26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9

General

Target

26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
Size

1.4MB
MD5

d8ef684e0179a9d4439ca25aaf7946e3
SHA1

c85a8b63d74133376356d53aeb3c51b508fc623a
SHA256

26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9
SHA512

c74d77dd757c1640903cb64dd2b90b42d8906d19056d6fbfda7344082a0621f45ac5b1625f34715c391fdbb545581509a2bd19024fbca710b13a0ed792bb653b
SSDEEP

24576:yfna/BVJIi1fhDZlb8YNVnJgkOAdHHZTv7l5OZfOOP06iIyxJXOHYN69S0WiM:yfudv3DPjNVnJgNAdH5Tzl5OZhUIo+Hy

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1684	yiCrfu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4336	1684	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1684	yiCrfu.exe
1684	yiCrfu.exe
1684	yiCrfu.exe
1684	yiCrfu.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1684	yiCrfu.exe
1684	yiCrfu.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1684	yiCrfu.exe
1684	yiCrfu.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 3792	1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe	79
PID 1212 wrote to memory of 3792	1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe	79
PID 1212 wrote to memory of 3792	1212	26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe	79
PID 3792 wrote to memory of 1684	3792	cmd.exe	81
PID 3792 wrote to memory of 1684	3792	cmd.exe	81
PID 3792 wrote to memory of 1684	3792	cmd.exe	81
PID 1684 wrote to memory of 4300	1684	yiCrfu.exe	82
PID 1684 wrote to memory of 4300	1684	yiCrfu.exe	82
PID 1684 wrote to memory of 4300	1684	yiCrfu.exe	82
PID 1684 wrote to memory of 4300	1684	yiCrfu.exe	82
PID 1684 wrote to memory of 4300	1684	yiCrfu.exe	82

C:\Users\Admin\AppData\Local\Temp\26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe
"C:\Users\Admin\AppData\Local\Temp\26c22154c71d281c330b5aa36171a128f9b9835d8b815f95147d9e451e1f03a9.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yiCrfu.exe axMDDO
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\yiCrfu.exe
    C:\Users\Admin\AppData\Local\Temp\yiCrfu.exe axMDDO
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 740
      4⤵
      Program crash
      PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1684 -ip 1684
1⤵
PID:2748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\axMDDO

Filesize
10KB

MD5
90bf4babbe143d70e3f4b096e29b7b25

SHA1
cba59d8d62e1d2f400bcf06e6544e2f9e7f48c85

SHA256
146e59edbf739a275c6693bcbb9b69c5edd4aef2ba6143f4d3e79e2b48fbaa92

SHA512
721fd13790c35f42d9ac8f86df5e1e706f29f07083b07823f72d9f6260df0eb2d686ed2ddcc24caef773b4d4fe6f5b286832f1972b37abe832d52a03f9c5ee6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bNWOah.txt

Filesize
1.1MB

MD5
191256021efee5e8c1abf15b8cdd2914

SHA1
75ed58888dc54e1947cbc8cecd32985a07b10e11

SHA256
7101570f8471cc1f2d7d44773a0c734b0c89f279c943cbe6af9b68abcdc189e8

SHA512
9a6d7035fb76dfe9bff89554c1f260afc3ff0c5c026938b01e0d3ebe6923ce9edfeedf516f614970456e9ff796f54b7e43571bf23d723f0e868f315cde9d8f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiCrfu.exe

Filesize
510KB

MD5
bae1ae33faf5a78f92d36c5beff333aa

SHA1
224ec26c41642f65e8fa9041de4cb8be97f019eb

SHA256
1c4a358205ba1dc9a65d347dca77197dba2b571a522ed62f9eadd026f7ff51b1

SHA512
476a063043bb0020cf05c374ddfce6e96d3a63ac5ebd25218b315b8803bafb9a4317bfa1aa0c400c8d339a66efc3ba6729ece1b685a25cef8fa7018f9e8f1ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiCrfu.exe

Filesize
510KB

MD5
bae1ae33faf5a78f92d36c5beff333aa

SHA1
224ec26c41642f65e8fa9041de4cb8be97f019eb

SHA256
1c4a358205ba1dc9a65d347dca77197dba2b571a522ed62f9eadd026f7ff51b1

SHA512
476a063043bb0020cf05c374ddfce6e96d3a63ac5ebd25218b315b8803bafb9a4317bfa1aa0c400c8d339a66efc3ba6729ece1b685a25cef8fa7018f9e8f1ec8

Download Submit

Analysis

Sharing