Analysis
-
max time kernel
18s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
13-07-2021 08:02
General
-
Target
3b352f748c8f3829315700687daa73af.exe
-
Size
90KB
-
MD5
3b352f748c8f3829315700687daa73af
-
SHA1
4b394128d30734821dcd1fdf4c4a8b1e32d1617a
-
SHA256
ef131c0526ddab283ce5ffd35fe49678bc1c9065439faf06813f5c15a714b727
-
SHA512
3210a33fa272da62170c3d46a7dc45100dbe2459f301cc956845b36eb5d84dccfc6835987cf4e4ee43132265c67f1e9200699d6fb7fb09b4f51159c69106c6fa
Score
10/10
Malware Config
Signatures
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
Windows security modification 2 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b352f748c8f3829315700687daa73af.exe"C:\Users\Admin\AppData\Local\Temp\3b352f748c8f3829315700687daa73af.exe"1⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3b352f748c8f3829315700687daa73af.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\3b352f748c8f3829315700687daa73af.exe"C:\Users\Admin\AppData\Local\Temp\3b352f748c8f3829315700687daa73af.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/412-135-0x0000000007D00000-0x0000000007D01000-memory.dmpFilesize
4KB
-
memory/412-144-0x0000000008A50000-0x0000000008A83000-memory.dmpFilesize
204KB
-
memory/412-129-0x00000000074E0000-0x00000000074E1000-memory.dmpFilesize
4KB
-
memory/412-130-0x0000000007550000-0x0000000007551000-memory.dmpFilesize
4KB
-
memory/412-352-0x0000000008F20000-0x0000000008F21000-memory.dmpFilesize
4KB
-
memory/412-227-0x0000000000CE3000-0x0000000000CE4000-memory.dmpFilesize
4KB
-
memory/412-158-0x0000000008F70000-0x0000000008F71000-memory.dmpFilesize
4KB
-
memory/412-157-0x000000007EA70000-0x000000007EA71000-memory.dmpFilesize
4KB
-
memory/412-123-0x0000000000000000-mapping.dmp
-
memory/412-126-0x0000000000D70000-0x0000000000D71000-memory.dmpFilesize
4KB
-
memory/412-127-0x0000000006E40000-0x0000000006E41000-memory.dmpFilesize
4KB
-
memory/412-128-0x0000000006C10000-0x0000000006C11000-memory.dmpFilesize
4KB
-
memory/412-131-0x00000000076D0000-0x00000000076D1000-memory.dmpFilesize
4KB
-
memory/412-358-0x0000000008F10000-0x0000000008F11000-memory.dmpFilesize
4KB
-
memory/412-156-0x0000000008E20000-0x0000000008E21000-memory.dmpFilesize
4KB
-
memory/412-132-0x0000000000CE0000-0x0000000000CE1000-memory.dmpFilesize
4KB
-
memory/412-133-0x0000000000CE2000-0x0000000000CE3000-memory.dmpFilesize
4KB
-
memory/412-134-0x0000000007470000-0x0000000007471000-memory.dmpFilesize
4KB
-
memory/412-151-0x0000000008A30000-0x0000000008A31000-memory.dmpFilesize
4KB
-
memory/3984-116-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/3984-114-0x00000000006D0000-0x00000000006D1000-memory.dmpFilesize
4KB
-
memory/3984-117-0x0000000005080000-0x0000000005081000-memory.dmpFilesize
4KB
-
memory/3984-122-0x0000000005D10000-0x0000000005D11000-memory.dmpFilesize
4KB
-
memory/3984-121-0x0000000005BD0000-0x0000000005BD1000-memory.dmpFilesize
4KB
-
memory/3984-120-0x0000000005FD0000-0x0000000005FD1000-memory.dmpFilesize
4KB
-
memory/3984-119-0x0000000005A60000-0x0000000005AAF000-memory.dmpFilesize
316KB
-
memory/3984-118-0x0000000005A40000-0x0000000005A41000-memory.dmpFilesize
4KB