d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf

General

Target

d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
Size

1.5MB
MD5

a2d2674fe920910365ec490c2271837d
SHA1

24281340c82dcfa81f0a56c667ea93048869aeef
SHA256

d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf
SHA512

e97bf4d096f1f4887d7e54c6af407ede8c3b56c0d905200a6017d2c98a360c14730050e34842fa14ecf57bdc73764f3e5d42c229ffa36d366847626b4eebc65a
SSDEEP

24576:Qutr5OUX+0HSNRdylALXlfBwUiRQs3utW65Lu31xneixByVP26L1TC71+jc6onPx:QuX1+jNClCwDus+1tfixByz541+doRXf

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

avc2011.exe

pid process

1472 avc2011.exe

pid	process
1472	avc2011.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1472-60-0x0000000001FF0000-0x00000000021CC000-memory.dmp	upx
behavioral1/memory/1472-67-0x0000000001FF0000-0x00000000021CC000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exeWerFault.exe

pid	process
1352	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
1352	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
948	WerFault.exe
948	WerFault.exe
948	WerFault.exe
948	WerFault.exe

Drops file in Program Files directory 8 IoCs

Processes:

d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe

description	ioc	process
File opened for modification	C:\Program Files\Antivirus Clean 2011\avservice.exe	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File created	C:\Program Files\Antivirus Clean 2011\avsetup.exe	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File opened for modification	C:\Program Files\Antivirus Clean 2011\avsetup.exe	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File opened for modification	C:\Program Files\Antivirus Clean 2011	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File created	C:\Program Files\Antivirus Clean 2011\__tmp_rar_sfx_access_check_7092679	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File created	C:\Program Files\Antivirus Clean 2011\avc2011.exe	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File opened for modification	C:\Program Files\Antivirus Clean 2011\avc2011.exe	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
File created	C:\Program Files\Antivirus Clean 2011\avservice.exe	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

948 1472 WerFault.exe avc2011.exe

pid	pid_target	process	target process
948	1472	WerFault.exe	avc2011.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exeavc2011.exe

description	pid	process	target process
PID 1352 wrote to memory of 1472	1352	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe	avc2011.exe
PID 1352 wrote to memory of 1472	1352	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe	avc2011.exe
PID 1352 wrote to memory of 1472	1352	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe	avc2011.exe
PID 1352 wrote to memory of 1472	1352	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe	avc2011.exe
PID 1352 wrote to memory of 1472	1352	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe	avc2011.exe
PID 1352 wrote to memory of 1472	1352	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe	avc2011.exe
PID 1352 wrote to memory of 1472	1352	d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe	avc2011.exe
PID 1472 wrote to memory of 948	1472	avc2011.exe	WerFault.exe
PID 1472 wrote to memory of 948	1472	avc2011.exe	WerFault.exe
PID 1472 wrote to memory of 948	1472	avc2011.exe	WerFault.exe
PID 1472 wrote to memory of 948	1472	avc2011.exe	WerFault.exe
PID 1472 wrote to memory of 948	1472	avc2011.exe	WerFault.exe
PID 1472 wrote to memory of 948	1472	avc2011.exe	WerFault.exe
PID 1472 wrote to memory of 948	1472	avc2011.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe
"C:\Users\Admin\AppData\Local\Temp\d1f602dc95f7c1277165d7d4c3103c5d74c188120fa85794bbde8da8850f65cf.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1352

C:\Program Files\Antivirus Clean 2011\avc2011.exe
"C:\Program Files\Antivirus Clean 2011\avc2011.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 200
3⤵
- Loads dropped DLL
- Program crash
PID:948

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Antivirus Clean 2011\avc2011.exe
Filesize
1.0MB

MD5
374f9b3e7878ba44bdb4fa6e7245203d

SHA1
c69a62efc8d68346c4fc5e31f8f5eb3258a07dc5

SHA256
1d82472c93c84ce59eabfc9ddc33b97f54ca47a78311e627df33cea14af872ca

SHA512
8769190790e4afd5686c92ca2c6c89a2ca90cfeb3a7f0a2fa223f3739a199c608c477207d7ce0fc5ba0d21e5a97f3dc230a7c67d3d4688433fa7b1c9dc996768

Download Submit
\Program Files\Antivirus Clean 2011\avc2011.exe
Filesize
1.0MB

MD5
374f9b3e7878ba44bdb4fa6e7245203d

SHA1
c69a62efc8d68346c4fc5e31f8f5eb3258a07dc5

SHA256
1d82472c93c84ce59eabfc9ddc33b97f54ca47a78311e627df33cea14af872ca

SHA512
8769190790e4afd5686c92ca2c6c89a2ca90cfeb3a7f0a2fa223f3739a199c608c477207d7ce0fc5ba0d21e5a97f3dc230a7c67d3d4688433fa7b1c9dc996768

Download Submit
\Program Files\Antivirus Clean 2011\avc2011.exe
Filesize
1.0MB

MD5
374f9b3e7878ba44bdb4fa6e7245203d

SHA1
c69a62efc8d68346c4fc5e31f8f5eb3258a07dc5

SHA256
1d82472c93c84ce59eabfc9ddc33b97f54ca47a78311e627df33cea14af872ca

SHA512
8769190790e4afd5686c92ca2c6c89a2ca90cfeb3a7f0a2fa223f3739a199c608c477207d7ce0fc5ba0d21e5a97f3dc230a7c67d3d4688433fa7b1c9dc996768

Download Submit
\Program Files\Antivirus Clean 2011\avc2011.exe
Filesize
1.0MB

MD5
374f9b3e7878ba44bdb4fa6e7245203d

SHA1
c69a62efc8d68346c4fc5e31f8f5eb3258a07dc5

SHA256
1d82472c93c84ce59eabfc9ddc33b97f54ca47a78311e627df33cea14af872ca

SHA512
8769190790e4afd5686c92ca2c6c89a2ca90cfeb3a7f0a2fa223f3739a199c608c477207d7ce0fc5ba0d21e5a97f3dc230a7c67d3d4688433fa7b1c9dc996768

Download Submit
\Program Files\Antivirus Clean 2011\avc2011.exe
Filesize
1.0MB

MD5
374f9b3e7878ba44bdb4fa6e7245203d

SHA1
c69a62efc8d68346c4fc5e31f8f5eb3258a07dc5

SHA256
1d82472c93c84ce59eabfc9ddc33b97f54ca47a78311e627df33cea14af872ca

SHA512
8769190790e4afd5686c92ca2c6c89a2ca90cfeb3a7f0a2fa223f3739a199c608c477207d7ce0fc5ba0d21e5a97f3dc230a7c67d3d4688433fa7b1c9dc996768

Download Submit
\Program Files\Antivirus Clean 2011\avc2011.exe
Filesize
1.0MB

MD5
374f9b3e7878ba44bdb4fa6e7245203d

SHA1
c69a62efc8d68346c4fc5e31f8f5eb3258a07dc5

SHA256
1d82472c93c84ce59eabfc9ddc33b97f54ca47a78311e627df33cea14af872ca

SHA512
8769190790e4afd5686c92ca2c6c89a2ca90cfeb3a7f0a2fa223f3739a199c608c477207d7ce0fc5ba0d21e5a97f3dc230a7c67d3d4688433fa7b1c9dc996768

Download Submit
\Program Files\Antivirus Clean 2011\avc2011.exe
Filesize
1.0MB

MD5
374f9b3e7878ba44bdb4fa6e7245203d

SHA1
c69a62efc8d68346c4fc5e31f8f5eb3258a07dc5

SHA256
1d82472c93c84ce59eabfc9ddc33b97f54ca47a78311e627df33cea14af872ca

SHA512
8769190790e4afd5686c92ca2c6c89a2ca90cfeb3a7f0a2fa223f3739a199c608c477207d7ce0fc5ba0d21e5a97f3dc230a7c67d3d4688433fa7b1c9dc996768

Download Submit
memory/948-62-0x0000000000000000-mapping.dmp

Download
memory/1352-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1472-57-0x0000000000000000-mapping.dmp

Download
memory/1472-60-0x0000000001FF0000-0x00000000021CC000-memory.dmp

Filesize
1.9MB

Download
memory/1472-67-0x0000000001FF0000-0x00000000021CC000-memory.dmp

Filesize
1.9MB

Download
memory/1472-68-0x00000000006E0000-0x00000000008BF000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads