05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d

General

Target

05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe
Size

112KB
MD5

7706876568542419a64f5e0a48d322b1
SHA1

3b6abe527b2da5c119a452d06891566e7e01b376
SHA256

05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d
SHA512

ea878b336946fbad4229eb60207265b1c66e0f8ef7c8d3e97c61e0341e92d3307f4290abcaa0211eea95fdf435522e0c5d347bbe09c4a32764bac99559daf5f9
SSDEEP

3072:TRm3h5i0hA95TJ4tzzzzzzzzzzzzzzzzzzzzzzzzzzz+a6/md31Rq3F:TRmbic44zzzzzzzzzzzzzzzzzzzzzzzW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1712	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1228 set thread context of 1096	1228	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1432	1712	WerFault.exe	29

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1916	NOTEPAD.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1096	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe
1096	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1096	1228	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	28
PID 1228 wrote to memory of 1096	1228	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	28
PID 1228 wrote to memory of 1096	1228	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	28
PID 1228 wrote to memory of 1096	1228	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	28
PID 1228 wrote to memory of 1096	1228	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	28
PID 1228 wrote to memory of 1096	1228	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	28
PID 1228 wrote to memory of 1096	1228	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	28
PID 1228 wrote to memory of 1096	1228	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	28
PID 1228 wrote to memory of 1096	1228	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	28
PID 1096 wrote to memory of 1712	1096	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	29
PID 1096 wrote to memory of 1712	1096	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	29
PID 1096 wrote to memory of 1712	1096	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	29
PID 1096 wrote to memory of 1712	1096	05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe	29
PID 1712 wrote to memory of 1916	1712	svchost.exe	30
PID 1712 wrote to memory of 1916	1712	svchost.exe	30
PID 1712 wrote to memory of 1916	1712	svchost.exe	30
PID 1712 wrote to memory of 1916	1712	svchost.exe	30
PID 1712 wrote to memory of 1432	1712	svchost.exe	32
PID 1712 wrote to memory of 1432	1712	svchost.exe	32
PID 1712 wrote to memory of 1432	1712	svchost.exe	32
PID 1712 wrote to memory of 1432	1712	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe
"C:\Users\Admin\AppData\Local\Temp\05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe
  C:\Users\Admin\AppData\Local\Temp\05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:1916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 784
      4⤵
      Program crash
      PID:1432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05a3ae0b0e40549f4fd3d2256ca1614ebf8c3265a0bc1972e974e8f668a35c9d.txt

Filesize
5B

MD5
43fb2705d9766ea761f934981936503f

SHA1
c9589c81355baab345cd121a76dcd743d65e131c

SHA256
766a90366e6cac315d05afc9c97dcd6206a7f66da260dd41d209bb6ad13947e0

SHA512
ebf82587e4a8dad580b0c6c6959c73315c584cea82c41c073aab41854a44027fbc63d3f360651e726bfe71bc9e99a1b803574715e63d462f90182291ce3dfbf4

Download Submit
memory/1096-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1096-57-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1096-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1096-60-0x0000000000408160-mapping.dmp

Download
memory/1096-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1096-64-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1432-72-0x0000000000000000-mapping.dmp

Download
memory/1712-63-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1712-66-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download
memory/1712-67-0x0000000000420000-0x00000000004A0000-memory.dmp

Filesize
512KB

Download
memory/1712-65-0x0000000000120000-0x0000000000128000-memory.dmp

Filesize
32KB

Download
memory/1712-71-0x0000000000420000-0x00000000004A0000-memory.dmp

Filesize
512KB

Download
memory/1712-62-0x0000000000000000-mapping.dmp

Download
memory/1916-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing