a80c84111f8051d4ab044b3e184f233dc141c5f73be9a3046104d4bf10e53848

General

Target

0F20E76E084D946DA9580D6BCB9E8F36.exe
Size

2.3MB
MD5

0f20e76e084d946da9580d6bcb9e8f36
SHA1

dbbf7c746f73d5cce936ffc4fa1dbedaeb7e883d
SHA256

a80c84111f8051d4ab044b3e184f233dc141c5f73be9a3046104d4bf10e53848
SHA512

d57e988e36845c24a4b0583e7c7dec3f3429bf545eee8b6406750a7b581f409806ecb0e074699e66dbdc0f5ad8be1a7c48b057f4f9f3b2d573774ff206f2d73b

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

dwim.exedwim.exe

pid process

1768 dwim.exe
292 dwim.exe

pid	process
1768	dwim.exe
292	dwim.exe

Drops startup file 2 IoCs

Processes:

dwim.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31da7ad4532d49133bf7c3d0d35a58b5.exe	dwim.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31da7ad4532d49133bf7c3d0d35a58b5.exe	dwim.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1716 PING.EXE

pid	process
1716	PING.EXE

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

dwim.exe

description	pid	process
Token: SeDebugPrivilege	292	dwim.exe
Token: 33	292	dwim.exe
Token: SeIncBasePriorityPrivilege	292	dwim.exe
Token: 33	292	dwim.exe
Token: SeIncBasePriorityPrivilege	292	dwim.exe
Token: 33	292	dwim.exe
Token: SeIncBasePriorityPrivilege	292	dwim.exe
Token: 33	292	dwim.exe
Token: SeIncBasePriorityPrivilege	292	dwim.exe
Token: 33	292	dwim.exe
Token: SeIncBasePriorityPrivilege	292	dwim.exe
Token: 33	292	dwim.exe
Token: SeIncBasePriorityPrivilege	292	dwim.exe
Token: 33	292	dwim.exe
Token: SeIncBasePriorityPrivilege	292	dwim.exe
Token: 33	292	dwim.exe
Token: SeIncBasePriorityPrivilege	292	dwim.exe
Token: 33	292	dwim.exe
Token: SeIncBasePriorityPrivilege	292	dwim.exe
Token: 33	292	dwim.exe
Token: SeIncBasePriorityPrivilege	292	dwim.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0F20E76E084D946DA9580D6BCB9E8F36.exedwim.exedwim.execmd.exe

description	pid	process	target process
PID 1816 wrote to memory of 1768	1816	0F20E76E084D946DA9580D6BCB9E8F36.exe	dwim.exe
PID 1816 wrote to memory of 1768	1816	0F20E76E084D946DA9580D6BCB9E8F36.exe	dwim.exe
PID 1816 wrote to memory of 1768	1816	0F20E76E084D946DA9580D6BCB9E8F36.exe	dwim.exe
PID 1768 wrote to memory of 292	1768	dwim.exe	dwim.exe
PID 1768 wrote to memory of 292	1768	dwim.exe	dwim.exe
PID 1768 wrote to memory of 292	1768	dwim.exe	dwim.exe
PID 292 wrote to memory of 1656	292	dwim.exe	cmd.exe
PID 292 wrote to memory of 1656	292	dwim.exe	cmd.exe
PID 292 wrote to memory of 1656	292	dwim.exe	cmd.exe
PID 1656 wrote to memory of 1716	1656	cmd.exe	PING.EXE
PID 1656 wrote to memory of 1716	1656	cmd.exe	PING.EXE
PID 1656 wrote to memory of 1716	1656	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\0F20E76E084D946DA9580D6BCB9E8F36.exe
"C:\Users\Admin\AppData\Local\Temp\0F20E76E084D946DA9580D6BCB9E8F36.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\dwim.exe
"C:\Users\Admin\AppData\Local\Temp\dwim.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Roaming\dwim.exe
"C:\Users\Admin\AppData\Roaming\dwim.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\system32\cmd.exe
cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Roaming\dwim.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\PING.EXE
ping 0 -n 2
5⤵
- Runs ping.exe
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dwim.exe
MD5
c21eae02bd20abc7a67d1fe7e227df3a

SHA1
83982cf73326d597a9d813fb15b4e85ac8f40c8c

SHA256
6a027f2fff471682d087a19d6ff38d0234c58688f28c9b9db5d8ef118c93ef67

SHA512
fed8dc8f46f9f687a328baa86bd1dc58a2fa9f0b92675d55dd2101252b7e7b77847cfc0d0ab921f5c095b110e1bb81e9365eaedfd4a78dfa4fb16ad99406c2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwim.exe
MD5
c21eae02bd20abc7a67d1fe7e227df3a

SHA1
83982cf73326d597a9d813fb15b4e85ac8f40c8c

SHA256
6a027f2fff471682d087a19d6ff38d0234c58688f28c9b9db5d8ef118c93ef67

SHA512
fed8dc8f46f9f687a328baa86bd1dc58a2fa9f0b92675d55dd2101252b7e7b77847cfc0d0ab921f5c095b110e1bb81e9365eaedfd4a78dfa4fb16ad99406c2cd

Download Submit
C:\Users\Admin\AppData\Roaming\dwim.exe
MD5
c21eae02bd20abc7a67d1fe7e227df3a

SHA1
83982cf73326d597a9d813fb15b4e85ac8f40c8c

SHA256
6a027f2fff471682d087a19d6ff38d0234c58688f28c9b9db5d8ef118c93ef67

SHA512
fed8dc8f46f9f687a328baa86bd1dc58a2fa9f0b92675d55dd2101252b7e7b77847cfc0d0ab921f5c095b110e1bb81e9365eaedfd4a78dfa4fb16ad99406c2cd

Download Submit
C:\Users\Admin\AppData\Roaming\dwim.exe
MD5
c21eae02bd20abc7a67d1fe7e227df3a

SHA1
83982cf73326d597a9d813fb15b4e85ac8f40c8c

SHA256
6a027f2fff471682d087a19d6ff38d0234c58688f28c9b9db5d8ef118c93ef67

SHA512
fed8dc8f46f9f687a328baa86bd1dc58a2fa9f0b92675d55dd2101252b7e7b77847cfc0d0ab921f5c095b110e1bb81e9365eaedfd4a78dfa4fb16ad99406c2cd

Download Submit
memory/292-67-0x0000000000AE6000-0x0000000000B05000-memory.dmp

Filesize
124KB

Download
memory/292-70-0x0000000000B07000-0x0000000000B08000-memory.dmp

Filesize
4KB

Download
memory/292-71-0x0000000000B08000-0x0000000000B09000-memory.dmp

Filesize
4KB

Download
memory/292-69-0x0000000000B06000-0x0000000000B07000-memory.dmp

Filesize
4KB

Download
memory/292-68-0x0000000000B05000-0x0000000000B06000-memory.dmp

Filesize
4KB

Download
memory/292-66-0x000007FEEEB90000-0x000007FEEFC26000-memory.dmp

Filesize
16.6MB

Download
memory/292-65-0x0000000000AE0000-0x0000000000AE2000-memory.dmp

Filesize
8KB

Download
memory/292-62-0x0000000000000000-mapping.dmp

Download
memory/1656-72-0x0000000000000000-mapping.dmp

Download
memory/1716-73-0x0000000000000000-mapping.dmp

Download
memory/1768-57-0x0000000002110000-0x0000000002112000-memory.dmp

Filesize
8KB

Download
memory/1768-61-0x0000000002136000-0x0000000002137000-memory.dmp

Filesize
4KB

Download
memory/1768-53-0x0000000000000000-mapping.dmp

Download
memory/1768-59-0x0000000002116000-0x0000000002135000-memory.dmp

Filesize
124KB

Download
memory/1768-58-0x000007FEF2450000-0x000007FEF34E6000-memory.dmp

Filesize
16.6MB

Download
memory/1768-60-0x0000000002135000-0x0000000002136000-memory.dmp

Filesize
4KB

Download
memory/1816-56-0x0000000002290000-0x0000000002292000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads