59fc44577bd89c7f6ae86b0b13e7e19c4d17612b4d5696e6c70d2e88d5d8115e

General

Target

proof of payment.scr.exe
Size

873KB
MD5

693fc4eb901d82a09678e506960fd24d
SHA1

8fcfb6ea44062af4557b2820591f75126b5edf81
SHA256

59fc44577bd89c7f6ae86b0b13e7e19c4d17612b4d5696e6c70d2e88d5d8115e
SHA512

0c076cf5b30edb1c8f51c11e52778cd20eaf88736467e1c0f401b48154ae54ed31433efa898c0be883bab6a9ed435540d16974858eb691410787f787870d464a

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

836 schtasks.exe

pid	process
836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

proof of payment.scr.exe

pid	process
1672	proof of payment.scr.exe
1672	proof of payment.scr.exe
1672	proof of payment.scr.exe
1672	proof of payment.scr.exe
1672	proof of payment.scr.exe
1672	proof of payment.scr.exe
1672	proof of payment.scr.exe
1672	proof of payment.scr.exe
1672	proof of payment.scr.exe
1672	proof of payment.scr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

proof of payment.scr.exe

description pid process

Token: SeDebugPrivilege 1672 proof of payment.scr.exe

description	pid	process
Token: SeDebugPrivilege	1672	proof of payment.scr.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

proof of payment.scr.exe

description	pid	process	target process
PID 1672 wrote to memory of 836	1672	proof of payment.scr.exe	schtasks.exe
PID 1672 wrote to memory of 836	1672	proof of payment.scr.exe	schtasks.exe
PID 1672 wrote to memory of 836	1672	proof of payment.scr.exe	schtasks.exe
PID 1672 wrote to memory of 836	1672	proof of payment.scr.exe	schtasks.exe
PID 1672 wrote to memory of 412	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 412	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 412	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 412	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 332	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 332	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 332	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 332	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 1008	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 1008	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 1008	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 1008	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 1392	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 1392	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 1392	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 1392	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 576	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 576	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 576	1672	proof of payment.scr.exe	proof of payment.scr.exe
PID 1672 wrote to memory of 576	1672	proof of payment.scr.exe	proof of payment.scr.exe

C:\Users\Admin\AppData\Local\Temp\proof of payment.scr.exe
"C:\Users\Admin\AppData\Local\Temp\proof of payment.scr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emYsBrAgw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C70.tmp"
2⤵
- Creates scheduled task(s)
PID:836

C:\Users\Admin\AppData\Local\Temp\proof of payment.scr.exe
"{path}"
2⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\proof of payment.scr.exe
"{path}"
2⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\proof of payment.scr.exe
"{path}"
2⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\proof of payment.scr.exe
"{path}"
2⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\proof of payment.scr.exe
"{path}"
2⤵
PID:576

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7C70.tmp
MD5
a6ce7ab2fd6a5a115935d6195d950644

SHA1
736f92314d097686d6d15e3c09f563999ceda315

SHA256
dbf18af809b0f75e0080ba00c40211d826b1a2d32fa86afc94154c812fa46a9f

SHA512
546798bff0fa9c4c72e909e75f1f9634e4e44321889cf302a296032a064b98d54d32467e3c39b9f32f080443152f2edb1db5547c67241630ca45f320d8e1908f

Download Submit
memory/836-66-0x0000000000000000-mapping.dmp

Download
memory/1672-60-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1672-62-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1672-63-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1672-64-0x0000000005840000-0x00000000058F7000-memory.dmp

Filesize
732KB

Download
memory/1672-65-0x0000000005150000-0x00000000051BB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads