129e52b2c93cc026192d8cc216c345ec4492e9f67e6e0a80daa3619c6857574e

General

Target

3f7feb8491c4b21321d60b2422d82e97.exe
Size

6.1MB
MD5

3f7feb8491c4b21321d60b2422d82e97
SHA1

4718dd599d5ae6f08093d1bc251b3564d71b1fc2
SHA256

129e52b2c93cc026192d8cc216c345ec4492e9f67e6e0a80daa3619c6857574e
SHA512

24342cff0dfea810c5df9ef11d933d1d630fdfff6576b930d10db089ffac341cedd18fce9f1dc7d824578259cf4bd5fce443ca7a32ab15c90c5275a4e02e93c9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe3f7feb8491c4b21321d60b2422d82e97.exe

pid	process
1700	powershell.exe
1700	powershell.exe
1776	powershell.exe
1776	powershell.exe
1296	powershell.exe
1296	powershell.exe
1860	powershell.exe
1860	powershell.exe
1668	3f7feb8491c4b21321d60b2422d82e97.exe
1668	3f7feb8491c4b21321d60b2422d82e97.exe
1668	3f7feb8491c4b21321d60b2422d82e97.exe
1668	3f7feb8491c4b21321d60b2422d82e97.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeIncreaseQuotaPrivilege	1700	powershell.exe
Token: SeSecurityPrivilege	1700	powershell.exe
Token: SeTakeOwnershipPrivilege	1700	powershell.exe
Token: SeLoadDriverPrivilege	1700	powershell.exe
Token: SeSystemProfilePrivilege	1700	powershell.exe
Token: SeSystemtimePrivilege	1700	powershell.exe
Token: SeProfSingleProcessPrivilege	1700	powershell.exe
Token: SeIncBasePriorityPrivilege	1700	powershell.exe
Token: SeCreatePagefilePrivilege	1700	powershell.exe
Token: SeBackupPrivilege	1700	powershell.exe
Token: SeRestorePrivilege	1700	powershell.exe
Token: SeShutdownPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeSystemEnvironmentPrivilege	1700	powershell.exe
Token: SeRemoteShutdownPrivilege	1700	powershell.exe
Token: SeUndockPrivilege	1700	powershell.exe
Token: SeManageVolumePrivilege	1700	powershell.exe
Token: 33	1700	powershell.exe
Token: 34	1700	powershell.exe
Token: 35	1700	powershell.exe
Token: SeIncreaseQuotaPrivilege	1700	powershell.exe
Token: SeSecurityPrivilege	1700	powershell.exe
Token: SeTakeOwnershipPrivilege	1700	powershell.exe
Token: SeLoadDriverPrivilege	1700	powershell.exe
Token: SeSystemProfilePrivilege	1700	powershell.exe
Token: SeSystemtimePrivilege	1700	powershell.exe
Token: SeProfSingleProcessPrivilege	1700	powershell.exe
Token: SeIncBasePriorityPrivilege	1700	powershell.exe
Token: SeCreatePagefilePrivilege	1700	powershell.exe
Token: SeBackupPrivilege	1700	powershell.exe
Token: SeRestorePrivilege	1700	powershell.exe
Token: SeShutdownPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeSystemEnvironmentPrivilege	1700	powershell.exe
Token: SeRemoteShutdownPrivilege	1700	powershell.exe
Token: SeUndockPrivilege	1700	powershell.exe
Token: SeManageVolumePrivilege	1700	powershell.exe
Token: 33	1700	powershell.exe
Token: 34	1700	powershell.exe
Token: 35	1700	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeIncreaseQuotaPrivilege	1776	powershell.exe
Token: SeSecurityPrivilege	1776	powershell.exe
Token: SeTakeOwnershipPrivilege	1776	powershell.exe
Token: SeLoadDriverPrivilege	1776	powershell.exe
Token: SeSystemProfilePrivilege	1776	powershell.exe
Token: SeSystemtimePrivilege	1776	powershell.exe
Token: SeProfSingleProcessPrivilege	1776	powershell.exe
Token: SeIncBasePriorityPrivilege	1776	powershell.exe
Token: SeCreatePagefilePrivilege	1776	powershell.exe
Token: SeBackupPrivilege	1776	powershell.exe
Token: SeRestorePrivilege	1776	powershell.exe
Token: SeShutdownPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeSystemEnvironmentPrivilege	1776	powershell.exe
Token: SeRemoteShutdownPrivilege	1776	powershell.exe
Token: SeUndockPrivilege	1776	powershell.exe
Token: SeManageVolumePrivilege	1776	powershell.exe
Token: 33	1776	powershell.exe
Token: 34	1776	powershell.exe
Token: 35	1776	powershell.exe
Token: SeIncreaseQuotaPrivilege	1776	powershell.exe
Token: SeSecurityPrivilege	1776	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3f7feb8491c4b21321d60b2422d82e97.exe

description	pid	process	target process
PID 1668 wrote to memory of 1700	1668	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 1668 wrote to memory of 1700	1668	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 1668 wrote to memory of 1700	1668	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 1668 wrote to memory of 1776	1668	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 1668 wrote to memory of 1776	1668	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 1668 wrote to memory of 1776	1668	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 1668 wrote to memory of 1296	1668	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 1668 wrote to memory of 1296	1668	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 1668 wrote to memory of 1296	1668	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 1668 wrote to memory of 1860	1668	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 1668 wrote to memory of 1860	1668	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 1668 wrote to memory of 1860	1668	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\3f7feb8491c4b21321d60b2422d82e97.exe
"C:\Users\Admin\AppData\Local\Temp\3f7feb8491c4b21321d60b2422d82e97.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
df5d307cf1e09eb7d0ef276a8dbddc94

SHA1
ca87ac98fcab054ab217fc9148b00bc4f052169c

SHA256
9add8be4fa1bcbbd35d292f538ad08f5f21a1a072a7cabca7e6e9417604d341e

SHA512
621dcb7115d29afc9a99dc15aaa2c14e07697666747e9d3e2717f1549610170134695560e49290d0bd73cd2fc156eef4c3967a80f8e6f558c7820bcdf0b0be6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
8a2c251bf5d563636cb61e956ed5c16f

SHA1
7e88f5f111b215b3aaf91e93cf273ce75d2d2227

SHA256
8166b17aa99daf2e370a76ce57fc29fd7279988fb39f8f8c9609066f94381158

SHA512
6ca84303965802bb033fbfc83228228e14395f5725019191643cdd87ef2615bc556ac54c742041c813b6b1f5c56d56b467ce29e5dc00bdc07c3e434ee1c9f34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
8a2c251bf5d563636cb61e956ed5c16f

SHA1
7e88f5f111b215b3aaf91e93cf273ce75d2d2227

SHA256
8166b17aa99daf2e370a76ce57fc29fd7279988fb39f8f8c9609066f94381158

SHA512
6ca84303965802bb033fbfc83228228e14395f5725019191643cdd87ef2615bc556ac54c742041c813b6b1f5c56d56b467ce29e5dc00bdc07c3e434ee1c9f34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
8a2c251bf5d563636cb61e956ed5c16f

SHA1
7e88f5f111b215b3aaf91e93cf273ce75d2d2227

SHA256
8166b17aa99daf2e370a76ce57fc29fd7279988fb39f8f8c9609066f94381158

SHA512
6ca84303965802bb033fbfc83228228e14395f5725019191643cdd87ef2615bc556ac54c742041c813b6b1f5c56d56b467ce29e5dc00bdc07c3e434ee1c9f34f

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1296-92-0x000000001ABB4000-0x000000001ABB6000-memory.dmp

Filesize
8KB

Download
memory/1296-91-0x000000001ABB0000-0x000000001ABB2000-memory.dmp

Filesize
8KB

Download
memory/1296-84-0x0000000000000000-mapping.dmp

Download
memory/1668-108-0x000000001B4C0000-0x000000001B4C2000-memory.dmp

Filesize
8KB

Download
memory/1668-107-0x000000001DA20000-0x000000001E05C000-memory.dmp

Filesize
6.2MB

Download
memory/1668-60-0x000000013F960000-0x000000013F961000-memory.dmp

Filesize
4KB

Download
memory/1700-69-0x000000001AC94000-0x000000001AC96000-memory.dmp

Filesize
8KB

Download
memory/1700-70-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1700-62-0x0000000000000000-mapping.dmp

Download
memory/1700-63-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download
memory/1700-64-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1700-65-0x000000001AD10000-0x000000001AD11000-memory.dmp

Filesize
4KB

Download
memory/1700-66-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1700-67-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1700-71-0x000000001C5C0000-0x000000001C5C1000-memory.dmp

Filesize
4KB

Download
memory/1700-68-0x000000001AC90000-0x000000001AC92000-memory.dmp

Filesize
8KB

Download
memory/1776-79-0x000000001AAF4000-0x000000001AAF6000-memory.dmp

Filesize
8KB

Download
memory/1776-83-0x000000001C790000-0x000000001C791000-memory.dmp

Filesize
4KB

Download
memory/1776-82-0x000000001AA50000-0x000000001AA51000-memory.dmp

Filesize
4KB

Download
memory/1776-80-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1776-72-0x0000000000000000-mapping.dmp

Download
memory/1776-78-0x000000001AAF0000-0x000000001AAF2000-memory.dmp

Filesize
8KB

Download
memory/1776-77-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/1776-76-0x000000001AB70000-0x000000001AB71000-memory.dmp

Filesize
4KB

Download
memory/1776-75-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1860-96-0x0000000000000000-mapping.dmp

Download
memory/1860-103-0x000000001AD34000-0x000000001AD36000-memory.dmp

Filesize
8KB

Download
memory/1860-102-0x000000001AD30000-0x000000001AD32000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads