f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb

General

Target

f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe
Size

124KB
MD5

26817fd338b0fccaedfc316c3646487e
SHA1

1e2bf031d305529e08c44b7f2a6e202d9e7ddf18
SHA256

f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb
SHA512

3c9a86d220b940cc4b7b8b53f65bedb99b70ab44e6e7ce8c283f1c8486358462b4a75bb6ca9ff68912f89cd6361528fdb79454e7905838660fe792da961a04d0
SSDEEP

3072:qtlS53uSK5BRmhiJb2rLu5CaDMT3q/U7+Lhw:qzS5Y5Chix5XDMcw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1712	ExpressVids.exe

Loads dropped DLL 7 IoCs

pid	Process
1836	f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe
1836	f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
960	1712	WerFault.exe	27

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1712	1836	f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe	27
PID 1836 wrote to memory of 1712	1836	f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe	27
PID 1836 wrote to memory of 1712	1836	f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe	27
PID 1836 wrote to memory of 1712	1836	f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe	27
PID 1712 wrote to memory of 960	1712	ExpressVids.exe	28
PID 1712 wrote to memory of 960	1712	ExpressVids.exe	28
PID 1712 wrote to memory of 960	1712	ExpressVids.exe	28
PID 1712 wrote to memory of 960	1712	ExpressVids.exe	28

C:\Users\Admin\AppData\Local\Temp\f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe
"C:\Users\Admin\AppData\Local\Temp\f5153592a277fb24d56703c52bff0503dc30d2ae64072382d773622cabd52efb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\ExpressVids.exe
  C:\Users\Admin\AppData\Local\Temp\ExpressVids.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 148
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
75KB

MD5
7316d2bd622b30459ee64ef2e914b0f0

SHA1
0ab8ab57519e5c114e744429e34a758098ae6812

SHA256
fb7950f9c4e8199c2d139205b71b8cb3feec9719bb4faf3459a8d4ca0069b58c

SHA512
bd0c537a38202fa73f4057a82fecf871b6f1026138bf31d3a7acad5d6dc451be4f12eab11862b6cf8fb8791eeb772b0cd72bb6ca34b3d6dc4c8149fa5d706eae

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
75KB

MD5
7316d2bd622b30459ee64ef2e914b0f0

SHA1
0ab8ab57519e5c114e744429e34a758098ae6812

SHA256
fb7950f9c4e8199c2d139205b71b8cb3feec9719bb4faf3459a8d4ca0069b58c

SHA512
bd0c537a38202fa73f4057a82fecf871b6f1026138bf31d3a7acad5d6dc451be4f12eab11862b6cf8fb8791eeb772b0cd72bb6ca34b3d6dc4c8149fa5d706eae

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
75KB

MD5
7316d2bd622b30459ee64ef2e914b0f0

SHA1
0ab8ab57519e5c114e744429e34a758098ae6812

SHA256
fb7950f9c4e8199c2d139205b71b8cb3feec9719bb4faf3459a8d4ca0069b58c

SHA512
bd0c537a38202fa73f4057a82fecf871b6f1026138bf31d3a7acad5d6dc451be4f12eab11862b6cf8fb8791eeb772b0cd72bb6ca34b3d6dc4c8149fa5d706eae

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
75KB

MD5
7316d2bd622b30459ee64ef2e914b0f0

SHA1
0ab8ab57519e5c114e744429e34a758098ae6812

SHA256
fb7950f9c4e8199c2d139205b71b8cb3feec9719bb4faf3459a8d4ca0069b58c

SHA512
bd0c537a38202fa73f4057a82fecf871b6f1026138bf31d3a7acad5d6dc451be4f12eab11862b6cf8fb8791eeb772b0cd72bb6ca34b3d6dc4c8149fa5d706eae

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
75KB

MD5
7316d2bd622b30459ee64ef2e914b0f0

SHA1
0ab8ab57519e5c114e744429e34a758098ae6812

SHA256
fb7950f9c4e8199c2d139205b71b8cb3feec9719bb4faf3459a8d4ca0069b58c

SHA512
bd0c537a38202fa73f4057a82fecf871b6f1026138bf31d3a7acad5d6dc451be4f12eab11862b6cf8fb8791eeb772b0cd72bb6ca34b3d6dc4c8149fa5d706eae

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
75KB

MD5
7316d2bd622b30459ee64ef2e914b0f0

SHA1
0ab8ab57519e5c114e744429e34a758098ae6812

SHA256
fb7950f9c4e8199c2d139205b71b8cb3feec9719bb4faf3459a8d4ca0069b58c

SHA512
bd0c537a38202fa73f4057a82fecf871b6f1026138bf31d3a7acad5d6dc451be4f12eab11862b6cf8fb8791eeb772b0cd72bb6ca34b3d6dc4c8149fa5d706eae

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
75KB

MD5
7316d2bd622b30459ee64ef2e914b0f0

SHA1
0ab8ab57519e5c114e744429e34a758098ae6812

SHA256
fb7950f9c4e8199c2d139205b71b8cb3feec9719bb4faf3459a8d4ca0069b58c

SHA512
bd0c537a38202fa73f4057a82fecf871b6f1026138bf31d3a7acad5d6dc451be4f12eab11862b6cf8fb8791eeb772b0cd72bb6ca34b3d6dc4c8149fa5d706eae

Download Submit
\Users\Admin\AppData\Local\Temp\ExpressVids.exe

Filesize
75KB

MD5
7316d2bd622b30459ee64ef2e914b0f0

SHA1
0ab8ab57519e5c114e744429e34a758098ae6812

SHA256
fb7950f9c4e8199c2d139205b71b8cb3feec9719bb4faf3459a8d4ca0069b58c

SHA512
bd0c537a38202fa73f4057a82fecf871b6f1026138bf31d3a7acad5d6dc451be4f12eab11862b6cf8fb8791eeb772b0cd72bb6ca34b3d6dc4c8149fa5d706eae

Download Submit
memory/1712-59-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1712-65-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1836-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing