aa438f22db488466ed39153b302b4f7557ca4bcc44ba35f83ad2dc8a04903398

General

Target

Privacy By Design - Training Module.exe
Size

724KB
MD5

82126e6a1d3b1bb5b1d1c3ddbb256b0e
SHA1

2259e9b89fcfd3e01d2e1554b32b478fc0f6396c
SHA256

aa438f22db488466ed39153b302b4f7557ca4bcc44ba35f83ad2dc8a04903398
SHA512

6795d4872554840c5a1bb4ed415c3d948c3384348ea8c18e30d74c8d800d554956003a048a4d7bceac9b670f7fd350c1a2aaa8d07725cce3138cf1fa036ac4f9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
784	Privacy By Design - Training Module.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
752	784	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2028	Privacy By Design - Training Module.exe
2028	Privacy By Design - Training Module.exe
784	Privacy By Design - Training Module.exe
784	Privacy By Design - Training Module.exe
784	Privacy By Design - Training Module.exe
784	Privacy By Design - Training Module.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
752	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	Privacy By Design - Training Module.exe
Token: SeDebugPrivilege	784	Privacy By Design - Training Module.exe
Token: SeDebugPrivilege	752	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 784	2028	Privacy By Design - Training Module.exe	29
PID 2028 wrote to memory of 784	2028	Privacy By Design - Training Module.exe	29
PID 2028 wrote to memory of 784	2028	Privacy By Design - Training Module.exe	29
PID 784 wrote to memory of 752	784	Privacy By Design - Training Module.exe	30
PID 784 wrote to memory of 752	784	Privacy By Design - Training Module.exe	30
PID 784 wrote to memory of 752	784	Privacy By Design - Training Module.exe	30

C:\Users\Admin\AppData\Local\Temp\Privacy By Design - Training Module.exe
"C:\Users\Admin\AppData\Local\Temp\Privacy By Design - Training Module.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Roaming\Privacy By Design - Training Module.exe
  "C:\Users\Admin\AppData\Roaming\Privacy By Design - Training Module.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 784 -s 568
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/752-68-0x000007FEFC411000-0x000007FEFC413000-memory.dmp

Filesize
8KB

Download
memory/752-69-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/784-65-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2028-60-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing