f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e

General

Target

f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe
Size

168KB
MD5

84bde147952c733a576987980796f580
SHA1

b56dad6e162ea2bf28181a0178597922e417dc40
SHA256

f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e
SHA512

274c21d858679adca8a3f791d2b16cabf7f7a9af5ae601ebf77bbc081aad89bb8bb1f618fd53f7e8e74bdb1acaaf6706c3cf8bfa91481d33e22e87ce28ada023
SSDEEP

3072:TQIURTXJXdMn35l27PZA4Qi1a8njb8aDryvx1tNt+UNNOXXT/8NFfNAP:Tsc3iZZaEn8Er8f0yOHT/0lAP

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2016	f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe
2016	f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe
828	regsvr32.exe
972	WerFault.exe
972	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
972	828	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
828	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 828	2016	f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe	26
PID 2016 wrote to memory of 828	2016	f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe	26
PID 2016 wrote to memory of 828	2016	f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe	26
PID 2016 wrote to memory of 828	2016	f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe	26
PID 2016 wrote to memory of 828	2016	f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe	26
PID 2016 wrote to memory of 828	2016	f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe	26
PID 2016 wrote to memory of 828	2016	f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe	26
PID 828 wrote to memory of 972	828	regsvr32.exe	27
PID 828 wrote to memory of 972	828	regsvr32.exe	27
PID 828 wrote to memory of 972	828	regsvr32.exe	27
PID 828 wrote to memory of 972	828	regsvr32.exe	27

C:\Users\Admin\AppData\Local\Temp\f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe
"C:\Users\Admin\AppData\Local\Temp\f0db1d24ff4c6b7a5bf5403728dc7e221c44620af99326075a090d7daaf0056e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\nso3161.tmp\hvlduxmp.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 312
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso3161.tmp\hvlduxmp.dll

Filesize
724KB

MD5
c8ba018ed4a06c28657146326151c5d8

SHA1
65670a104b327629622355be14b1d78de3e2f81f

SHA256
ce8e58a59ab8d325618cfd4b144bb327a35e11674b069f76fc43b3696c3a25b5

SHA512
2ecf565ed5db63b84197cfebc80adcee84b6c9ccd201c900a9947cafde34ec1bb64a1b166d31363a70f4dc0e52ee3e80e70d64e0ed3d036a8acd39f0a5f4f24e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj3141.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj3141.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nso3161.tmp\hvlduxmp.dll

Filesize
724KB

MD5
c8ba018ed4a06c28657146326151c5d8

SHA1
65670a104b327629622355be14b1d78de3e2f81f

SHA256
ce8e58a59ab8d325618cfd4b144bb327a35e11674b069f76fc43b3696c3a25b5

SHA512
2ecf565ed5db63b84197cfebc80adcee84b6c9ccd201c900a9947cafde34ec1bb64a1b166d31363a70f4dc0e52ee3e80e70d64e0ed3d036a8acd39f0a5f4f24e

Download Submit
\Users\Admin\AppData\Local\Temp\nso3161.tmp\hvlduxmp.dll

Filesize
724KB

MD5
c8ba018ed4a06c28657146326151c5d8

SHA1
65670a104b327629622355be14b1d78de3e2f81f

SHA256
ce8e58a59ab8d325618cfd4b144bb327a35e11674b069f76fc43b3696c3a25b5

SHA512
2ecf565ed5db63b84197cfebc80adcee84b6c9ccd201c900a9947cafde34ec1bb64a1b166d31363a70f4dc0e52ee3e80e70d64e0ed3d036a8acd39f0a5f4f24e

Download Submit
\Users\Admin\AppData\Local\Temp\nso3161.tmp\hvlduxmp.dll

Filesize
724KB

MD5
c8ba018ed4a06c28657146326151c5d8

SHA1
65670a104b327629622355be14b1d78de3e2f81f

SHA256
ce8e58a59ab8d325618cfd4b144bb327a35e11674b069f76fc43b3696c3a25b5

SHA512
2ecf565ed5db63b84197cfebc80adcee84b6c9ccd201c900a9947cafde34ec1bb64a1b166d31363a70f4dc0e52ee3e80e70d64e0ed3d036a8acd39f0a5f4f24e

Download Submit
memory/828-64-0x0000000074E40000-0x0000000074EF7000-memory.dmp

Filesize
732KB

Download
memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing