1252078421caf8c3415891ca9012a285c509a1b952b56cc84d163000155def0a

General

Target

Product Range #2828915.exe
Size

648KB
MD5

a38866790c8c35700168dcbf70c451a4
SHA1

1c465c58bafc50427e4facab66bbbbc576dfee0e
SHA256

1252078421caf8c3415891ca9012a285c509a1b952b56cc84d163000155def0a
SHA512

99af98c49bdbf2bbbe040f79e3cbd7e837478ec98a11e34a9e2c38580620f4327eb6025174ec593ae1bfd59c31f1ef01145d3ada8e2e1cd68401d850757feaeb

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1084 schtasks.exe

pid	process
1084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Product Range #2828915.exe

pid	process
2020	Product Range #2828915.exe
2020	Product Range #2828915.exe
2020	Product Range #2828915.exe
2020	Product Range #2828915.exe
2020	Product Range #2828915.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Product Range #2828915.exe

description pid process

Token: SeDebugPrivilege 2020 Product Range #2828915.exe

description	pid	process
Token: SeDebugPrivilege	2020	Product Range #2828915.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Product Range #2828915.exe

description	pid	process	target process
PID 2020 wrote to memory of 1084	2020	Product Range #2828915.exe	schtasks.exe
PID 2020 wrote to memory of 1084	2020	Product Range #2828915.exe	schtasks.exe
PID 2020 wrote to memory of 1084	2020	Product Range #2828915.exe	schtasks.exe
PID 2020 wrote to memory of 1084	2020	Product Range #2828915.exe	schtasks.exe
PID 2020 wrote to memory of 924	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 924	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 924	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 924	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 640	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 640	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 640	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 640	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 1156	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 1156	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 1156	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 1156	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 544	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 544	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 544	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 544	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 1964	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 1964	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 1964	2020	Product Range #2828915.exe	Product Range #2828915.exe
PID 2020 wrote to memory of 1964	2020	Product Range #2828915.exe	Product Range #2828915.exe

C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe
"C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pecnQZLi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE5DC.tmp"
2⤵
- Creates scheduled task(s)
PID:1084

C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe
"C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe"
2⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe
"C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe"
2⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe
"C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe"
2⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe
"C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe"
2⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe
"C:\Users\Admin\AppData\Local\Temp\Product Range #2828915.exe"
2⤵
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE5DC.tmp
MD5
3b5b6099ff32b77222d725a441b7df39

SHA1
9ca57c44a5759057d6a1401e9de64e494b9d762b

SHA256
81afc7604df06bcf82de37ce1588341b373fa0d66afa3a61880a017337e71099

SHA512
a772a940ccc066964ce754810c43cb94f85aca756848cfaec622fcce23d7808e8cab7755a14288e364fabbae99f1054316d270b3a039167bba3a22da479f8f54

Download Submit
memory/1084-66-0x0000000000000000-mapping.dmp

Download
memory/2020-60-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2020-62-0x0000000000490000-0x0000000000494000-memory.dmp

Filesize
16KB

Download
memory/2020-63-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2020-64-0x0000000005160000-0x00000000051DE000-memory.dmp

Filesize
504KB

Download
memory/2020-65-0x0000000000750000-0x0000000000791000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads