f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8

General

Target

f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
Size

17KB
MD5

c5d712f82d5d37bb284acd4468ab3533
SHA1

3426e8dcb104d9b01874498fb44c6e460228a9a0
SHA256

f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8
SHA512

be69319e023ccd23557edc3178a3b6775a771927a0e6d34f409b8d26cbe09fb27ff4bf92abdb0c344100404029b4e3f38963a0c27bd7a4ae35e5de2e779c6649

Score

5^/10

ransomware

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Kills process with taskkill 3 IoCs

evasion

pid	Process
4044	taskkill.exe
2680	taskkill.exe
1096	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 1544	3108	f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe	74
PID 3108 wrote to memory of 1544	3108	f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe	74
PID 1544 wrote to memory of 2844	1544	cmd.exe	76
PID 1544 wrote to memory of 2844	1544	cmd.exe	76
PID 2844 wrote to memory of 3084	2844	net.exe	77
PID 2844 wrote to memory of 3084	2844	net.exe	77
PID 1544 wrote to memory of 4024	1544	cmd.exe	79
PID 1544 wrote to memory of 4024	1544	cmd.exe	79
PID 4024 wrote to memory of 3388	4024	net.exe	80
PID 4024 wrote to memory of 3388	4024	net.exe	80
PID 1544 wrote to memory of 2644	1544	cmd.exe	81
PID 1544 wrote to memory of 2644	1544	cmd.exe	81
PID 1544 wrote to memory of 4020	1544	cmd.exe	82
PID 1544 wrote to memory of 4020	1544	cmd.exe	82
PID 1544 wrote to memory of 216	1544	cmd.exe	83
PID 1544 wrote to memory of 216	1544	cmd.exe	83
PID 1544 wrote to memory of 208	1544	cmd.exe	84
PID 1544 wrote to memory of 208	1544	cmd.exe	84
PID 1544 wrote to memory of 4044	1544	cmd.exe	85
PID 1544 wrote to memory of 4044	1544	cmd.exe	85
PID 1544 wrote to memory of 2680	1544	cmd.exe	87
PID 1544 wrote to memory of 2680	1544	cmd.exe	87
PID 1544 wrote to memory of 1096	1544	cmd.exe	88
PID 1544 wrote to memory of 1096	1544	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kill.bat" "C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\net.exe
    net stop BMR Boot Service /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:3084
- - C:\Windows\system32\net.exe
    net stop NetBackup BMR MTFTP Service /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:3388
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY start= disabled
    3⤵
    PID:2644
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:4020
- - C:\Windows\system32\sc.exe
    sc config SQLWriter start= disabled
    3⤵
    PID:216
- - C:\Windows\system32\sc.exe
    sc config SstpSvc start= disabled
    3⤵
    PID:208
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3108-3-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/3108-2-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing