129e52b2c93cc026192d8cc216c345ec4492e9f67e6e0a80daa3619c6857574e

General

Target

3f7feb8491c4b21321d60b2422d82e97.exe
Size

6.1MB
MD5

3f7feb8491c4b21321d60b2422d82e97
SHA1

4718dd599d5ae6f08093d1bc251b3564d71b1fc2
SHA256

129e52b2c93cc026192d8cc216c345ec4492e9f67e6e0a80daa3619c6857574e
SHA512

24342cff0dfea810c5df9ef11d933d1d630fdfff6576b930d10db089ffac341cedd18fce9f1dc7d824578259cf4bd5fce443ca7a32ab15c90c5275a4e02e93c9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe3f7feb8491c4b21321d60b2422d82e97.exe

pid	process
3960	powershell.exe
3960	powershell.exe
3960	powershell.exe
2204	powershell.exe
2204	powershell.exe
2204	powershell.exe
3192	powershell.exe
3192	powershell.exe
3192	powershell.exe
3420	powershell.exe
3420	powershell.exe
3420	powershell.exe
776	3f7feb8491c4b21321d60b2422d82e97.exe
776	3f7feb8491c4b21321d60b2422d82e97.exe
776	3f7feb8491c4b21321d60b2422d82e97.exe
776	3f7feb8491c4b21321d60b2422d82e97.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeIncreaseQuotaPrivilege	3960	powershell.exe
Token: SeSecurityPrivilege	3960	powershell.exe
Token: SeTakeOwnershipPrivilege	3960	powershell.exe
Token: SeLoadDriverPrivilege	3960	powershell.exe
Token: SeSystemProfilePrivilege	3960	powershell.exe
Token: SeSystemtimePrivilege	3960	powershell.exe
Token: SeProfSingleProcessPrivilege	3960	powershell.exe
Token: SeIncBasePriorityPrivilege	3960	powershell.exe
Token: SeCreatePagefilePrivilege	3960	powershell.exe
Token: SeBackupPrivilege	3960	powershell.exe
Token: SeRestorePrivilege	3960	powershell.exe
Token: SeShutdownPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeSystemEnvironmentPrivilege	3960	powershell.exe
Token: SeRemoteShutdownPrivilege	3960	powershell.exe
Token: SeUndockPrivilege	3960	powershell.exe
Token: SeManageVolumePrivilege	3960	powershell.exe
Token: 33	3960	powershell.exe
Token: 34	3960	powershell.exe
Token: 35	3960	powershell.exe
Token: 36	3960	powershell.exe
Token: SeIncreaseQuotaPrivilege	3960	powershell.exe
Token: SeSecurityPrivilege	3960	powershell.exe
Token: SeTakeOwnershipPrivilege	3960	powershell.exe
Token: SeLoadDriverPrivilege	3960	powershell.exe
Token: SeSystemProfilePrivilege	3960	powershell.exe
Token: SeSystemtimePrivilege	3960	powershell.exe
Token: SeProfSingleProcessPrivilege	3960	powershell.exe
Token: SeIncBasePriorityPrivilege	3960	powershell.exe
Token: SeCreatePagefilePrivilege	3960	powershell.exe
Token: SeBackupPrivilege	3960	powershell.exe
Token: SeRestorePrivilege	3960	powershell.exe
Token: SeShutdownPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeSystemEnvironmentPrivilege	3960	powershell.exe
Token: SeRemoteShutdownPrivilege	3960	powershell.exe
Token: SeUndockPrivilege	3960	powershell.exe
Token: SeManageVolumePrivilege	3960	powershell.exe
Token: 33	3960	powershell.exe
Token: 34	3960	powershell.exe
Token: 35	3960	powershell.exe
Token: 36	3960	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeIncreaseQuotaPrivilege	2204	powershell.exe
Token: SeSecurityPrivilege	2204	powershell.exe
Token: SeTakeOwnershipPrivilege	2204	powershell.exe
Token: SeLoadDriverPrivilege	2204	powershell.exe
Token: SeSystemProfilePrivilege	2204	powershell.exe
Token: SeSystemtimePrivilege	2204	powershell.exe
Token: SeProfSingleProcessPrivilege	2204	powershell.exe
Token: SeIncBasePriorityPrivilege	2204	powershell.exe
Token: SeCreatePagefilePrivilege	2204	powershell.exe
Token: SeBackupPrivilege	2204	powershell.exe
Token: SeRestorePrivilege	2204	powershell.exe
Token: SeShutdownPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeSystemEnvironmentPrivilege	2204	powershell.exe
Token: SeRemoteShutdownPrivilege	2204	powershell.exe
Token: SeUndockPrivilege	2204	powershell.exe
Token: SeManageVolumePrivilege	2204	powershell.exe
Token: 33	2204	powershell.exe
Token: 34	2204	powershell.exe
Token: 35	2204	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3f7feb8491c4b21321d60b2422d82e97.exe

description	pid	process	target process
PID 776 wrote to memory of 3960	776	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 776 wrote to memory of 3960	776	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 776 wrote to memory of 2204	776	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 776 wrote to memory of 2204	776	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 776 wrote to memory of 3192	776	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 776 wrote to memory of 3192	776	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 776 wrote to memory of 3420	776	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe
PID 776 wrote to memory of 3420	776	3f7feb8491c4b21321d60b2422d82e97.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\3f7feb8491c4b21321d60b2422d82e97.exe
"C:\Users\Admin\AppData\Local\Temp\3f7feb8491c4b21321d60b2422d82e97.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
cd7fb3d11c938541ac33d6fd4089e437

SHA1
dcb4c9240c96520dfa600dd31c1f9b1f59564a18

SHA256
275f6b0e155160d6c34d9a60887766ceec17fdf2e5ec0088cb293fd92b773cd6

SHA512
735a5a41fb938921d87ca078e8fe1194576ab6ab4754eda675a957582ca8acc02639b7caabc60578b8a147f60bc99a0c1e1d943418a4b98dc23a241cb9ed72ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9501dd44b3ef6d273367be866458623c

SHA1
08ce543286f1c517e8a0eac038cd26319ce553fc

SHA256
34bbf0b5eeee8233edb3671b6ba9a30ba8e65fc9a846f09a9bf591f47bb8be75

SHA512
73b2703246318616cf43287b21094b16281a8434f86c28b7b2629c886cd031ef4864045a81531686dc296c50f9465fd78f491799aa66d3eed2ccce22670bf4d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4e02d83468112ed54fc8384f0a0bd021

SHA1
a242322bb8cdf70bac846891607169beb7042e13

SHA256
666e919bb7da408e21fbb9e136b2482876e0d3eaf29b57ca83356340708f7c8c

SHA512
53ad27a4498acc7c6572e23780a79d984ab0ce9db5a9dee65929c99adde3c4b4affcb1a5f79a000b89cb26adbb5731efbca9f8160b0f27ff2215fd423a4df44a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d4ef5d9417ce7a28130fce6ec6f7d1f9

SHA1
2605311ae12465cd34eb836f7b206b8756de9757

SHA256
862179fc95f427e954d8fc9ee0c602aef545af583fbd83b24b6d4127c446000e

SHA512
0e4bf73e73ed895e2fe1981f5e751c7451847934f32bb573e2fc049f309d0ef812b5e854e83f59e0ef8ce6219acc39f2e1abd259bed7f43321e45c44dbc21c01

Download Submit
memory/776-114-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/776-354-0x000000001DF70000-0x000000001E5AC000-memory.dmp

Filesize
6.2MB

Download
memory/776-355-0x000000001C2D0000-0x000000001C2D2000-memory.dmp

Filesize
8KB

Download
memory/2204-175-0x0000000000000000-mapping.dmp

Download
memory/2204-192-0x000001DD7A0B0000-0x000001DD7A0B2000-memory.dmp

Filesize
8KB

Download
memory/2204-193-0x000001DD7A0B3000-0x000001DD7A0B5000-memory.dmp

Filesize
8KB

Download
memory/2204-218-0x000001DD7A0B6000-0x000001DD7A0B8000-memory.dmp

Filesize
8KB

Download
memory/3192-277-0x0000022753F96000-0x0000022753F98000-memory.dmp

Filesize
8KB

Download
memory/3192-248-0x0000022753F93000-0x0000022753F95000-memory.dmp

Filesize
8KB

Download
memory/3192-247-0x0000022753F90000-0x0000022753F92000-memory.dmp

Filesize
8KB

Download
memory/3192-236-0x0000000000000000-mapping.dmp

Download
memory/3420-295-0x0000000000000000-mapping.dmp

Download
memory/3420-303-0x000001D69D590000-0x000001D69D592000-memory.dmp

Filesize
8KB

Download
memory/3420-304-0x000001D69D593000-0x000001D69D595000-memory.dmp

Filesize
8KB

Download
memory/3420-336-0x000001D69D596000-0x000001D69D598000-memory.dmp

Filesize
8KB

Download
memory/3960-139-0x0000022DEE496000-0x0000022DEE498000-memory.dmp

Filesize
8KB

Download
memory/3960-128-0x0000022DEE493000-0x0000022DEE495000-memory.dmp

Filesize
8KB

Download
memory/3960-127-0x0000022DEE490000-0x0000022DEE492000-memory.dmp

Filesize
8KB

Download
memory/3960-126-0x0000022DF07C0000-0x0000022DF07C1000-memory.dmp

Filesize
4KB

Download
memory/3960-122-0x0000022DF0610000-0x0000022DF0611000-memory.dmp

Filesize
4KB

Download
memory/3960-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads