f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c

General

Target

f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe
Size

542KB
MD5

0e3af8520b4d7737f759c9a70b8f7e75
SHA1

613bb28a2d8460368accf27323191b49ae0ae40e
SHA256

f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c
SHA512

6b9fa9b561fb9ad1be0aed80db208986a259a67b4232d8f19243aa9319fb2af94735df9484c9619fbb1471a829b5a264e176cdcad1ac43b9666ffb381c29ddf5
SSDEEP

6144:skQdh1gQZpdi1gSaF2vL1V22NTlaHj+LIayFlbw3uwSJogne7NPyF8OmFbJ:s51JZpZS2uV2Ql0jQIzIQJrn0yFc

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1496	pGZsDH0.exe
1616	fMcBjC1.exe

Loads dropped DLL 6 IoCs

pid	Process
1996	f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe
1996	f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe
1996	f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe
1424	WerFault.exe
1424	WerFault.exe
1424	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1424	1496	WerFault.exe	27

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1616	fMcBjC1.exe
1616	fMcBjC1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1496	1996	f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe	27
PID 1996 wrote to memory of 1496	1996	f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe	27
PID 1996 wrote to memory of 1496	1996	f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe	27
PID 1996 wrote to memory of 1496	1996	f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe	27
PID 1996 wrote to memory of 1616	1996	f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe	28
PID 1996 wrote to memory of 1616	1996	f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe	28
PID 1996 wrote to memory of 1616	1996	f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe	28
PID 1996 wrote to memory of 1616	1996	f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe	28
PID 1496 wrote to memory of 1424	1496	pGZsDH0.exe	29
PID 1496 wrote to memory of 1424	1496	pGZsDH0.exe	29
PID 1496 wrote to memory of 1424	1496	pGZsDH0.exe	29
PID 1496 wrote to memory of 1424	1496	pGZsDH0.exe	29

C:\Users\Admin\AppData\Local\Temp\f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe
"C:\Users\Admin\AppData\Local\Temp\f8fa7ed7d4114746aa6df182f4442f192329d788635de37ef7679bd31bc09c0c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\pGZsDH0.exe
  "C:\Users\Admin\AppData\Local\Temp\pGZsDH0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 192
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1424
- C:\Users\Admin\AppData\Local\Temp\fMcBjC1.exe
  "C:\Users\Admin\AppData\Local\Temp\fMcBjC1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fMcBjC1.exe

Filesize
364KB

MD5
5b3f5eb8ddd69f3a283c180b6cc82ec3

SHA1
04f253041dbedb78255f054d30ff627e68c3e8f7

SHA256
626a4de384f52dbdb344354dade251d37084384d57d54f2de580bc0f3fdbf577

SHA512
2e8ec03fcca0ac5bc8f520899f5c9cb516a96a116cec56555b378f0803e8c70be9ea8f1e8916f994195d051b1316151bf7cf2e065aa3614616af40c0c92dc412

Download Submit
C:\Users\Admin\AppData\Local\Temp\pGZsDH0.exe

Filesize
90KB

MD5
6d5edb0523f7f3d9627b9e4e8f939119

SHA1
eb52dbaa4f1bf83401d0d21d0e58450fcf5c5d88

SHA256
da618769cff67f9b45b01d1458ef9801dd7984d295f8fd98db7f259012b76817

SHA512
690343ba203e02ea3275c348334d29ffe8527ac66653440c6c4e4f3539a59ff7434c6fc4a1e0176a1a119d6443b0a1ca957e8d3710708be8a8088b745de6e686

Download Submit
\Users\Admin\AppData\Local\Temp\fMcBjC1.exe

Filesize
364KB

MD5
5b3f5eb8ddd69f3a283c180b6cc82ec3

SHA1
04f253041dbedb78255f054d30ff627e68c3e8f7

SHA256
626a4de384f52dbdb344354dade251d37084384d57d54f2de580bc0f3fdbf577

SHA512
2e8ec03fcca0ac5bc8f520899f5c9cb516a96a116cec56555b378f0803e8c70be9ea8f1e8916f994195d051b1316151bf7cf2e065aa3614616af40c0c92dc412

Download Submit
\Users\Admin\AppData\Local\Temp\fMcBjC1.exe

Filesize
364KB

MD5
5b3f5eb8ddd69f3a283c180b6cc82ec3

SHA1
04f253041dbedb78255f054d30ff627e68c3e8f7

SHA256
626a4de384f52dbdb344354dade251d37084384d57d54f2de580bc0f3fdbf577

SHA512
2e8ec03fcca0ac5bc8f520899f5c9cb516a96a116cec56555b378f0803e8c70be9ea8f1e8916f994195d051b1316151bf7cf2e065aa3614616af40c0c92dc412

Download Submit
\Users\Admin\AppData\Local\Temp\pGZsDH0.exe

Filesize
90KB

MD5
6d5edb0523f7f3d9627b9e4e8f939119

SHA1
eb52dbaa4f1bf83401d0d21d0e58450fcf5c5d88

SHA256
da618769cff67f9b45b01d1458ef9801dd7984d295f8fd98db7f259012b76817

SHA512
690343ba203e02ea3275c348334d29ffe8527ac66653440c6c4e4f3539a59ff7434c6fc4a1e0176a1a119d6443b0a1ca957e8d3710708be8a8088b745de6e686

Download Submit
\Users\Admin\AppData\Local\Temp\pGZsDH0.exe

Filesize
90KB

MD5
6d5edb0523f7f3d9627b9e4e8f939119

SHA1
eb52dbaa4f1bf83401d0d21d0e58450fcf5c5d88

SHA256
da618769cff67f9b45b01d1458ef9801dd7984d295f8fd98db7f259012b76817

SHA512
690343ba203e02ea3275c348334d29ffe8527ac66653440c6c4e4f3539a59ff7434c6fc4a1e0176a1a119d6443b0a1ca957e8d3710708be8a8088b745de6e686

Download Submit
\Users\Admin\AppData\Local\Temp\pGZsDH0.exe

Filesize
90KB

MD5
6d5edb0523f7f3d9627b9e4e8f939119

SHA1
eb52dbaa4f1bf83401d0d21d0e58450fcf5c5d88

SHA256
da618769cff67f9b45b01d1458ef9801dd7984d295f8fd98db7f259012b76817

SHA512
690343ba203e02ea3275c348334d29ffe8527ac66653440c6c4e4f3539a59ff7434c6fc4a1e0176a1a119d6443b0a1ca957e8d3710708be8a8088b745de6e686

Download Submit
\Users\Admin\AppData\Local\Temp\pGZsDH0.exe

Filesize
90KB

MD5
6d5edb0523f7f3d9627b9e4e8f939119

SHA1
eb52dbaa4f1bf83401d0d21d0e58450fcf5c5d88

SHA256
da618769cff67f9b45b01d1458ef9801dd7984d295f8fd98db7f259012b76817

SHA512
690343ba203e02ea3275c348334d29ffe8527ac66653440c6c4e4f3539a59ff7434c6fc4a1e0176a1a119d6443b0a1ca957e8d3710708be8a8088b745de6e686

Download Submit
memory/1496-67-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/1996-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing