ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5

General

Target

ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5.exe
Size

2.5MB
MD5

73eebdabdfd327a3a0dd26832f397606
SHA1

ebc95472d9e0dde878d8ce29896619e6002b9911
SHA256

ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5
SHA512

20473661949e2091279e46dab4864e5942b7efc782180cc8d879b07c4f074b36a40c7bacdcd6f041e230f771bfc53a63638f341a1528449ab14dc2066af026aa
SSDEEP

49152:AvFp7flGSxtd67sCCKVgU/Ps+cvlijHquBTRTToarsvD/DX+y4onCYDoD5:89Gmd67svKaU/vcdibnRRzrsvD/D+do4

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3548	5555.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000000072f-141.dat	upx
behavioral2/files/0x000300000000072f-142.dat	upx
behavioral2/memory/3548-143-0x0000000001000000-0x0000000001412000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
4892	ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5.exe
4892	ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5.exe
4892	ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3096	3548	WerFault.exe	84

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4892	ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4688	4892	ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5.exe	80
PID 4892 wrote to memory of 4688	4892	ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5.exe	80
PID 4892 wrote to memory of 4688	4892	ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5.exe	80
PID 4892 wrote to memory of 4204	4892	ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5.exe	81
PID 4892 wrote to memory of 4204	4892	ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5.exe	81
PID 4892 wrote to memory of 4204	4892	ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5.exe	81
PID 4204 wrote to memory of 3548	4204	cmd.exe	84
PID 4204 wrote to memory of 3548	4204	cmd.exe	84
PID 4204 wrote to memory of 3548	4204	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5.exe
"C:\Users\Admin\AppData\Local\Temp\ae795b630803cdbf3445f61de32784882998281fd728641d0637fbc31b5ec7b5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\\2260.jpg
  2⤵
  PID:4688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\\5555.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\5555.exe
    C:\Users\Admin\AppData\Local\Temp\\5555.exe
    3⤵
    - Executes dropped EXE
    PID:3548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 560
      4⤵
      Program crash
      PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3548 -ip 3548
1⤵
PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5555.exe

Filesize
1.6MB

MD5
d9af5f64622c7b481451102dc077f04c

SHA1
33f33d20a39a9afb2d248d13677d2af668f64855

SHA256
cdbe3b1971ee33b5f461c670c0757c2038cbb99511040ea193482078e902fa70

SHA512
a281538be617a7da21cd09a99b82d934f79e5cb0b4b9bccb318b57c0f3d6a81ea74d4ffee19a73c2719cda6a030c584a7b6295b7dfa6a06d2319c27ea78189ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\5555.exe

Filesize
1.6MB

MD5
d9af5f64622c7b481451102dc077f04c

SHA1
33f33d20a39a9afb2d248d13677d2af668f64855

SHA256
cdbe3b1971ee33b5f461c670c0757c2038cbb99511040ea193482078e902fa70

SHA512
a281538be617a7da21cd09a99b82d934f79e5cb0b4b9bccb318b57c0f3d6a81ea74d4ffee19a73c2719cda6a030c584a7b6295b7dfa6a06d2319c27ea78189ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
97c8fe752e354b2945e4c593a87e4a8b

SHA1
03ab4c91535ecf14b13e0258f3a7be459a7957f9

SHA256
820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

SHA512
af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
56KB

MD5
d63851f89c7ad4615565ca300e8b8e27

SHA1
1c9a6c1ce94581f85be0e99e2d370384b959578f

SHA256
0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

SHA512
623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
56KB

MD5
d63851f89c7ad4615565ca300e8b8e27

SHA1
1c9a6c1ce94581f85be0e99e2d370384b959578f

SHA256
0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

SHA512
623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

Download Submit
memory/3548-143-0x0000000001000000-0x0000000001412000-memory.dmp

Filesize
4.1MB

Download
memory/4892-132-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4892-136-0x0000000002170000-0x0000000002184000-memory.dmp

Filesize
80KB

Download
memory/4892-139-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing