ffb3be6dd62f3dff6a879c8c3517e29cc6def1d675553efa45d40897295ec862

Analysis

Target

dfaeb668b7033674dc2743ef5f891b45.exe
Size

365KB
MD5

dfaeb668b7033674dc2743ef5f891b45
SHA1

9a1457c856d4f11a751a70b33294e297e7a24d60
SHA256

ffb3be6dd62f3dff6a879c8c3517e29cc6def1d675553efa45d40897295ec862
SHA512

1a2472ec076036c40e007d3572ad7db556e98a77f65108152b6ada6c3edef672adb5dacfe8c779f12582e9905ff887dd7a8df6b1a40fb2ca9619f39ac11a8415

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1968	dfaeb668b7033674dc2743ef5f891b45.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1968	dfaeb668b7033674dc2743ef5f891b45.exe
Token: SeCreatePagefilePrivilege	1968	dfaeb668b7033674dc2743ef5f891b45.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3952	1968	dfaeb668b7033674dc2743ef5f891b45.exe	78
PID 1968 wrote to memory of 3952	1968	dfaeb668b7033674dc2743ef5f891b45.exe	78
PID 1968 wrote to memory of 3952	1968	dfaeb668b7033674dc2743ef5f891b45.exe	78

C:\Users\Admin\AppData\Local\Temp\dfaeb668b7033674dc2743ef5f891b45.exe
"C:\Users\Admin\AppData\Local\Temp\dfaeb668b7033674dc2743ef5f891b45.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h78CuQAV1smuIpyb.bat" "
  2⤵
  PID:3952

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact