9404ccfb00081ecfd0633d152b3597b9a6fda274e728864f322dfbcf11cc9156

Analysis

max time kernel
12s
max time network
117s
platform
windows10_x64
resource
win10v20210410
submitted
16-06-2021 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unpacked.exe
Size

981KB
MD5

3be5f51314d027e399eaa49cf271ece4
SHA1

5567d87efd6b29a793b54237737f370aa2e7707d
SHA256

9404ccfb00081ecfd0633d152b3597b9a6fda274e728864f322dfbcf11cc9156
SHA512

0f4689975b4d07b802bc5f62000ea94e78e8b662788ef860d1cae7c918b9b24707899b12d888840bbc8872350f943a4f594fe1a863a409f525dc465682f0e613

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

unpacked.exe

pid process

3188 unpacked.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

unpacked.exe

description pid process

Token: SeShutdownPrivilege 3188 unpacked.exe
Token: SeCreatePagefilePrivilege 3188 unpacked.exe

pid	process
3188	unpacked.exe

description	pid	process
Token: SeShutdownPrivilege	3188	unpacked.exe
Token: SeCreatePagefilePrivilege	3188	unpacked.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

unpacked.exe

description	pid	process	target process
PID 3188 wrote to memory of 2748	3188	unpacked.exe	cmd.exe
PID 3188 wrote to memory of 2748	3188	unpacked.exe	cmd.exe
PID 3188 wrote to memory of 2748	3188	unpacked.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\unpacked.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n5FoUwA6xhfQtMJS.bat" "
2⤵
PID:2748

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n5FoUwA6xhfQtMJS.bat
MD5
cfb906948a705b60bd7fb47fce45dc6f

SHA1
b23786ed22bcfca4d0f7ff4c5bf868f3760f8188

SHA256
dcb76f7bdef736e44fd41ecf2ba99649c22065d28d74023761e202161d0e68e0

SHA512
ae9a504061c2d4ae843603ca200479dc21d70847912ac15bc62c8ec7165bcaedda5a4ae4a8ce741bd813641e3340d9fc2070404aae890da3251fc1c1df0f53d8

Download Submit
memory/2748-114-0x0000000000000000-mapping.dmp

Download