2886322e8f26be58b2cbd1781bbf6edcaa7036c60032a456b66a85dd85b54d86972e67e1fe05c25831b783179099b2315c52d49bcda0edf978a9dc73cfdf68

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
61KB

MD5
7b18b8772616f942960418f5c6e7e31b

SHA1
fca3e6cf5e85a876cc2ea1754592c6c42a6f07ce

SHA256
79f7ee55ebf9f8c91dd4a15c11c2656563383bd890f9d0c68b2e158e5be81346

SHA512
5f2886322e8f26be58b2cbd1781bbf6edcaa7036c60032a456b66a85dd85b54d86972e67e1fe05c25831b783179099b2315c52d49bcda0edf978a9dc73cfdf68

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
61KB

MD5
7b18b8772616f942960418f5c6e7e31b

SHA1
fca3e6cf5e85a876cc2ea1754592c6c42a6f07ce

SHA256
79f7ee55ebf9f8c91dd4a15c11c2656563383bd890f9d0c68b2e158e5be81346

SHA512
5f2886322e8f26be58b2cbd1781bbf6edcaa7036c60032a456b66a85dd85b54d86972e67e1fe05c25831b783179099b2315c52d49bcda0edf978a9dc73cfdf68

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
61KB

MD5
7b18b8772616f942960418f5c6e7e31b

SHA1
fca3e6cf5e85a876cc2ea1754592c6c42a6f07ce

SHA256
79f7ee55ebf9f8c91dd4a15c11c2656563383bd890f9d0c68b2e158e5be81346

SHA512
5f2886322e8f26be58b2cbd1781bbf6edcaa7036c60032a456b66a85dd85b54d86972e67e1fe05c25831b783179099b2315c52d49bcda0edf978a9dc73cfdf68

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
61KB

MD5
7b18b8772616f942960418f5c6e7e31b

SHA1
fca3e6cf5e85a876cc2ea1754592c6c42a6f07ce

SHA256
79f7ee55ebf9f8c91dd4a15c11c2656563383bd890f9d0c68b2e158e5be81346

SHA512
5f2886322e8f26be58b2cbd1781bbf6edcaa7036c60032a456b66a85dd85b54d86972e67e1fe05c25831b783179099b2315c52d49bcda0edf978a9dc73cfdf68

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
61KB

MD5
7b18b8772616f942960418f5c6e7e31b

SHA1
fca3e6cf5e85a876cc2ea1754592c6c42a6f07ce

SHA256
79f7ee55ebf9f8c91dd4a15c11c2656563383bd890f9d0c68b2e158e5be81346

SHA512
5f2886322e8f26be58b2cbd1781bbf6edcaa7036c60032a456b66a85dd85b54d86972e67e1fe05c25831b783179099b2315c52d49bcda0edf978a9dc73cfdf68

Download Submit
memory/1324-61-0x0000000000000000-mapping.dmp

Download
memory/1484-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1484-60-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1616-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing