76938d4e2c8778bce2177462dd2875d041e69e43036c0b8e3c2f8b6e650232dd

General

Target

d07003cbc330579112e9ed1bffc1905b.exe
Size

641KB
MD5

d07003cbc330579112e9ed1bffc1905b
SHA1

fb68a99eeb0f33366398b2dbc499a0e74b64d584
SHA256

76938d4e2c8778bce2177462dd2875d041e69e43036c0b8e3c2f8b6e650232dd
SHA512

dfa6414a6d48dd0ecff853cb730301f21c99efb9b77746f4da4f755e5f326f755f97a5a3652399e2dc3aa739b62444974a7be7079a544fe9eb5c8b9babaeb649

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

432 schtasks.exe

pid	process
432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

d07003cbc330579112e9ed1bffc1905b.exe

pid	process
1756	d07003cbc330579112e9ed1bffc1905b.exe
1756	d07003cbc330579112e9ed1bffc1905b.exe
1756	d07003cbc330579112e9ed1bffc1905b.exe
1756	d07003cbc330579112e9ed1bffc1905b.exe
1756	d07003cbc330579112e9ed1bffc1905b.exe
1756	d07003cbc330579112e9ed1bffc1905b.exe
1756	d07003cbc330579112e9ed1bffc1905b.exe
1756	d07003cbc330579112e9ed1bffc1905b.exe
1756	d07003cbc330579112e9ed1bffc1905b.exe
1756	d07003cbc330579112e9ed1bffc1905b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d07003cbc330579112e9ed1bffc1905b.exe

description pid process

Token: SeDebugPrivilege 1756 d07003cbc330579112e9ed1bffc1905b.exe

description	pid	process
Token: SeDebugPrivilege	1756	d07003cbc330579112e9ed1bffc1905b.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

d07003cbc330579112e9ed1bffc1905b.exe

C:\Users\Admin\AppData\Local\Temp\d07003cbc330579112e9ed1bffc1905b.exe
"C:\Users\Admin\AppData\Local\Temp\d07003cbc330579112e9ed1bffc1905b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GBhgDENmNLJQb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F4B.tmp"
2⤵
- Creates scheduled task(s)
PID:432

C:\Users\Admin\AppData\Local\Temp\d07003cbc330579112e9ed1bffc1905b.exe
"{path}"
2⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\d07003cbc330579112e9ed1bffc1905b.exe
"{path}"
2⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\d07003cbc330579112e9ed1bffc1905b.exe
"{path}"
2⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\d07003cbc330579112e9ed1bffc1905b.exe
"{path}"
2⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\d07003cbc330579112e9ed1bffc1905b.exe
"{path}"
2⤵
PID:840

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9F4B.tmp
MD5
a804f2ec364289c88be387ab3aa0478a

SHA1
b6dc81f584dab1bba94320cf6e9961209d529b77

SHA256
b9d188287b5ec9eb9007d87d3ee1486df39ad8ab9fe7e2bbfec81fef9f44313a

SHA512
cf87089999ab9562be0f75f8712772acf798400e8605f5fa8764d81e6356bfaff9e8160599ac1f1a7f6ffcf971b146f7850798446355d8d8537c3fc8d511fdd7

Download Submit
memory/432-66-0x0000000000000000-mapping.dmp

Download
memory/1756-60-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1756-62-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/1756-63-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/1756-64-0x0000000005110000-0x0000000005191000-memory.dmp

Filesize
516KB

Download
memory/1756-65-0x0000000004110000-0x000000000414E000-memory.dmp

Filesize
248KB

Download

description	pid	process	target process
PID 1756 wrote to memory of 432	1756	d07003cbc330579112e9ed1bffc1905b.exe	schtasks.exe
PID 1756 wrote to memory of 432	1756	d07003cbc330579112e9ed1bffc1905b.exe	schtasks.exe
PID 1756 wrote to memory of 432	1756	d07003cbc330579112e9ed1bffc1905b.exe	schtasks.exe
PID 1756 wrote to memory of 432	1756	d07003cbc330579112e9ed1bffc1905b.exe	schtasks.exe
PID 1756 wrote to memory of 860	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 860	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 860	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 860	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 572	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 572	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 572	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 572	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 1512	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 1512	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 1512	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 1512	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 888	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 888	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 888	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 888	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 840	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 840	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 840	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe
PID 1756 wrote to memory of 840	1756	d07003cbc330579112e9ed1bffc1905b.exe	d07003cbc330579112e9ed1bffc1905b.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads