7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966

General

Target

2e0d574bf00170bb5a448510c2226408.exe
Size

1021KB
MD5

2e0d574bf00170bb5a448510c2226408
SHA1

05c599f0ffc3a7474a51ecbda9de51f8dce0ba62
SHA256

7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966
SHA512

7363d04e59ba5c2c1c5765d56e6656294847c3115e4caf37340d9b65fe3025bd26e113fedfca4661c69d9fb90b1021dfb81ba204289330f2782203b46c00c505

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exepowershell.exe

pid	process
1092	2e0d574bf00170bb5a448510c2226408.exe
1092	2e0d574bf00170bb5a448510c2226408.exe
1092	2e0d574bf00170bb5a448510c2226408.exe
1092	2e0d574bf00170bb5a448510c2226408.exe
1092	2e0d574bf00170bb5a448510c2226408.exe
1092	2e0d574bf00170bb5a448510c2226408.exe
1092	2e0d574bf00170bb5a448510c2226408.exe
872	powershell.exe
872	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1092 2e0d574bf00170bb5a448510c2226408.exe
Token: SeDebugPrivilege 872 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1092	2e0d574bf00170bb5a448510c2226408.exe
Token: SeDebugPrivilege	872	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exe

C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
2⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
2⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
2⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
2⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
2⤵
PID:340

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/872-70-0x0000000001E12000-0x0000000001E13000-memory.dmp

Filesize
4KB

Download
memory/872-88-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/872-105-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/872-72-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/872-71-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/872-65-0x0000000000000000-mapping.dmp

Download
memory/872-66-0x00000000757D1000-0x00000000757D3000-memory.dmp

Filesize
8KB

Download
memory/872-67-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/872-68-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/872-69-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/872-104-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/872-97-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/872-89-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/872-75-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/872-80-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/872-81-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/1092-61-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1092-63-0x0000000002180000-0x00000000021EE000-memory.dmp

Filesize
440KB

Download
memory/1092-64-0x00000000021F0000-0x0000000002227000-memory.dmp

Filesize
220KB

Download
memory/1092-62-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/1092-59-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 1092 wrote to memory of 872	1092	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 1092 wrote to memory of 872	1092	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 1092 wrote to memory of 872	1092	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 1092 wrote to memory of 872	1092	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 1092 wrote to memory of 532	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 532	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 532	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 532	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 680	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 680	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 680	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 680	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 824	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 824	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 824	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 824	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 1908	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 1908	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 1908	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 1908	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 340	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 340	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 340	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1092 wrote to memory of 340	1092	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe

Analysis

Sharing