0224ddb170df9a27dda9f0ffc95269230d3b7512fa8765c76eb3f571d1647a3b

General

Target

SOA.exe
Size

698KB
MD5

60ce0b8fc55a6060f5e01c9f8e179e2b
SHA1

ba86a7924b9bb84bfd34308f24bb2df9e720ba28
SHA256

0224ddb170df9a27dda9f0ffc95269230d3b7512fa8765c76eb3f571d1647a3b
SHA512

88ef2f5b92f8c4b1e378bff84a5920191e3d1666faea9f9e1a13db8ef2cc4cd568276bc0b5e1ac60d5d03ca21eb8089d9f4fd72f0b9facb36113a7759f256af1

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3936 schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

SOA.exe

pid process

508 SOA.exe
508 SOA.exe
508 SOA.exe
508 SOA.exe
508 SOA.exe
508 SOA.exe
508 SOA.exe
508 SOA.exe
508 SOA.exe
508 SOA.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SOA.exe

description pid process

Token: SeDebugPrivilege 508 SOA.exe

pid	process
3936	schtasks.exe

pid	process
508	SOA.exe
508	SOA.exe
508	SOA.exe
508	SOA.exe
508	SOA.exe
508	SOA.exe
508	SOA.exe
508	SOA.exe
508	SOA.exe
508	SOA.exe

description	pid	process
Token: SeDebugPrivilege	508	SOA.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

SOA.exe

description	pid	process	target process
PID 508 wrote to memory of 3936	508	SOA.exe	schtasks.exe
PID 508 wrote to memory of 3936	508	SOA.exe	schtasks.exe
PID 508 wrote to memory of 3936	508	SOA.exe	schtasks.exe
PID 508 wrote to memory of 2896	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 2896	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 2896	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 2824	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 2824	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 2824	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 3476	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 3476	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 3476	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 2768	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 2768	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 2768	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 424	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 424	508	SOA.exe	SOA.exe
PID 508 wrote to memory of 424	508	SOA.exe	SOA.exe

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eRApFxQbJlLn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5BB.tmp"
2⤵
- Creates scheduled task(s)
PID:3936

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"{path}"
2⤵
PID:424

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA5BB.tmp
MD5
adefdd8981276dd2d270ec3c676a6c51

SHA1
db8709e97f43f74b5ad088fce90f62905caf72db

SHA256
999662be73d3f4ad4ac8dbb8bdf676e46f773f13335665855813f65ea2e4b7ee

SHA512
eb6d103ab567e060d3f53419956de4511b8520e4f6e97af8440f9b7d1bb629e9862d7a412d6dd2c5adb5be9b5dc78991241938e0832a6414bdd709b90ec14271

Download Submit
memory/508-115-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/508-117-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/508-118-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/508-119-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/508-120-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/508-121-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/508-122-0x00000000049B0000-0x0000000004EAE000-memory.dmp

Filesize
5.0MB

Download
memory/508-123-0x0000000002250000-0x000000000225E000-memory.dmp

Filesize
56KB

Download
memory/508-124-0x00000000094C0000-0x0000000009520000-memory.dmp

Filesize
384KB

Download
memory/508-125-0x0000000004D90000-0x0000000004D9C000-memory.dmp

Filesize
48KB

Download
memory/3936-126-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads