b916cd21d5759f9c2e98aed2297b0d2f0201f8390347856b37e493e808132153

General

Target

541bb6e026f837faa2b64b31b0a2ec0c.exe
Size

814KB
MD5

541bb6e026f837faa2b64b31b0a2ec0c
SHA1

1cd6d3ceae4177bba8add5ef473b80edb6bc55d3
SHA256

b916cd21d5759f9c2e98aed2297b0d2f0201f8390347856b37e493e808132153
SHA512

2c880847e2fbf0f221eeae08c8997ad9b36c8f32e00d93ca3fdf9283bf895160378f3839770643353bb2fdccf7a529f02040881efef7d5cb2b91732c66ccede9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1536 schtasks.exe

pid	process
1536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

541bb6e026f837faa2b64b31b0a2ec0c.exe

pid	process
736	541bb6e026f837faa2b64b31b0a2ec0c.exe
736	541bb6e026f837faa2b64b31b0a2ec0c.exe
736	541bb6e026f837faa2b64b31b0a2ec0c.exe
736	541bb6e026f837faa2b64b31b0a2ec0c.exe
736	541bb6e026f837faa2b64b31b0a2ec0c.exe
736	541bb6e026f837faa2b64b31b0a2ec0c.exe
736	541bb6e026f837faa2b64b31b0a2ec0c.exe
736	541bb6e026f837faa2b64b31b0a2ec0c.exe
736	541bb6e026f837faa2b64b31b0a2ec0c.exe
736	541bb6e026f837faa2b64b31b0a2ec0c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

541bb6e026f837faa2b64b31b0a2ec0c.exe

description pid process

Token: SeDebugPrivilege 736 541bb6e026f837faa2b64b31b0a2ec0c.exe

description	pid	process
Token: SeDebugPrivilege	736	541bb6e026f837faa2b64b31b0a2ec0c.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

541bb6e026f837faa2b64b31b0a2ec0c.exe

C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe
"C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dNmETqTEL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4395.tmp"
2⤵
- Creates scheduled task(s)
PID:1536

C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe
"C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe"
2⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe
"C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe"
2⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe
"C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe"
2⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe
"C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe"
2⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe
"C:\Users\Admin\AppData\Local\Temp\541bb6e026f837faa2b64b31b0a2ec0c.exe"
2⤵
PID:1112

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4395.tmp
MD5
d8dbc0039cb06a6b705ea5a3c56cff5c

SHA1
a520fa24c43edeba6c3ab55d5efc71cb5e75fa4b

SHA256
d83ee109ef8cc610c5e49a90f307e9d25c4f77cedabc2ce4f50ec749cd129bed

SHA512
0dec0ac93d94f4b72bc5b564e7ca6857bf04dbf102a6dd0e9884ebdd31491333abcd195021910f1e26ddd9797ecd01c95cf9c68e89ebf9be569cef9772e31645

Download Submit
memory/736-60-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/736-62-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/736-63-0x00000000005B0000-0x00000000005CB000-memory.dmp

Filesize
108KB

Download
memory/736-64-0x0000000007F60000-0x0000000007FC4000-memory.dmp

Filesize
400KB

Download
memory/736-65-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/1536-66-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 736 wrote to memory of 1536	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	schtasks.exe
PID 736 wrote to memory of 1536	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	schtasks.exe
PID 736 wrote to memory of 1536	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	schtasks.exe
PID 736 wrote to memory of 1536	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	schtasks.exe
PID 736 wrote to memory of 1148	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 1148	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 1148	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 1148	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 904	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 904	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 904	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 904	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 456	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 456	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 456	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 456	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 1460	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 1460	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 1460	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 1460	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 1112	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 1112	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 1112	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe
PID 736 wrote to memory of 1112	736	541bb6e026f837faa2b64b31b0a2ec0c.exe	541bb6e026f837faa2b64b31b0a2ec0c.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads