e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d

General

Target

e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
Size

66KB
MD5

bd38a4e4d4c0903e094e4742c345d737
SHA1

40a89d66f0a2a6033ebfc25d03913dfca5e09dd4
SHA256

e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d
SHA512

5887f859e2ceda10dfd2f58997fa1920fb24f8ebaad3b29a79e8628b32cb251beaaaa924781eba604984b40dcce290d7302498aae932b19e02ab36aca24087c1

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

pkghost.exe

pid process

2560 pkghost.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
2560	pkghost.exe

Drops file in Windows directory 3 IoCs

Processes:

e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exeattrib.exe

description	ioc	process
File created	C:\Windows\Debug\pkghost.exe	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
File opened for modification	C:\Windows\Debug\pkghost.exe	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
File opened for modification	C:\Windows\Debug\pkghost.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe

description pid process

Token: SeIncBasePriorityPrivilege 424 e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	424	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe

description	pid	process	target process
PID 424 wrote to memory of 2480	424	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	attrib.exe
PID 424 wrote to memory of 2480	424	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	attrib.exe
PID 424 wrote to memory of 2480	424	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	attrib.exe
PID 424 wrote to memory of 804	424	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	cmd.exe
PID 424 wrote to memory of 804	424	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	cmd.exe
PID 424 wrote to memory of 804	424	e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2480 attrib.exe

pid	process
2480	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
"C:\Users\Admin\AppData\Local\Temp\e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:424

C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\pkghost.exe
2⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E20E72~1.EXE > nul
2⤵
PID:804

C:\Windows\Debug\pkghost.exe
C:\Windows\Debug\pkghost.exe
1⤵
- Executes dropped EXE
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\pkghost.exe
MD5
a7478a65203f0509b92de196cfd0578d

SHA1
0bfe613c44609cafb929e8877413d93fb2efe8e0

SHA256
ab8326179b716198f38da4451a31ba8c04ccb4509394da4f30304c8123865695

SHA512
fa08caa2cb4dd36bfe8e66292ebfb6b08cf9d25c1f43d3dce9842defc99771d98bf9019b5b5f4d7b4edfb695bb0332af7c8ad9fbbf0b1e41b3f4394885057b6b

Download Submit
C:\Windows\debug\pkghost.exe
MD5
a7478a65203f0509b92de196cfd0578d

SHA1
0bfe613c44609cafb929e8877413d93fb2efe8e0

SHA256
ab8326179b716198f38da4451a31ba8c04ccb4509394da4f30304c8123865695

SHA512
fa08caa2cb4dd36bfe8e66292ebfb6b08cf9d25c1f43d3dce9842defc99771d98bf9019b5b5f4d7b4edfb695bb0332af7c8ad9fbbf0b1e41b3f4394885057b6b

Download Submit
memory/804-117-0x0000000000000000-mapping.dmp

Download
memory/2480-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing