d8d40e68b4b4d5c40807b0d0a2f39906595803eec3b1becbb4419081fbf0efd0

General

Target

your-file_iFMs6qyg.exe
Size

4.7MB
MD5

e97d32814a26065eab7a2ec822333504
SHA1

a17b566e1e8124820954489e1e3ba3135f2017cc
SHA256

486bdb6d9d9697bed6d19b91b5b130e70aa02814d98062748ea46312f5a3e446
SHA512

18739d0e382a86db4ca9274884ea350259e04ffe104ca68db79d25b33a14896621194082c350196e0733dc6f64e2b7fce9283d89823a56a758006a102bf7f62d
SSDEEP

98304:XBdZ++DNoLX/xD8q6TbB8imPIpg/iMDC/mNTTgBOECkycN8YHDHjj88Q:xdzNy/xDxw8pPInMxNTUMFc+YHFQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

is-RHHVI.tmpIC331.exeIC331.exe

pid process

644 is-RHHVI.tmp
3960 IC331.exe
536 IC331.exe
Loads dropped DLL 1 IoCs

Processes:

is-RHHVI.tmp

pid process

644 is-RHHVI.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
644	is-RHHVI.tmp
3960	IC331.exe
536	IC331.exe

pid	process
644	is-RHHVI.tmp

Drops file in Program Files directory 38 IoCs

Processes:

is-RHHVI.tmp

description	ioc	process
File created	C:\Program Files (x86)\ImageComparer\languages\is-QE7KB.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-1H60E.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-ANURB.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\is-8TL9J.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-8HD8F.tmp	is-RHHVI.tmp
File opened for modification	C:\Program Files (x86)\ImageComparer\IC331.exe	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\is-QJVKQ.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-3FC2O.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-UGLES.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-QG6HB.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-UO8N2.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-TH9SP.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\is-VDI69.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\is-53QVT.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-O7GEN.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\is-PILT3.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-DAJIS.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-ONDMP.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-VIS63.tmp	is-RHHVI.tmp
File opened for modification	C:\Program Files (x86)\ImageComparer\ImageComparer.url	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\is-6HO4D.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-MC0PS.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-OBJBP.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-EKEDT.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-EAIRV.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-LE034.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-N9JKI.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-T15S6.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\is-8MIN8.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-PNMM3.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-LMP1U.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-7Q92A.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\languages\is-T8VDK.tmp	is-RHHVI.tmp
File opened for modification	C:\Program Files (x86)\ImageComparer\unins000.dat	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\is-NQAUR.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\is-F3OUF.tmp	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\unins000.dat	is-RHHVI.tmp
File created	C:\Program Files (x86)\ImageComparer\is-RBB4C.tmp	is-RHHVI.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 20 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2064	3960	WerFault.exe	IC331.exe
4744	3960	WerFault.exe	IC331.exe
4384	3960	WerFault.exe	IC331.exe
4528	3960	WerFault.exe	IC331.exe
1152	536	WerFault.exe	IC331.exe
3952	536	WerFault.exe	IC331.exe
3612	536	WerFault.exe	IC331.exe
4996	536	WerFault.exe	IC331.exe
4904	536	WerFault.exe	IC331.exe
2736	536	WerFault.exe	IC331.exe
4104	536	WerFault.exe	IC331.exe
4836	536	WerFault.exe	IC331.exe
728	536	WerFault.exe	IC331.exe
4556	536	WerFault.exe	IC331.exe
224	536	WerFault.exe	IC331.exe
1516	536	WerFault.exe	IC331.exe
3676	536	WerFault.exe	IC331.exe
2976	536	WerFault.exe	IC331.exe
784	536	WerFault.exe	IC331.exe
5056	536	WerFault.exe	IC331.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

IC331.exe

pid process

536 IC331.exe
536 IC331.exe

pid	process
536	IC331.exe
536	IC331.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

your-file_iFMs6qyg.exeis-RHHVI.tmpnet.exenet.exe

description	pid	process	target process
PID 1636 wrote to memory of 644	1636	your-file_iFMs6qyg.exe	is-RHHVI.tmp
PID 1636 wrote to memory of 644	1636	your-file_iFMs6qyg.exe	is-RHHVI.tmp
PID 1636 wrote to memory of 644	1636	your-file_iFMs6qyg.exe	is-RHHVI.tmp
PID 644 wrote to memory of 440	644	is-RHHVI.tmp	net.exe
PID 644 wrote to memory of 440	644	is-RHHVI.tmp	net.exe
PID 644 wrote to memory of 440	644	is-RHHVI.tmp	net.exe
PID 644 wrote to memory of 3960	644	is-RHHVI.tmp	IC331.exe
PID 644 wrote to memory of 3960	644	is-RHHVI.tmp	IC331.exe
PID 644 wrote to memory of 3960	644	is-RHHVI.tmp	IC331.exe
PID 440 wrote to memory of 2596	440	net.exe	net1.exe
PID 440 wrote to memory of 2596	440	net.exe	net1.exe
PID 440 wrote to memory of 2596	440	net.exe	net1.exe
PID 644 wrote to memory of 3900	644	is-RHHVI.tmp	net.exe
PID 644 wrote to memory of 3900	644	is-RHHVI.tmp	net.exe
PID 644 wrote to memory of 3900	644	is-RHHVI.tmp	net.exe
PID 644 wrote to memory of 536	644	is-RHHVI.tmp	IC331.exe
PID 644 wrote to memory of 536	644	is-RHHVI.tmp	IC331.exe
PID 644 wrote to memory of 536	644	is-RHHVI.tmp	IC331.exe
PID 3900 wrote to memory of 2244	3900	net.exe	net1.exe
PID 3900 wrote to memory of 2244	3900	net.exe	net1.exe
PID 3900 wrote to memory of 2244	3900	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\your-file_iFMs6qyg.exe
"C:\Users\Admin\AppData\Local\Temp\your-file_iFMs6qyg.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\is-CU5OC.tmp\is-RHHVI.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CU5OC.tmp\is-RHHVI.tmp" /SL4 $B0048 "C:\Users\Admin\AppData\Local\Temp\your-file_iFMs6qyg.exe" 4603888 53248
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 25
3⤵
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 25
4⤵
PID:2596

C:\Program Files (x86)\ImageComparer\IC331.exe
"C:\Program Files (x86)\ImageComparer\IC331.exe"
3⤵
- Executes dropped EXE
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 860
4⤵
- Program crash
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 860
4⤵
- Program crash
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 972
4⤵
- Program crash
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 140
4⤵
- Program crash
PID:4528

C:\Program Files (x86)\ImageComparer\IC331.exe
"C:\Program Files (x86)\ImageComparer\IC331.exe" 4ea1618a938237a268e5b8ef216deb23
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 852
4⤵
- Program crash
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 860
4⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 940
4⤵
- Program crash
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1048
4⤵
- Program crash
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1052
4⤵
- Program crash
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1168
4⤵
- Program crash
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1196
4⤵
- Program crash
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1280
4⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1304
4⤵
- Program crash
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1332
4⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 976
4⤵
- Program crash
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1468
4⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1432
4⤵
- Program crash
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1432
4⤵
- Program crash
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1468
4⤵
- Program crash
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1496
4⤵
- Program crash
PID:5056

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" pause ImageComparer331
3⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 pause ImageComparer331
4⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3960 -ip 3960
1⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3960 -ip 3960
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3960 -ip 3960
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3960 -ip 3960
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 536 -ip 536
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 536 -ip 536
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 536 -ip 536
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 536 -ip 536
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 536 -ip 536
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 536 -ip 536
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 536 -ip 536
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 536 -ip 536
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 536 -ip 536
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 536 -ip 536
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 536 -ip 536
1⤵
PID:324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 536 -ip 536
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 536 -ip 536
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 536 -ip 536
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 536 -ip 536
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 536 -ip 536
1⤵
PID:760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ImageComparer\IC331.exe
Filesize
5.3MB

MD5
8a9aace178239f11422abb517f2b70df

SHA1
a08ee03ab30754d41fa7a99a1e09089fc039ffaa

SHA256
2c9ef696103651ac708b5dc150cec492af0d651b5c3840877b4e47dcb5248db0

SHA512
eb5664c11685764778c97f848f41b036963bbd79d0ba4e31d0c0a1ec0041c2c85e5645d23fdf20760cdd11be21f1a33c16ab873a50d70e3bdc6a4028eaf53aec

Download Submit
C:\Program Files (x86)\ImageComparer\IC331.exe
Filesize
5.3MB

MD5
8a9aace178239f11422abb517f2b70df

SHA1
a08ee03ab30754d41fa7a99a1e09089fc039ffaa

SHA256
2c9ef696103651ac708b5dc150cec492af0d651b5c3840877b4e47dcb5248db0

SHA512
eb5664c11685764778c97f848f41b036963bbd79d0ba4e31d0c0a1ec0041c2c85e5645d23fdf20760cdd11be21f1a33c16ab873a50d70e3bdc6a4028eaf53aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CU5OC.tmp\is-RHHVI.tmp
Filesize
656KB

MD5
f27688e08d7e37a05550cb5f54638ceb

SHA1
c13ebc3e39b70f41462073a8521c390ab88b85d8

SHA256
d1e139d7b26cfe14880626639a10cab84b75f88dbd276d0d60cbd7bf6b97d068

SHA512
8007fb4d021c0f28cab0ea03233d89d8e956cc9055d1fcc18894af3f356c221c93247c7c112d1f39aa7bf763a9892c13b59a7d8a70df26122069cbb822b797ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CU5OC.tmp\is-RHHVI.tmp
Filesize
656KB

MD5
f27688e08d7e37a05550cb5f54638ceb

SHA1
c13ebc3e39b70f41462073a8521c390ab88b85d8

SHA256
d1e139d7b26cfe14880626639a10cab84b75f88dbd276d0d60cbd7bf6b97d068

SHA512
8007fb4d021c0f28cab0ea03233d89d8e956cc9055d1fcc18894af3f356c221c93247c7c112d1f39aa7bf763a9892c13b59a7d8a70df26122069cbb822b797ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T634I.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/536-231-0x0000000000400000-0x0000000001744000-memory.dmp

Filesize
19.3MB

Download
memory/536-241-0x0000000000400000-0x0000000001744000-memory.dmp

Filesize
19.3MB

Download
memory/536-238-0x0000000000400000-0x0000000001744000-memory.dmp

Filesize
19.3MB

Download
memory/536-237-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/536-234-0x0000000000400000-0x0000000001744000-memory.dmp

Filesize
19.3MB

Download
memory/536-232-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/644-148-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/644-233-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1636-230-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1636-133-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3960-226-0x0000000000400000-0x0000000001744000-memory.dmp

Filesize
19.3MB

Download
memory/3960-224-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/3960-223-0x0000000000400000-0x0000000001744000-memory.dmp

Filesize
19.3MB

Download
memory/3960-222-0x0000000000400000-0x0000000001744000-memory.dmp

Filesize
19.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads