d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095

Analysis

max time kernel
2s
max time network
38s
platform
windows7_x64
resource
win7v20210408
submitted
15-05-2021 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
Size

788KB
MD5

bf7a7748c4499a6d44c688ba37896a53
SHA1

45c68363fdb2eeae08c827307206f6f9fe7bf944
SHA256

d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095
SHA512

60089da79f1b8e72ce6e0ebcfc9fac7e3b1b82cc49b64be89556b4c89b4b117db95c158eb6126be2a3291a22cca5640ffe5f4710f0a3fab42ac40d8151ec4602

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 376	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	5
PID 1844 wrote to memory of 376	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	5
PID 1844 wrote to memory of 376	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	5
PID 1844 wrote to memory of 376	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	5
PID 1844 wrote to memory of 376	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	5
PID 1844 wrote to memory of 376	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	5
PID 1844 wrote to memory of 376	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	5
PID 1844 wrote to memory of 384	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	4
PID 1844 wrote to memory of 384	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	4
PID 1844 wrote to memory of 384	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	4
PID 1844 wrote to memory of 384	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	4
PID 1844 wrote to memory of 384	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	4
PID 1844 wrote to memory of 384	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	4
PID 1844 wrote to memory of 384	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	4
PID 1844 wrote to memory of 424	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	3
PID 1844 wrote to memory of 424	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	3
PID 1844 wrote to memory of 424	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	3
PID 1844 wrote to memory of 424	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	3
PID 1844 wrote to memory of 424	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	3
PID 1844 wrote to memory of 424	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	3
PID 1844 wrote to memory of 424	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	3
PID 1844 wrote to memory of 468	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	2
PID 1844 wrote to memory of 468	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	2
PID 1844 wrote to memory of 468	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	2
PID 1844 wrote to memory of 468	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	2
PID 1844 wrote to memory of 468	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	2
PID 1844 wrote to memory of 468	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	2
PID 1844 wrote to memory of 468	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	2
PID 1844 wrote to memory of 484	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	1
PID 1844 wrote to memory of 484	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	1
PID 1844 wrote to memory of 484	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	1
PID 1844 wrote to memory of 484	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	1
PID 1844 wrote to memory of 484	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	1
PID 1844 wrote to memory of 484	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	1
PID 1844 wrote to memory of 484	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	1
PID 1844 wrote to memory of 492	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	23
PID 1844 wrote to memory of 492	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	23
PID 1844 wrote to memory of 492	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	23
PID 1844 wrote to memory of 492	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	23
PID 1844 wrote to memory of 492	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	23
PID 1844 wrote to memory of 492	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	23
PID 1844 wrote to memory of 492	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	23
PID 1844 wrote to memory of 592	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	8
PID 1844 wrote to memory of 592	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	8
PID 1844 wrote to memory of 592	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	8
PID 1844 wrote to memory of 592	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	8
PID 1844 wrote to memory of 592	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	8
PID 1844 wrote to memory of 592	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	8
PID 1844 wrote to memory of 592	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	8
PID 1844 wrote to memory of 668	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	22
PID 1844 wrote to memory of 668	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	22
PID 1844 wrote to memory of 668	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	22
PID 1844 wrote to memory of 668	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	22
PID 1844 wrote to memory of 668	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	22
PID 1844 wrote to memory of 668	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	22
PID 1844 wrote to memory of 668	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	22
PID 1844 wrote to memory of 744	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	21
PID 1844 wrote to memory of 744	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	21
PID 1844 wrote to memory of 744	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	21
PID 1844 wrote to memory of 744	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	21
PID 1844 wrote to memory of 744	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	21
PID 1844 wrote to memory of 744	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	21
PID 1844 wrote to memory of 744	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	21
PID 1844 wrote to memory of 808	1844	d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe	20

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:484

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1140
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1056
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:652
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:284
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:876
- - C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    PID:2036
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:836
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:744
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:376
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:492

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe
  "C:\Users\Admin\AppData\Local\Temp\d21aef628fbb7f3ac19b13c3a10f838179798a2c442c26bf68fd444e9c5d3095.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1844

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1844-59-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download