6a156918ff4ace56113e28bfc878aab413d3021fc89f0e6dad59744ac25874fe

General

Target

4HwMTLRFvpnRf2a.exe
Size

2.2MB
MD5

ec835ba0c96c625b726e90871fa4408e
SHA1

f4f79d8c5d99dd6435f72bcf9c1d90aab96e47ab
SHA256

6a156918ff4ace56113e28bfc878aab413d3021fc89f0e6dad59744ac25874fe
SHA512

eb40160fc4e8911920e8f0537c38d665eaa644b3d48159e8143b0e6cae076ca3c81aab59c28e3440c052280d5664798db37399e4855a5c82649f0a4c8fd1ee6b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

780 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

4HwMTLRFvpnRf2a.exe

pid process

1040 4HwMTLRFvpnRf2a.exe
1040 4HwMTLRFvpnRf2a.exe
1040 4HwMTLRFvpnRf2a.exe
1040 4HwMTLRFvpnRf2a.exe
1040 4HwMTLRFvpnRf2a.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4HwMTLRFvpnRf2a.exe

description pid process

Token: SeDebugPrivilege 1040 4HwMTLRFvpnRf2a.exe

pid	process
780	schtasks.exe

pid	process
1040	4HwMTLRFvpnRf2a.exe
1040	4HwMTLRFvpnRf2a.exe
1040	4HwMTLRFvpnRf2a.exe
1040	4HwMTLRFvpnRf2a.exe
1040	4HwMTLRFvpnRf2a.exe

description	pid	process
Token: SeDebugPrivilege	1040	4HwMTLRFvpnRf2a.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

4HwMTLRFvpnRf2a.exe

description	pid	process	target process
PID 1040 wrote to memory of 780	1040	4HwMTLRFvpnRf2a.exe	schtasks.exe
PID 1040 wrote to memory of 780	1040	4HwMTLRFvpnRf2a.exe	schtasks.exe
PID 1040 wrote to memory of 780	1040	4HwMTLRFvpnRf2a.exe	schtasks.exe
PID 1040 wrote to memory of 780	1040	4HwMTLRFvpnRf2a.exe	schtasks.exe
PID 1040 wrote to memory of 1472	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1472	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1472	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1472	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 700	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 700	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 700	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 700	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1480	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1480	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1480	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1480	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1312	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1312	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1312	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1312	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1152	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1152	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1152	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe
PID 1040 wrote to memory of 1152	1040	4HwMTLRFvpnRf2a.exe	4HwMTLRFvpnRf2a.exe

C:\Users\Admin\AppData\Local\Temp\4HwMTLRFvpnRf2a.exe
"C:\Users\Admin\AppData\Local\Temp\4HwMTLRFvpnRf2a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UXnYcxbuH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96D3.tmp"
2⤵
- Creates scheduled task(s)
PID:780

C:\Users\Admin\AppData\Local\Temp\4HwMTLRFvpnRf2a.exe
"C:\Users\Admin\AppData\Local\Temp\4HwMTLRFvpnRf2a.exe"
2⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\4HwMTLRFvpnRf2a.exe
"C:\Users\Admin\AppData\Local\Temp\4HwMTLRFvpnRf2a.exe"
2⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\4HwMTLRFvpnRf2a.exe
"C:\Users\Admin\AppData\Local\Temp\4HwMTLRFvpnRf2a.exe"
2⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\4HwMTLRFvpnRf2a.exe
"C:\Users\Admin\AppData\Local\Temp\4HwMTLRFvpnRf2a.exe"
2⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\4HwMTLRFvpnRf2a.exe
"C:\Users\Admin\AppData\Local\Temp\4HwMTLRFvpnRf2a.exe"
2⤵
PID:1152

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp96D3.tmp
MD5
41a9bf8d52203f10b617ef62e4a582cc

SHA1
42d6bd2370aa813da0eb5fed5664de335e801e5b

SHA256
a61ddba7dfb71c62db282b6864d9452552ccf31e3116eed4d5dc886e6be40c88

SHA512
166333a5a902398d01e78b688e4e0c047c588b74ed7d6efca48dd8b9e789d6f2a0eb7264308422f6c0b12e0024eaa8180327f8b6821af00346ca35668f3b4b15

Download Submit
memory/780-65-0x0000000000000000-mapping.dmp

Download
memory/1040-59-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1040-61-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1040-62-0x00000000002B0000-0x00000000002BE000-memory.dmp

Filesize
56KB

Download
memory/1040-63-0x0000000005170000-0x00000000051EC000-memory.dmp

Filesize
496KB

Download
memory/1040-64-0x00000000049D0000-0x0000000004A0E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads