f3ccd6ebcd9c34379b314386bb05060e17f8fffd4795081b46830e3832590900

Analysis

max time kernel
15s
max time network
124s
platform
windows10_x64
resource
win10v20210410
submitted
05-06-2021 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Автономная Установка.exe
Size

6KB
MD5

6ea57e7f9246d44f91fd33c08a68c4a5
SHA1

8c0998c1c3b4fd419c24d9f951e8a7cf0a09b6cf
SHA256

9db749b9a3a2790b136548a7fdbada5e45428db659a95a05e13691fbb467e605
SHA512

d81902bddb500417cef1a1dbde64fbc060a66898e8b11de8a38acdb95b31058c8c2092d0a6d7d4c3a981f701e7fce4ef077b6d61bc59bd2b52ae4b8a47e3151f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3992	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3368	Автономная Установка.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 3260	3368	Автономная Установка.exe	76
PID 3368 wrote to memory of 3260	3368	Автономная Установка.exe	76
PID 3368 wrote to memory of 3260	3368	Автономная Установка.exe	76
PID 3260 wrote to memory of 200	3260	cmd.exe	78
PID 3260 wrote to memory of 200	3260	cmd.exe	78
PID 3260 wrote to memory of 200	3260	cmd.exe	78
PID 3260 wrote to memory of 3992	3260	cmd.exe	81
PID 3260 wrote to memory of 3992	3260	cmd.exe	81
PID 3260 wrote to memory of 3992	3260	cmd.exe	81

C:\Users\Admin\AppData\Local\Temp\Автономная Установка.exe
"C:\Users\Admin\AppData\Local\Temp\Автономная Установка.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Автономная Установка.exe" & schtasks /create /tn \ljqtue1y\csgi01ws /tr C:\Users\Admin\AppData\Roaming\svchost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \ljqtue1y\csgi01ws /tr C:\Users\Admin\AppData\Roaming\svchost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:3992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3368-114-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3368-116-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/3368-117-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads