9404ccfb00081ecfd0633d152b3597b9a6fda274e728864f322dfbcf11cc9156

Analysis

Target

unpacked.exe
Size

981KB
MD5

3be5f51314d027e399eaa49cf271ece4
SHA1

5567d87efd6b29a793b54237737f370aa2e7707d
SHA256

9404ccfb00081ecfd0633d152b3597b9a6fda274e728864f322dfbcf11cc9156
SHA512

0f4689975b4d07b802bc5f62000ea94e78e8b662788ef860d1cae7c918b9b24707899b12d888840bbc8872350f943a4f594fe1a863a409f525dc465682f0e613

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

Processes:

unpacked.exe

pid	Process
3188	unpacked.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

unpacked.exe

description	pid	Process
Token: SeShutdownPrivilege	3188	unpacked.exe
Token: SeCreatePagefilePrivilege	3188	unpacked.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

unpacked.exe

description	pid	Process	procid_target
PID 3188 wrote to memory of 2748	3188	unpacked.exe	78
PID 3188 wrote to memory of 2748	3188	unpacked.exe	78
PID 3188 wrote to memory of 2748	3188	unpacked.exe	78

C:\Users\Admin\AppData\Local\Temp\unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\unpacked.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n5FoUwA6xhfQtMJS.bat" "
  2⤵
  PID:2748

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\n5FoUwA6xhfQtMJS.bat

MD5
cfb906948a705b60bd7fb47fce45dc6f

SHA1
b23786ed22bcfca4d0f7ff4c5bf868f3760f8188

SHA256
dcb76f7bdef736e44fd41ecf2ba99649c22065d28d74023761e202161d0e68e0

SHA512
ae9a504061c2d4ae843603ca200479dc21d70847912ac15bc62c8ec7165bcaedda5a4ae4a8ce741bd813641e3340d9fc2070404aae890da3251fc1c1df0f53d8

Download Submit
memory/2748-114-0x0000000000000000-mapping.dmp

Download