bcda430c964ec79cb7fbaafdf69b08fbd5dc2d7f0bd1a3a7bbda5ba9048e85f0

General

Target

bcda430c964ec79cb7fbaafdf69b08fbd5dc2d7f0bd1a3a7bbda5ba9048e85f0.exe
Size

124KB
MD5

fd68f0744f7a12cd38124377e26d675c
SHA1

e74e6e950a8827f2baefe6c11d86923e06824a6b
SHA256

bcda430c964ec79cb7fbaafdf69b08fbd5dc2d7f0bd1a3a7bbda5ba9048e85f0
SHA512

eca005570f7f76d451467e8c4a7fdd8b25130e3895bc1f0bac75e6bbdcbb062d7c724058de870e672294ddd54e24a8de192abaa7c646eac549508c7700d35e72
SSDEEP

3072:qtlS53uSK5BRmOw+8p6yclYpKaFYYGBfWoq4:qzS5Y5COw+vyC7I4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1168	BlueRaTech.exe

Loads dropped DLL 7 IoCs

pid	Process
1664	bcda430c964ec79cb7fbaafdf69b08fbd5dc2d7f0bd1a3a7bbda5ba9048e85f0.exe
1664	bcda430c964ec79cb7fbaafdf69b08fbd5dc2d7f0bd1a3a7bbda5ba9048e85f0.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1520	1168	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1168	1664	bcda430c964ec79cb7fbaafdf69b08fbd5dc2d7f0bd1a3a7bbda5ba9048e85f0.exe	28
PID 1664 wrote to memory of 1168	1664	bcda430c964ec79cb7fbaafdf69b08fbd5dc2d7f0bd1a3a7bbda5ba9048e85f0.exe	28
PID 1664 wrote to memory of 1168	1664	bcda430c964ec79cb7fbaafdf69b08fbd5dc2d7f0bd1a3a7bbda5ba9048e85f0.exe	28
PID 1664 wrote to memory of 1168	1664	bcda430c964ec79cb7fbaafdf69b08fbd5dc2d7f0bd1a3a7bbda5ba9048e85f0.exe	28
PID 1168 wrote to memory of 1520	1168	BlueRaTech.exe	29
PID 1168 wrote to memory of 1520	1168	BlueRaTech.exe	29
PID 1168 wrote to memory of 1520	1168	BlueRaTech.exe	29
PID 1168 wrote to memory of 1520	1168	BlueRaTech.exe	29

C:\Users\Admin\AppData\Local\Temp\bcda430c964ec79cb7fbaafdf69b08fbd5dc2d7f0bd1a3a7bbda5ba9048e85f0.exe
"C:\Users\Admin\AppData\Local\Temp\bcda430c964ec79cb7fbaafdf69b08fbd5dc2d7f0bd1a3a7bbda5ba9048e85f0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\BlueRaTech.exe
  C:\Users\Admin\AppData\Local\Temp\BlueRaTech.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 148
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BlueRaTech.exe

Filesize
75KB

MD5
04f3b4c6bc334efebe7e410175c4dc4f

SHA1
fbf2b0171b5edc5ef716861db1072a621693d859

SHA256
10112db58174c278bcced3740e3256f122dd2945d4903f0f85459edb21d79701

SHA512
58579824f202dd3aa63d5567f50f4a9ea5fb237cc6009285e8ecb1c32b09e7e25bbd5e903ff2b7f3176fe43c3298a147cd6aa6f97a1b45e130b6fba2a862c1eb

Download Submit
\Users\Admin\AppData\Local\Temp\BlueRaTech.exe

Filesize
75KB

MD5
04f3b4c6bc334efebe7e410175c4dc4f

SHA1
fbf2b0171b5edc5ef716861db1072a621693d859

SHA256
10112db58174c278bcced3740e3256f122dd2945d4903f0f85459edb21d79701

SHA512
58579824f202dd3aa63d5567f50f4a9ea5fb237cc6009285e8ecb1c32b09e7e25bbd5e903ff2b7f3176fe43c3298a147cd6aa6f97a1b45e130b6fba2a862c1eb

Download Submit
\Users\Admin\AppData\Local\Temp\BlueRaTech.exe

Filesize
75KB

MD5
04f3b4c6bc334efebe7e410175c4dc4f

SHA1
fbf2b0171b5edc5ef716861db1072a621693d859

SHA256
10112db58174c278bcced3740e3256f122dd2945d4903f0f85459edb21d79701

SHA512
58579824f202dd3aa63d5567f50f4a9ea5fb237cc6009285e8ecb1c32b09e7e25bbd5e903ff2b7f3176fe43c3298a147cd6aa6f97a1b45e130b6fba2a862c1eb

Download Submit
\Users\Admin\AppData\Local\Temp\BlueRaTech.exe

Filesize
75KB

MD5
04f3b4c6bc334efebe7e410175c4dc4f

SHA1
fbf2b0171b5edc5ef716861db1072a621693d859

SHA256
10112db58174c278bcced3740e3256f122dd2945d4903f0f85459edb21d79701

SHA512
58579824f202dd3aa63d5567f50f4a9ea5fb237cc6009285e8ecb1c32b09e7e25bbd5e903ff2b7f3176fe43c3298a147cd6aa6f97a1b45e130b6fba2a862c1eb

Download Submit
\Users\Admin\AppData\Local\Temp\BlueRaTech.exe

Filesize
75KB

MD5
04f3b4c6bc334efebe7e410175c4dc4f

SHA1
fbf2b0171b5edc5ef716861db1072a621693d859

SHA256
10112db58174c278bcced3740e3256f122dd2945d4903f0f85459edb21d79701

SHA512
58579824f202dd3aa63d5567f50f4a9ea5fb237cc6009285e8ecb1c32b09e7e25bbd5e903ff2b7f3176fe43c3298a147cd6aa6f97a1b45e130b6fba2a862c1eb

Download Submit
\Users\Admin\AppData\Local\Temp\BlueRaTech.exe

Filesize
75KB

MD5
04f3b4c6bc334efebe7e410175c4dc4f

SHA1
fbf2b0171b5edc5ef716861db1072a621693d859

SHA256
10112db58174c278bcced3740e3256f122dd2945d4903f0f85459edb21d79701

SHA512
58579824f202dd3aa63d5567f50f4a9ea5fb237cc6009285e8ecb1c32b09e7e25bbd5e903ff2b7f3176fe43c3298a147cd6aa6f97a1b45e130b6fba2a862c1eb

Download Submit
\Users\Admin\AppData\Local\Temp\BlueRaTech.exe

Filesize
75KB

MD5
04f3b4c6bc334efebe7e410175c4dc4f

SHA1
fbf2b0171b5edc5ef716861db1072a621693d859

SHA256
10112db58174c278bcced3740e3256f122dd2945d4903f0f85459edb21d79701

SHA512
58579824f202dd3aa63d5567f50f4a9ea5fb237cc6009285e8ecb1c32b09e7e25bbd5e903ff2b7f3176fe43c3298a147cd6aa6f97a1b45e130b6fba2a862c1eb

Download Submit
\Users\Admin\AppData\Local\Temp\BlueRaTech.exe

Filesize
75KB

MD5
04f3b4c6bc334efebe7e410175c4dc4f

SHA1
fbf2b0171b5edc5ef716861db1072a621693d859

SHA256
10112db58174c278bcced3740e3256f122dd2945d4903f0f85459edb21d79701

SHA512
58579824f202dd3aa63d5567f50f4a9ea5fb237cc6009285e8ecb1c32b09e7e25bbd5e903ff2b7f3176fe43c3298a147cd6aa6f97a1b45e130b6fba2a862c1eb

Download Submit
memory/1168-59-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/1168-65-0x0000000000240000-0x0000000000257000-memory.dmp

Filesize
92KB

Download
memory/1664-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing