8d73747ba178784cf760985cb4254b8d178ec2a8ce07b58e782fcd3cd40ada51

General

Target

76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe
Size

622KB
MD5

4a35d67996cdcde8da42ba8e40015738
SHA1

21342be12a055a2c1caffd73cc7866c81cb3e585
SHA256

76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c
SHA512

96f3904de25540397b1a499828f1781c943ffba4d42e2028b6ab322dbb3916bc03adf5ca084bf2afa3a90272a9c986e7d11b23e26ab86856225b0d0aef9f8ad2
SSDEEP

12288:U/C3Xp1sthiBKo+NJv9B3K6EwC2EQcmowOmA9BRMsrLS3t5r0I1Uu:e+Xp14hiBr+NJDvEwFQBPMqLS3kIC

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

DSFHJ7.EXE

pid process

692 DSFHJ7.EXE
Loads dropped DLL 6 IoCs

Processes:

RegAsm.exeWerFault.exe

pid process

2044 RegAsm.exe
2044 RegAsm.exe
268 WerFault.exe
268 WerFault.exe
268 WerFault.exe
268 WerFault.exe

pid	process
692	DSFHJ7.EXE

pid	process
2044	RegAsm.exe
2044	RegAsm.exe
268	WerFault.exe
268	WerFault.exe
268	WerFault.exe
268	WerFault.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\DSFHJ7.EXE	upx
C:\Users\Admin\AppData\Roaming\DSFHJ7.EXE	upx
C:\Users\Admin\AppData\Roaming\DSFHJ7.EXE	upx
\Users\Admin\AppData\Roaming\DSFHJ7.EXE	upx
behavioral1/memory/692-76-0x000000013F480000-0x000000013F5DD000-memory.dmp	upx
\Users\Admin\AppData\Roaming\DSFHJ7.EXE	upx
\Users\Admin\AppData\Roaming\DSFHJ7.EXE	upx
\Users\Admin\AppData\Roaming\DSFHJ7.EXE	upx
\Users\Admin\AppData\Roaming\DSFHJ7.EXE	upx
behavioral1/memory/692-81-0x000000013F480000-0x000000013F5DD000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe

description	pid	process	target process
PID 2036 set thread context of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

268 692 WerFault.exe DSFHJ7.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe

pid process

2036 76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe

description pid process

Token: SeDebugPrivilege 2036 76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe

pid	pid_target	process	target process
268	692	WerFault.exe	DSFHJ7.EXE

pid	process
2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe

description	pid	process
Token: SeDebugPrivilege	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exeRegAsm.exeDSFHJ7.EXE

description	pid	process	target process
PID 2036 wrote to memory of 1468	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 1468	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 1468	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 1468	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 1468	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 1468	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 1468	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2036 wrote to memory of 2044	2036	76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe	RegAsm.exe
PID 2044 wrote to memory of 692	2044	RegAsm.exe	DSFHJ7.EXE
PID 2044 wrote to memory of 692	2044	RegAsm.exe	DSFHJ7.EXE
PID 2044 wrote to memory of 692	2044	RegAsm.exe	DSFHJ7.EXE
PID 2044 wrote to memory of 692	2044	RegAsm.exe	DSFHJ7.EXE
PID 692 wrote to memory of 268	692	DSFHJ7.EXE	WerFault.exe
PID 692 wrote to memory of 268	692	DSFHJ7.EXE	WerFault.exe
PID 692 wrote to memory of 268	692	DSFHJ7.EXE	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe
"C:\Users\Admin\AppData\Local\Temp\76a794c86b0f80ae8ec3461e05e0fb0fb219e57f7e85ebdae3cc10901a99791c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Roaming\DSFHJ7.EXE
"C:\Users\Admin\AppData\Roaming\DSFHJ7.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 692 -s 284
4⤵
- Loads dropped DLL
- Program crash
PID:268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DSFHJ7.EXE
Filesize
534KB

MD5
6abd3d438f8486a139bd53e83d33914f

SHA1
126b1a440a8bef3a10c697ea76f33709489380bc

SHA256
9c2271c16306e1a12d3c9f9b9ccbeeab9b16106f27187c35e33628c9911c09e1

SHA512
affff8f3611bb65e4e57731998e45de8a5edab731305b7a6c3f1b545d8369244320b4a3a7b93f108fea2cb60806eaa1e5c922407effad7cf95a4caf806b84950

Download Submit
C:\Users\Admin\AppData\Roaming\DSFHJ7.EXE
Filesize
534KB

MD5
6abd3d438f8486a139bd53e83d33914f

SHA1
126b1a440a8bef3a10c697ea76f33709489380bc

SHA256
9c2271c16306e1a12d3c9f9b9ccbeeab9b16106f27187c35e33628c9911c09e1

SHA512
affff8f3611bb65e4e57731998e45de8a5edab731305b7a6c3f1b545d8369244320b4a3a7b93f108fea2cb60806eaa1e5c922407effad7cf95a4caf806b84950

Download Submit
\Users\Admin\AppData\Roaming\DSFHJ7.EXE
Filesize
534KB

MD5
6abd3d438f8486a139bd53e83d33914f

SHA1
126b1a440a8bef3a10c697ea76f33709489380bc

SHA256
9c2271c16306e1a12d3c9f9b9ccbeeab9b16106f27187c35e33628c9911c09e1

SHA512
affff8f3611bb65e4e57731998e45de8a5edab731305b7a6c3f1b545d8369244320b4a3a7b93f108fea2cb60806eaa1e5c922407effad7cf95a4caf806b84950

Download Submit
\Users\Admin\AppData\Roaming\DSFHJ7.EXE
Filesize
534KB

MD5
6abd3d438f8486a139bd53e83d33914f

SHA1
126b1a440a8bef3a10c697ea76f33709489380bc

SHA256
9c2271c16306e1a12d3c9f9b9ccbeeab9b16106f27187c35e33628c9911c09e1

SHA512
affff8f3611bb65e4e57731998e45de8a5edab731305b7a6c3f1b545d8369244320b4a3a7b93f108fea2cb60806eaa1e5c922407effad7cf95a4caf806b84950

Download Submit
\Users\Admin\AppData\Roaming\DSFHJ7.EXE
Filesize
534KB

MD5
6abd3d438f8486a139bd53e83d33914f

SHA1
126b1a440a8bef3a10c697ea76f33709489380bc

SHA256
9c2271c16306e1a12d3c9f9b9ccbeeab9b16106f27187c35e33628c9911c09e1

SHA512
affff8f3611bb65e4e57731998e45de8a5edab731305b7a6c3f1b545d8369244320b4a3a7b93f108fea2cb60806eaa1e5c922407effad7cf95a4caf806b84950

Download Submit
\Users\Admin\AppData\Roaming\DSFHJ7.EXE
Filesize
534KB

MD5
6abd3d438f8486a139bd53e83d33914f

SHA1
126b1a440a8bef3a10c697ea76f33709489380bc

SHA256
9c2271c16306e1a12d3c9f9b9ccbeeab9b16106f27187c35e33628c9911c09e1

SHA512
affff8f3611bb65e4e57731998e45de8a5edab731305b7a6c3f1b545d8369244320b4a3a7b93f108fea2cb60806eaa1e5c922407effad7cf95a4caf806b84950

Download Submit
\Users\Admin\AppData\Roaming\DSFHJ7.EXE
Filesize
534KB

MD5
6abd3d438f8486a139bd53e83d33914f

SHA1
126b1a440a8bef3a10c697ea76f33709489380bc

SHA256
9c2271c16306e1a12d3c9f9b9ccbeeab9b16106f27187c35e33628c9911c09e1

SHA512
affff8f3611bb65e4e57731998e45de8a5edab731305b7a6c3f1b545d8369244320b4a3a7b93f108fea2cb60806eaa1e5c922407effad7cf95a4caf806b84950

Download Submit
\Users\Admin\AppData\Roaming\DSFHJ7.EXE
Filesize
534KB

MD5
6abd3d438f8486a139bd53e83d33914f

SHA1
126b1a440a8bef3a10c697ea76f33709489380bc

SHA256
9c2271c16306e1a12d3c9f9b9ccbeeab9b16106f27187c35e33628c9911c09e1

SHA512
affff8f3611bb65e4e57731998e45de8a5edab731305b7a6c3f1b545d8369244320b4a3a7b93f108fea2cb60806eaa1e5c922407effad7cf95a4caf806b84950

Download Submit
memory/692-76-0x000000013F480000-0x000000013F5DD000-memory.dmp

Filesize
1.4MB

Download
memory/692-81-0x000000013F480000-0x000000013F5DD000-memory.dmp

Filesize
1.4MB

Download
memory/2036-54-0x0000000000E90000-0x0000000000F32000-memory.dmp

Filesize
648KB

Download
memory/2044-64-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2044-62-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2044-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2044-75-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2044-58-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2044-60-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2044-59-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2044-57-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2044-56-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2044-55-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads