377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e

Analysis

Target

6803ee8f500080b6a72a7e391bc4778e.exe
Size

384KB
MD5

6803ee8f500080b6a72a7e391bc4778e
SHA1

82119534bf1f452e9c98352577075073c671da59
SHA256

377030b4311c86adfdbab3a625400cfeae0288f71bb6a3530ed022a9ff87b04e
SHA512

9aee22f0c85862b03d9beebab042f84b2c5b7091181757b06404a3bf2dd4d67be72aff6a283d62897833e90f06a9b02dd396f54d64439b9b8110d643b4a44442

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3720 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 3720 taskkill.exe

pid	process
3720	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	3720	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6803ee8f500080b6a72a7e391bc4778e.execmd.exe

description	pid	process	target process
PID 3172 wrote to memory of 2292	3172	6803ee8f500080b6a72a7e391bc4778e.exe	cmd.exe
PID 3172 wrote to memory of 2292	3172	6803ee8f500080b6a72a7e391bc4778e.exe	cmd.exe
PID 3172 wrote to memory of 2292	3172	6803ee8f500080b6a72a7e391bc4778e.exe	cmd.exe
PID 2292 wrote to memory of 3720	2292	cmd.exe	taskkill.exe
PID 2292 wrote to memory of 3720	2292	cmd.exe	taskkill.exe
PID 2292 wrote to memory of 3720	2292	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\6803ee8f500080b6a72a7e391bc4778e.exe
"C:\Users\Admin\AppData\Local\Temp\6803ee8f500080b6a72a7e391bc4778e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "6803ee8f500080b6a72a7e391bc4778e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\6803ee8f500080b6a72a7e391bc4778e.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/2292-114-0x0000000000000000-mapping.dmp

Download
memory/3172-115-0x0000000002070000-0x000000000209F000-memory.dmp

Filesize
188KB

Download
memory/3172-116-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3720-117-0x0000000000000000-mapping.dmp

Download