377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e

Analysis

Target

6803ee8f500080b6a72a7e391bc4778e.exe
Size

384KB
MD5

6803ee8f500080b6a72a7e391bc4778e
SHA1

82119534bf1f452e9c98352577075073c671da59
SHA256

377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e
SHA512

9aee22f0c85862b03d9beebab042f84b2c5b7091181757b06404a3bf2dd4d67be72aff6a283d62897833e90f06a9b02dd396f54d64439b9b8110d643b4a44442

Score

7^/10

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

324 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1056 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1056 taskkill.exe

pid	process
324	cmd.exe

pid	process
1056	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1056	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6803ee8f500080b6a72a7e391bc4778e.execmd.exe

description	pid	process	target process
PID 1980 wrote to memory of 324	1980	6803ee8f500080b6a72a7e391bc4778e.exe	cmd.exe
PID 1980 wrote to memory of 324	1980	6803ee8f500080b6a72a7e391bc4778e.exe	cmd.exe
PID 1980 wrote to memory of 324	1980	6803ee8f500080b6a72a7e391bc4778e.exe	cmd.exe
PID 1980 wrote to memory of 324	1980	6803ee8f500080b6a72a7e391bc4778e.exe	cmd.exe
PID 324 wrote to memory of 1056	324	cmd.exe	taskkill.exe
PID 324 wrote to memory of 1056	324	cmd.exe	taskkill.exe
PID 324 wrote to memory of 1056	324	cmd.exe	taskkill.exe
PID 324 wrote to memory of 1056	324	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\6803ee8f500080b6a72a7e391bc4778e.exe
"C:\Users\Admin\AppData\Local\Temp\6803ee8f500080b6a72a7e391bc4778e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/324-62-0x0000000000000000-mapping.dmp

Download
memory/1056-63-0x0000000000000000-mapping.dmp

Download
memory/1980-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1980-60-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1980-61-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download