c528680ef0513bfc735743cd09cf4c3bec0802a16bbf13f29c007a133afc1086

General

Target

8c04fcb936e6be3d9f302b0c4660c4ac.exe
Size

784KB
MD5

8c04fcb936e6be3d9f302b0c4660c4ac
SHA1

b8d83ff678f41aba3a77216a93e445a1fd407ff7
SHA256

c528680ef0513bfc735743cd09cf4c3bec0802a16bbf13f29c007a133afc1086
SHA512

9822a09a7f7ae51520ce632ca9c3745863f4aa2fcbf265ba921c0f3f3c5fed8502954b4f5e4e11d82eb533181b3a5c398a73e05796909d20cb0454ea0a2641ad

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1604 schtasks.exe

pid	process
1604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

8c04fcb936e6be3d9f302b0c4660c4ac.exe

pid	process
1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe
1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe
1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe
1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe
1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe
1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe
1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe
1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe
1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe
1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8c04fcb936e6be3d9f302b0c4660c4ac.exe

description pid process

Token: SeDebugPrivilege 1668 8c04fcb936e6be3d9f302b0c4660c4ac.exe

description	pid	process
Token: SeDebugPrivilege	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

8c04fcb936e6be3d9f302b0c4660c4ac.exe

C:\Users\Admin\AppData\Local\Temp\8c04fcb936e6be3d9f302b0c4660c4ac.exe
"C:\Users\Admin\AppData\Local\Temp\8c04fcb936e6be3d9f302b0c4660c4ac.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JxwXyvj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp563B.tmp"
2⤵
- Creates scheduled task(s)
PID:1604

C:\Users\Admin\AppData\Local\Temp\8c04fcb936e6be3d9f302b0c4660c4ac.exe
"C:\Users\Admin\AppData\Local\Temp\8c04fcb936e6be3d9f302b0c4660c4ac.exe"
2⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\8c04fcb936e6be3d9f302b0c4660c4ac.exe
"C:\Users\Admin\AppData\Local\Temp\8c04fcb936e6be3d9f302b0c4660c4ac.exe"
2⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\8c04fcb936e6be3d9f302b0c4660c4ac.exe
"C:\Users\Admin\AppData\Local\Temp\8c04fcb936e6be3d9f302b0c4660c4ac.exe"
2⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\8c04fcb936e6be3d9f302b0c4660c4ac.exe
"C:\Users\Admin\AppData\Local\Temp\8c04fcb936e6be3d9f302b0c4660c4ac.exe"
2⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\8c04fcb936e6be3d9f302b0c4660c4ac.exe
"C:\Users\Admin\AppData\Local\Temp\8c04fcb936e6be3d9f302b0c4660c4ac.exe"
2⤵
PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp563B.tmp

MD5
11b05949f3861d739978828da26c4990

SHA1
a81ebecade03b2af1d41b2c94b86d12cb1f3184a

SHA256
3320376b14bf894d4ae0ba7fd6c0b9d1bf3e43ff16fb13366566b7f3bc00e43f

SHA512
a3a7ea1263f555a5283d6edbe4bdcd767eeda7a33bd0395ab222da6e3fa74878abbaea594e76d184a6a6c4250ba404bef610667c8b75fae02a8a6f6596ec45dc

Download Submit
memory/1604-8-0x0000000000000000-mapping.dmp

Download
memory/1668-2-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1668-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1668-5-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/1668-6-0x0000000000390000-0x0000000000393000-memory.dmp

Filesize
12KB

Download
memory/1668-7-0x0000000004FE0000-0x000000000504B000-memory.dmp

Filesize
428KB

Download

description	pid	process	target process
PID 1668 wrote to memory of 1604	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	schtasks.exe
PID 1668 wrote to memory of 1604	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	schtasks.exe
PID 1668 wrote to memory of 1604	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	schtasks.exe
PID 1668 wrote to memory of 1604	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	schtasks.exe
PID 1668 wrote to memory of 1520	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 1520	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 1520	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 1520	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 1508	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 1508	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 1508	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 1508	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 1512	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 1512	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 1512	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 1512	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 324	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 324	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 324	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 324	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 296	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 296	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 296	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe
PID 1668 wrote to memory of 296	1668	8c04fcb936e6be3d9f302b0c4660c4ac.exe	8c04fcb936e6be3d9f302b0c4660c4ac.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads