af3d519bd12d60130d9ae029fde0d434f5840f102f6c6217bc0ecafaa9baf32d

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af3d519bd12d60130d9ae029fde0d434f5840f102f6c6217bc0ecafaa9baf32d.exe
Size

489KB
MD5

87f875ed4fb7fe7153d7601819e7c65b
SHA1

da1bedeeee6c2e0b8d24639b2394489c0f07c829
SHA256

af3d519bd12d60130d9ae029fde0d434f5840f102f6c6217bc0ecafaa9baf32d
SHA512

bb7fc532656abb7409a5410e4a443d24d52a99f4ef22ec0d910828a833fb1835426644f6061583da7547938381f183d479e04513cdc5cb4ed96650aa163d5a51
SSDEEP

12288:d+QfhJ7kNO9EoUOPKD3ypHaWIjsDEDsj:dXJ7kY9EoUpDipjED

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4132	befadegfdg_P.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4832	4132	WerFault.exe	79

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 4132	1568	af3d519bd12d60130d9ae029fde0d434f5840f102f6c6217bc0ecafaa9baf32d.exe	79
PID 1568 wrote to memory of 4132	1568	af3d519bd12d60130d9ae029fde0d434f5840f102f6c6217bc0ecafaa9baf32d.exe	79
PID 1568 wrote to memory of 4132	1568	af3d519bd12d60130d9ae029fde0d434f5840f102f6c6217bc0ecafaa9baf32d.exe	79

C:\Users\Admin\AppData\Local\Temp\af3d519bd12d60130d9ae029fde0d434f5840f102f6c6217bc0ecafaa9baf32d.exe
"C:\Users\Admin\AppData\Local\Temp\af3d519bd12d60130d9ae029fde0d434f5840f102f6c6217bc0ecafaa9baf32d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\befadegfdg_P.exe
  C:\Users\Admin\AppData\Local\Temp\befadegfdg_P.exe 6|8|9|0|5|5|7|1|1|2|7 KUhARDgsMjczMBkpS0xCS0Q9PC8eKEg9S1dKTURIQzspGic7SU5PQkM8LhkpO0BEOCsZLk9QSD5NOlRaRD08Lx4oTT1JVkBNWFRRSjZibGtwNSoocnF0Jz49SksoT0hPLD9JSiZATkFKGS5CSkI9Q0BEOBsoQzA7JisYJkQtOCYwHy09LTUkMRsqPTM8KyoaJzs1OCgqHy5OS0k8TENPWklRSFQ6PVE0ICpLS05DUzxOVzxVRzw2Hy5OS0k8TENPWkdATEM2Gic8WEBaTlFLOxkpPU9FWj5GQ0tHRz81Fy9DSkxTXkBLSU9KRU04Lh8uUkE7RkJZSlBYVFFKNhonTU04LRkuQ1EqNxgmUlBJTUhMQ1hRPUNDSkg+SEw/QD9NSUw4GyhIUl1LT0ZLSUhANnNxc14aJ0lFT1BLTUhMQFlNSkVNWj1AWFE2LBgmSEQ/Plc8LxkpQUpfP1RHQExHPFk9RUNNVElTREI2YFljc2AbKENOVUdGRzhEWkRJPDEuMSgpKDApNCwtMDArGidHQU08RUtESlhDRkpUPEdFPHNwbl8YJlRESD48MDIuKi4nMDIsLx8uQkhRRkNPPD9YU0hLPjcpKS8tKygxLy8uJDAxMzM1LDUpP0Y=
  2⤵
  - Executes dropped EXE
  PID:4132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 228
    3⤵
    - Program crash
    PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4132 -ip 4132
1⤵
PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\befadegfdg_P.exe

Filesize
674KB

MD5
93c3c1d0d5299bb9cefe9e9181a17070

SHA1
77a89de10714fd3862276d65ca4cb440628d81a4

SHA256
fbe70131b58335fc221283fe76ee5ebeef38c677ab97a7a775ec1a8beb32aaa7

SHA512
9e2871266f95a6f96fd92db2f37141f4a39b095922e1a6f482a73fbaaeb653464f4ff0e445ef3aec95e9b1f2437245ff68fd7bc1c5e5341c572b24a1e4ab0ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\befadegfdg_P.exe

Filesize
674KB

MD5
93c3c1d0d5299bb9cefe9e9181a17070

SHA1
77a89de10714fd3862276d65ca4cb440628d81a4

SHA256
fbe70131b58335fc221283fe76ee5ebeef38c677ab97a7a775ec1a8beb32aaa7

SHA512
9e2871266f95a6f96fd92db2f37141f4a39b095922e1a6f482a73fbaaeb653464f4ff0e445ef3aec95e9b1f2437245ff68fd7bc1c5e5341c572b24a1e4ab0ce3

Download Submit