8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272

General

Target

8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe
Size

38KB
MD5

b1bf72c9c9bfc9b16f0bba3135de8377
SHA1

a83c333d22d3e440a4a57cc03ea1318c35573853
SHA256

8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272
SHA512

b4062697d47415b7475f2c756b1671a14b4945621202311b97a782aea1f2acb5fa900ce37940ac7aa8d038a9bcbc633e9bcc2bb2a8838b1422377e3cd43a8584
SSDEEP

768:9VO48tURyrl6iaLcuR+G7UxFEtTJFFXC3CKegOP:O4QUIrl3a5RCxOHFy3dC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
972	decrypted.exe

Loads dropped DLL 5 IoCs

pid	Process
1900	8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe
1900	8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1384	972	WerFault.exe	28

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1900	8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 972	1900	8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe	28
PID 1900 wrote to memory of 972	1900	8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe	28
PID 1900 wrote to memory of 972	1900	8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe	28
PID 1900 wrote to memory of 972	1900	8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe	28
PID 972 wrote to memory of 1384	972	decrypted.exe	29
PID 972 wrote to memory of 1384	972	decrypted.exe	29
PID 972 wrote to memory of 1384	972	decrypted.exe	29
PID 972 wrote to memory of 1384	972	decrypted.exe	29

C:\Users\Admin\AppData\Local\Temp\8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe
"C:\Users\Admin\AppData\Local\Temp\8c14c0bca0e2096bd8d5b25669043c05bcc32c414c944358460c779cd7b5d272.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\decrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\decrypted.exe

Filesize
18KB

MD5
b6c14514b988e297c03f0019dd120f5c

SHA1
de0e8a847866e5bd33bfe18df1a5de6668c624d0

SHA256
ef572c4809c415f36959f1b7435bb665b7eca83d6dd42450ddbc1c78bc205a77

SHA512
bafbffdac3523e52f5ee079a85800c1bcec10a9d2559ff1517a87835bede61c1950814d7df442e6da698d35adaa36f5ce1c1e7a15264d3238d254649193582d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\decrypted.exe

Filesize
18KB

MD5
b6c14514b988e297c03f0019dd120f5c

SHA1
de0e8a847866e5bd33bfe18df1a5de6668c624d0

SHA256
ef572c4809c415f36959f1b7435bb665b7eca83d6dd42450ddbc1c78bc205a77

SHA512
bafbffdac3523e52f5ee079a85800c1bcec10a9d2559ff1517a87835bede61c1950814d7df442e6da698d35adaa36f5ce1c1e7a15264d3238d254649193582d5

Download Submit
\Users\Admin\AppData\Local\Temp\decrypted.exe

Filesize
18KB

MD5
b6c14514b988e297c03f0019dd120f5c

SHA1
de0e8a847866e5bd33bfe18df1a5de6668c624d0

SHA256
ef572c4809c415f36959f1b7435bb665b7eca83d6dd42450ddbc1c78bc205a77

SHA512
bafbffdac3523e52f5ee079a85800c1bcec10a9d2559ff1517a87835bede61c1950814d7df442e6da698d35adaa36f5ce1c1e7a15264d3238d254649193582d5

Download Submit
\Users\Admin\AppData\Local\Temp\decrypted.exe

Filesize
18KB

MD5
b6c14514b988e297c03f0019dd120f5c

SHA1
de0e8a847866e5bd33bfe18df1a5de6668c624d0

SHA256
ef572c4809c415f36959f1b7435bb665b7eca83d6dd42450ddbc1c78bc205a77

SHA512
bafbffdac3523e52f5ee079a85800c1bcec10a9d2559ff1517a87835bede61c1950814d7df442e6da698d35adaa36f5ce1c1e7a15264d3238d254649193582d5

Download Submit
\Users\Admin\AppData\Local\Temp\decrypted.exe

Filesize
18KB

MD5
b6c14514b988e297c03f0019dd120f5c

SHA1
de0e8a847866e5bd33bfe18df1a5de6668c624d0

SHA256
ef572c4809c415f36959f1b7435bb665b7eca83d6dd42450ddbc1c78bc205a77

SHA512
bafbffdac3523e52f5ee079a85800c1bcec10a9d2559ff1517a87835bede61c1950814d7df442e6da698d35adaa36f5ce1c1e7a15264d3238d254649193582d5

Download Submit
\Users\Admin\AppData\Local\Temp\decrypted.exe

Filesize
18KB

MD5
b6c14514b988e297c03f0019dd120f5c

SHA1
de0e8a847866e5bd33bfe18df1a5de6668c624d0

SHA256
ef572c4809c415f36959f1b7435bb665b7eca83d6dd42450ddbc1c78bc205a77

SHA512
bafbffdac3523e52f5ee079a85800c1bcec10a9d2559ff1517a87835bede61c1950814d7df442e6da698d35adaa36f5ce1c1e7a15264d3238d254649193582d5

Download Submit
\Users\Admin\AppData\Local\Temp\decrypted.exe

Filesize
18KB

MD5
b6c14514b988e297c03f0019dd120f5c

SHA1
de0e8a847866e5bd33bfe18df1a5de6668c624d0

SHA256
ef572c4809c415f36959f1b7435bb665b7eca83d6dd42450ddbc1c78bc205a77

SHA512
bafbffdac3523e52f5ee079a85800c1bcec10a9d2559ff1517a87835bede61c1950814d7df442e6da698d35adaa36f5ce1c1e7a15264d3238d254649193582d5

Download Submit
memory/972-62-0x0000000000402000-0x0000000000405000-memory.dmp

Filesize
12KB

Download
memory/972-63-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1900-56-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing