e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01

General

Target

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
Size

1.4MB
MD5

6c6c16697a1a4163f878854d813e2481
SHA1

3cfaf6af2b24dcc8f960163e31d9e4b8299774d6
SHA256

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01
SHA512

42780b13a478a4b6d62495923fcfcbcab12390b2e3f263c3a2b7382695592f1c807c61d886686a25fb30ea2ab3721ca2dbb988fa71bbdcde4df6b15f57afe69a
SSDEEP

24576:eRmJkcoQricOIQxiZY1iaYU9U2A5kbcUFBO4g262ylRoYo9E:LJZoQrbTFZY1iaR9U26GcUk262h8

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe

description	pid	process	target process
PID 2184 set thread context of 212	2184	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1360 212 WerFault.exe svchost.exe

pid	pid_target	process	target process
1360	212	WerFault.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe

pid	process
2184	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
2184	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exee23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe

pid	process
1316	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
1316	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
1316	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
2184	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
2184	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
2184	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exee23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe

pid	process
1316	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
1316	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
1316	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
2184	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
2184	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
2184	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exee23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe

description	pid	process	target process
PID 1316 wrote to memory of 2184	1316	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
PID 1316 wrote to memory of 2184	1316	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
PID 1316 wrote to memory of 2184	1316	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
PID 2184 wrote to memory of 212	2184	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe
PID 2184 wrote to memory of 212	2184	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe
PID 2184 wrote to memory of 212	2184	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe
PID 2184 wrote to memory of 212	2184	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
"C:\Users\Admin\AppData\Local\Temp\e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
C:\Users\Admin\AppData\Local\Temp\e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\test.a3x"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2184

\??\c:\windows\SysWOW64\svchost.exe
"c:\windows\system32\svchost.exe"
3⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 84
4⤵
- Program crash
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 212 -ip 212
1⤵
PID:216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.a3x
Filesize
484KB

MD5
ec29165f4264777325a3ff2916356fc1

SHA1
b0eea8a09b47ee5401b5622b28d96ca88c7a1d04

SHA256
b92b1bd53e3feb88f852d8c43eca5147ef90baee939c1da20dd576f4844b595c

SHA512
4187121b736be8f644f3ad3a1b12ada0e26f551e6e5b847e6b2793e525d3aeaa0c918feb0a970b596b6835ecee7c05ce4354df110934e8cf8f719a9d08034704

Download Submit
memory/212-134-0x0000000000000000-mapping.dmp

Download
memory/2184-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads