7c951b9e67eecab3f17784c87cad4d4db86eff91a5c464535ac39beb333c1ded

General

Target

vaultFile12434153038098896463.exe
Size

87.1MB
MD5

0f14001e7b7c9a24c46296e25074b39a
SHA1

b10d1a303d0e9f481fd9bb675122c0dcd24f33d9
SHA256

3a3883dcdca19be0d1132e943682aece990494ce58e40d679b2a0b9cde481eff
SHA512

7ecd5aa169c3bc17f74b49951e201cf14cf115994b1e763cc02cf71080929696807bde45c583c355a41670a0a977a3078b251a1a783e6a5a3e458f49131119f1
SSDEEP

1572864:Dl7/l8tMEFBMv19JNKgUkoMm+q5s0fpbVMsINs03/OpZUuSASFe4bt6l4xnqKsm6:Dl7/zEcv19Jd/Dq5soVM5a0POpquSzFE

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4488	vaultFile12434153038098896463.tmp

Loads dropped DLL 6 IoCs

pid	Process
4488	vaultFile12434153038098896463.tmp
4488	vaultFile12434153038098896463.tmp
4488	vaultFile12434153038098896463.tmp
4488	vaultFile12434153038098896463.tmp
4488	vaultFile12434153038098896463.tmp
4488	vaultFile12434153038098896463.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2768	4488	WerFault.exe	85
1304	4488	WerFault.exe	85

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	vaultFile12434153038098896463.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4488	vaultFile12434153038098896463.tmp
4488	vaultFile12434153038098896463.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 4488	3068	vaultFile12434153038098896463.exe	85
PID 3068 wrote to memory of 4488	3068	vaultFile12434153038098896463.exe	85
PID 3068 wrote to memory of 4488	3068	vaultFile12434153038098896463.exe	85

C:\Users\Admin\AppData\Local\Temp\vaultFile12434153038098896463.exe
"C:\Users\Admin\AppData\Local\Temp\vaultFile12434153038098896463.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\is-2VL5M.tmp\vaultFile12434153038098896463.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2VL5M.tmp\vaultFile12434153038098896463.tmp" /SL5="$801E8,90456719,806400,C:\Users\Admin\AppData\Local\Temp\vaultFile12434153038098896463.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1680
    3⤵
    - Program crash
    PID:2768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 2284
    3⤵
    - Program crash
    PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4488 -ip 4488
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4488 -ip 4488
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-2VL5M.tmp\vaultFile12434153038098896463.tmp

Filesize
3.0MB

MD5
032a47886b37474c68e22c9c9fd2d1c3

SHA1
0d9311f561d96860f06a9d00d451ccf25006b4ec

SHA256
e35a3c699c57413fd079e35bca26665eae12344a2c0e1157a9626d244fcda127

SHA512
e86abbefda47701b09542f28d4e784a14b1e4fb70deaf368326892cdebecf41e5b778a9c4e8647a6d82ef64a1a75cb8636494194a1e0c4dad26d908bd1a74d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VER1N.tmp\HtmlInstaller.dll

Filesize
189KB

MD5
44d765266942c3504553a6531bf8463a

SHA1
40cbae17fde4c9dfe76495cde3b87abdeb4ce248

SHA256
0a961b983903269f0f1be0a26c66435c92c827e0b9d59f531db4de4dd0a06955

SHA512
7f64b95981a6dcaa5947e71a8f25a69ec0086d59ea446e921fa018b4529de15bc2d4f31183a978a55ae0cdf4fe79133cec541dffc15e02ed04a59501a15f9645

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VER1N.tmp\Networking.dll

Filesize
33KB

MD5
2b3aeef8e06946089cc268ad84b1d66e

SHA1
87c28686b7c81681a9f21946243fec4c9715022f

SHA256
259702b8a727488eab22d885edfdbffba715b8a608db1609f0136ca3d9fbd899

SHA512
b35120423e1dea0397ce316013f7838bf6c31e229ec933cc026e411b25b42704a01c7779145c0f7a25c4aa523af22fb40d56844cc767f828349ba72a40f4aeeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VER1N.tmp\html\index-clear.html

Filesize
4KB

MD5
b2dffed6951e5b72c050483a62f66f66

SHA1
52a5e7eeea957f96a5bb7a654f5dd5661784091f

SHA256
20047b963b358e6853012294d67ed6ef8e81d423635c8be51f462ad7e579a3a9

SHA512
f5993933bb36360578bc9cc544fce767c9e68b4d5d1384a3f57cdfd9dcb7b713e3dfc815f9498d36e1b93c6e2a7f9c063c4d5ef41f4ef6f3c0f6fe818851974f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VER1N.tmp\html\js\installer.js

Filesize
13KB

MD5
3246b9289398e5d3668129fd1f6aa5be

SHA1
b4ed4c02a2a83d7ab8dafa62f77bfc990d8924b0

SHA256
21338f7a6c7200113e6d2cb19577d223bd9886096ad27e91b7749036247dd117

SHA512
75b2f6fffbfa116df001c0f594ba82a814adbaf5707a875ad12af9e35da2c9f3397788fc267bc67cb9930dc13f247a5bec52ebfc1c48aafd8d50f177bfbf56d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VER1N.tmp\html\js\knockout.js

Filesize
66KB

MD5
052e3cbd4009f65055d36541ce9cc91d

SHA1
9dc0a7035afd04236b673389833b6c56affd64e2

SHA256
7eb9dab1c04d4abce6749ad9d94ddd0690e3c99c6890f979f07efe4775ee1eab

SHA512
5260ef11ba932c309c615caad7bb063f0a6d1d15376145ab1078c60a9dca375b2baf50bc741d31bd01c9b26c857f57eeb3266ae6ecf5e5a6c308e6c2c4739811

Download Submit
memory/3068-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3068-0-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3068-100-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4488-62-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/4488-70-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/4488-59-0x0000000007AB0000-0x0000000008054000-memory.dmp

Filesize
5.6MB

Download
memory/4488-60-0x0000000008260000-0x00000000082F2000-memory.dmp

Filesize
584KB

Download
memory/4488-61-0x0000000008340000-0x000000000834A000-memory.dmp

Filesize
40KB

Download
memory/4488-58-0x0000000074000000-0x0000000074038000-memory.dmp

Filesize
224KB

Download
memory/4488-66-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/4488-64-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/4488-69-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/4488-57-0x0000000006500000-0x0000000006538000-memory.dmp

Filesize
224KB

Download
memory/4488-67-0x0000000002480000-0x00000000025C0000-memory.dmp

Filesize
1.2MB

Download
memory/4488-68-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/4488-65-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/4488-63-0x00000000037C0000-0x0000000003900000-memory.dmp

Filesize
1.2MB

Download
memory/4488-31-0x0000000073F00000-0x0000000073F10000-memory.dmp

Filesize
64KB

Download
memory/4488-87-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/4488-30-0x00000000041E0000-0x00000000041F0000-memory.dmp

Filesize
64KB

Download
memory/4488-26-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/4488-99-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download
memory/4488-6-0x0000000000400000-0x000000000070D000-memory.dmp

Filesize
3.1MB

Download

Resubmissions

Analysis

Sharing