1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972

General

Target

1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
Size

596KB
MD5

b09a08656becc46cf4f0547926f90cf8
SHA1

0b6f000fad78f9d9082344c724c0a2637046080e
SHA256

1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972
SHA512

cf77f7ee2720836db3f9480d244e5f3b9ed38e5ff981ae1b25c58e031571a6681886e5665c66b5303baf5880f9b75e3267e6a323c5cd18e0849bcb731bbf52de
SSDEEP

12288:ko0ZjcnNr3Sh4Ybgob0vSZcVm/IMnfiNAKrq4HMklp8W6Q1F:kPZjcnxY4eIvFMIQ6Pr7n

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ufZKjp.exe

pid process

4240 ufZKjp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ufZKjp.exe

description pid process target process

PID 4240 set thread context of 4976 4240 ufZKjp.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1312 4976 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ufZKjp.exe

pid process

4240 ufZKjp.exe
4240 ufZKjp.exe
4240 ufZKjp.exe
4240 ufZKjp.exe

pid	process
4240	ufZKjp.exe

description	pid	process	target process
PID 4240 set thread context of 4976	4240	ufZKjp.exe	svchost.exe

pid	pid_target	process	target process
1312	4976	WerFault.exe	svchost.exe

pid	process
4240	ufZKjp.exe
4240	ufZKjp.exe
4240	ufZKjp.exe
4240	ufZKjp.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe

pid	process
3436	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
3436	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
3436	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
3436	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe

pid	process
3436	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
3436	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
3436	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
3436	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.execmd.exeufZKjp.exe

description	pid	process	target process
PID 3436 wrote to memory of 3876	3436	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe	cmd.exe
PID 3436 wrote to memory of 3876	3436	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe	cmd.exe
PID 3436 wrote to memory of 3876	3436	1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe	cmd.exe
PID 3876 wrote to memory of 4240	3876	cmd.exe	ufZKjp.exe
PID 3876 wrote to memory of 4240	3876	cmd.exe	ufZKjp.exe
PID 3876 wrote to memory of 4240	3876	cmd.exe	ufZKjp.exe
PID 4240 wrote to memory of 4976	4240	ufZKjp.exe	svchost.exe
PID 4240 wrote to memory of 4976	4240	ufZKjp.exe	svchost.exe
PID 4240 wrote to memory of 4976	4240	ufZKjp.exe	svchost.exe
PID 4240 wrote to memory of 4976	4240	ufZKjp.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe
"C:\Users\Admin\AppData\Local\Temp\1bf9f2ba608fddd01e07cbcd9dd9faeb51ba56acd6664932920f3e52231ce972.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe INRpVM
2⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe
C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe INRpVM
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 84
5⤵
- Program crash
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4976 -ip 4976
1⤵
PID:4952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INRpVM
Filesize
7KB

MD5
8b6b5bb58abe252c0690506e05102e99

SHA1
174d719bbbbae1e7a89d342c70ebc162769287b9

SHA256
542a63f17deed9808021404219009bc7c63d4354e0fb28cb073e514f8bdf8ad4

SHA512
88adf4b9a805b320fb6e1aa9d2d77f452d77d9f8fd06f8afcb000d8c9a037c59c163c794aa1f6c88c1fc138a6713f40fc686332c6e2b51e4ea28647432d5db69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufZKjp.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vujVHJ.txt
Filesize
235KB

MD5
ad733659b0fa0ca5bb21c4de23d291e7

SHA1
4ea03e36ad34f8fb43ea390fe662e069dec598e5

SHA256
9c7d314ddc390b3805916fc6bf809663a9777c0560cd042b768c07a2006c55ce

SHA512
692ae106b6ba48929ebfb081718b30c9fb6efd5cb3c1e1d7fbc92665267b0812e17f0912b1897ba0a58792cd9c6f040ecc12c64fd9fd1619b1d7ce5bf3cd3811

Download Submit
memory/3876-132-0x0000000000000000-mapping.dmp

Download
memory/4240-133-0x0000000000000000-mapping.dmp

Download
memory/4976-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads