4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596

General

Target

4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Size

917KB
MD5

172580d9a126a781cc2aa5cc8a22ad21
SHA1

577bb13437762cd8a1b58991e352043d32f83dc5
SHA256

4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596
SHA512

f00c3900e9938c438981f5ae47dc9623fb0088b41f8353f3572e2da3f5c4d7d7eb074a0cd7d0e3c6b9c4c1185b6205c54fd9ffedc2219db202ea44f38f922bcf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1772 schtasks.exe

pid	process
1772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

pid	process
1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

description pid process

Token: SeDebugPrivilege 1396 4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

description	pid	process
Token: SeDebugPrivilege	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

C:\Users\Admin\AppData\Local\Temp\4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
"C:\Users\Admin\AppData\Local\Temp\4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BvFpflchD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32A4.tmp"
2⤵
- Creates scheduled task(s)
PID:1772

C:\Users\Admin\AppData\Local\Temp\4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
"{path}"
2⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
"{path}"
2⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
"{path}"
2⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
"{path}"
2⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
"{path}"
2⤵
PID:1320

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp32A4.tmp
MD5
6e3cd32bf5edba4a9b948cc948f6152d

SHA1
20fd4a2c07c9a10674c4e0c9b600b07fdcd1c8a3

SHA256
9121ae2df3981d167c1871612143c81b9877e87ca9c2f5d6ed8348e6e18ded29

SHA512
1f04372ed2bc4a551a358335ca771068d52ef5e4bf512faa9ee7069e5dc92e9f872afc7539eaebc9c334899457f1de714bec5fddbce019de0c76883b72726458

Download Submit
memory/1772-33-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1396 wrote to memory of 1772	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	schtasks.exe
PID 1396 wrote to memory of 1772	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	schtasks.exe
PID 1396 wrote to memory of 1772	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	schtasks.exe
PID 1396 wrote to memory of 1772	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	schtasks.exe
PID 1396 wrote to memory of 1252	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1252	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1252	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1252	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1160	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1160	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1160	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1160	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1220	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1220	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1220	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1220	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 268	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 268	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 268	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 268	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1320	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1320	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1320	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 1396 wrote to memory of 1320	1396	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads