8ade2070b8a527d59b2ab9c16de81449f368f286b7a826ee33f2182701cf7447

General

Target

77fa451708d26a3f3ed7f8e8cd448a5d.exe
Size

1.1MB
MD5

77fa451708d26a3f3ed7f8e8cd448a5d
SHA1

dbb910ce9121220c4baae79884ebfbf7ce86e632
SHA256

8ade2070b8a527d59b2ab9c16de81449f368f286b7a826ee33f2182701cf7447
SHA512

344e8b4d2544499882bab0d933777b0b4380cde8640288d0084989bbd42eb29093bb2f0a916b2585608197af17d7f817176c50433a16c396f0d31830e1aa95a1
SSDEEP

24576:lUXvfNa2/Bjq8y+DtBkRollGQdKnWYwP1Am6xoaF+0OHB4XY513Vd0ZkA:lq/B+8yiDllEQA+uy/hHBOY51ekA

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2364	rundll32.exe
7	2364	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
1684	f77eaad.exe

Loads dropped DLL 10 IoCs

pid	Process
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2404	1684	WerFault.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2364	2652	77fa451708d26a3f3ed7f8e8cd448a5d.exe	28
PID 2652 wrote to memory of 2364	2652	77fa451708d26a3f3ed7f8e8cd448a5d.exe	28
PID 2652 wrote to memory of 2364	2652	77fa451708d26a3f3ed7f8e8cd448a5d.exe	28
PID 2652 wrote to memory of 2364	2652	77fa451708d26a3f3ed7f8e8cd448a5d.exe	28
PID 2652 wrote to memory of 2364	2652	77fa451708d26a3f3ed7f8e8cd448a5d.exe	28
PID 2652 wrote to memory of 2364	2652	77fa451708d26a3f3ed7f8e8cd448a5d.exe	28
PID 2652 wrote to memory of 2364	2652	77fa451708d26a3f3ed7f8e8cd448a5d.exe	28
PID 2364 wrote to memory of 1684	2364	rundll32.exe	34
PID 2364 wrote to memory of 1684	2364	rundll32.exe	34
PID 2364 wrote to memory of 1684	2364	rundll32.exe	34
PID 2364 wrote to memory of 1684	2364	rundll32.exe	34
PID 1684 wrote to memory of 2404	1684	f77eaad.exe	33
PID 1684 wrote to memory of 2404	1684	f77eaad.exe	33
PID 1684 wrote to memory of 2404	1684	f77eaad.exe	33
PID 1684 wrote to memory of 2404	1684	f77eaad.exe	33

C:\Users\Admin\AppData\Local\Temp\77fa451708d26a3f3ed7f8e8cd448a5d.exe
"C:\Users\Admin\AppData\Local\Temp\77fa451708d26a3f3ed7f8e8cd448a5d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" .\JWSQ16.z sxsC
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\f77eaad.exe
    "C:\Users\Admin\AppData\Local\Temp\f77eaad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 532
1⤵
- Loads dropped DLL
- Program crash
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JWSQ16.z

Filesize
1.2MB

MD5
371f44551edf257371a2ab7e70ef9bfd

SHA1
6dad5ae9d0cca8bc9d2d8cb76e8cdd4d7384f375

SHA256
680264905bcd27b0629bfe6b506c1ba2f2239c94636900f9ddc22e34372cbde4

SHA512
0ef3c23108e16828f5fb7aee61bd32278d9ed8c0ff3330f51f713604948382745b75d014d807d82f484cde03989a3f97e7639983754006b8bae1ebb8074710b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f77eaad.exe

Filesize
21KB

MD5
858939a54a0406e5be7220b92b6eb2b3

SHA1
da24c0b6f723a74a8ec59e58c9c0aea3e86b7109

SHA256
a30f30a109cb78d5eb1969f6c13f01a1e0a5f07b7ad8b133f5d2616223c1ce0a

SHA512
8875d1e43ea59314695747796894a2f171e92f7b04024dbc529af1497331489e279cd06ea03061288089d2f07ad437178b9d62f0bae2e16ae0b95c5681569401

Download Submit
memory/1684-58-0x0000000072750000-0x0000000072E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-49-0x0000000072750000-0x0000000072E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-48-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2364-20-0x0000000003700000-0x00000000041FE000-memory.dmp

Filesize
11.0MB

Download
memory/2364-22-0x00000000042A0000-0x000000000432E000-memory.dmp

Filesize
568KB

Download
memory/2364-12-0x0000000003660000-0x00000000036FA000-memory.dmp

Filesize
616KB

Download
memory/2364-15-0x0000000003660000-0x00000000036FA000-memory.dmp

Filesize
616KB

Download
memory/2364-19-0x0000000003660000-0x00000000036FA000-memory.dmp

Filesize
616KB

Download
memory/2364-8-0x0000000000990000-0x0000000000ACE000-memory.dmp

Filesize
1.2MB

Download
memory/2364-21-0x0000000004200000-0x0000000004294000-memory.dmp

Filesize
592KB

Download
memory/2364-11-0x00000000035B0000-0x000000000365E000-memory.dmp

Filesize
696KB

Download
memory/2364-25-0x00000000042A0000-0x000000000432E000-memory.dmp

Filesize
568KB

Download
memory/2364-26-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/2364-27-0x00000000000A0000-0x00000000000A6000-memory.dmp

Filesize
24KB

Download
memory/2364-7-0x00000000024A0000-0x0000000002555000-memory.dmp

Filesize
724KB

Download
memory/2364-6-0x00000000023C0000-0x0000000002491000-memory.dmp

Filesize
836KB

Download
memory/2364-5-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2364-4-0x0000000000990000-0x0000000000ACE000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing