b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a

Analysis

max time kernel
71s
max time network
163s
platform
windows10_x64
resource
win10-en
submitted
17-09-2021 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a.exe
Size

188KB
MD5

e74b2720eaf32bfc409eb52a3d5e937f
SHA1

c931871ebdb109ee7b8ad58e33245530cb346293
SHA256

b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a
SHA512

b99118dd30125b6f512fd6e4b89a1bdb999c0701edc1698296cf2233d0f911fe70f04e3bceefd2fda99ba6e8a4e9c22cf37ecc909a6dba7bf6ad081daa12f150

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost64.exe

pid	Process
3064	svchost64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesvchost64.exe

pid	Process
3292	powershell.exe
3292	powershell.exe
3292	powershell.exe
1444	powershell.exe
1444	powershell.exe
1444	powershell.exe
3800	powershell.exe
3800	powershell.exe
3800	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
3064	svchost64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeIncreaseQuotaPrivilege	3292	powershell.exe
Token: SeSecurityPrivilege	3292	powershell.exe
Token: SeTakeOwnershipPrivilege	3292	powershell.exe
Token: SeLoadDriverPrivilege	3292	powershell.exe
Token: SeSystemProfilePrivilege	3292	powershell.exe
Token: SeSystemtimePrivilege	3292	powershell.exe
Token: SeProfSingleProcessPrivilege	3292	powershell.exe
Token: SeIncBasePriorityPrivilege	3292	powershell.exe
Token: SeCreatePagefilePrivilege	3292	powershell.exe
Token: SeBackupPrivilege	3292	powershell.exe
Token: SeRestorePrivilege	3292	powershell.exe
Token: SeShutdownPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeSystemEnvironmentPrivilege	3292	powershell.exe
Token: SeRemoteShutdownPrivilege	3292	powershell.exe
Token: SeUndockPrivilege	3292	powershell.exe
Token: SeManageVolumePrivilege	3292	powershell.exe
Token: 33	3292	powershell.exe
Token: 34	3292	powershell.exe
Token: 35	3292	powershell.exe
Token: 36	3292	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeIncreaseQuotaPrivilege	1444	powershell.exe
Token: SeSecurityPrivilege	1444	powershell.exe
Token: SeTakeOwnershipPrivilege	1444	powershell.exe
Token: SeLoadDriverPrivilege	1444	powershell.exe
Token: SeSystemProfilePrivilege	1444	powershell.exe
Token: SeSystemtimePrivilege	1444	powershell.exe
Token: SeProfSingleProcessPrivilege	1444	powershell.exe
Token: SeIncBasePriorityPrivilege	1444	powershell.exe
Token: SeCreatePagefilePrivilege	1444	powershell.exe
Token: SeBackupPrivilege	1444	powershell.exe
Token: SeRestorePrivilege	1444	powershell.exe
Token: SeShutdownPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeSystemEnvironmentPrivilege	1444	powershell.exe
Token: SeRemoteShutdownPrivilege	1444	powershell.exe
Token: SeUndockPrivilege	1444	powershell.exe
Token: SeManageVolumePrivilege	1444	powershell.exe
Token: 33	1444	powershell.exe
Token: 34	1444	powershell.exe
Token: 35	1444	powershell.exe
Token: 36	1444	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeIncreaseQuotaPrivilege	3800	powershell.exe
Token: SeSecurityPrivilege	3800	powershell.exe
Token: SeTakeOwnershipPrivilege	3800	powershell.exe
Token: SeLoadDriverPrivilege	3800	powershell.exe
Token: SeSystemProfilePrivilege	3800	powershell.exe
Token: SeSystemtimePrivilege	3800	powershell.exe
Token: SeProfSingleProcessPrivilege	3800	powershell.exe
Token: SeIncBasePriorityPrivilege	3800	powershell.exe
Token: SeCreatePagefilePrivilege	3800	powershell.exe
Token: SeBackupPrivilege	3800	powershell.exe
Token: SeRestorePrivilege	3800	powershell.exe
Token: SeShutdownPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeSystemEnvironmentPrivilege	3800	powershell.exe
Token: SeRemoteShutdownPrivilege	3800	powershell.exe
Token: SeUndockPrivilege	3800	powershell.exe
Token: SeManageVolumePrivilege	3800	powershell.exe
Token: 33	3800	powershell.exe
Token: 34	3800	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a.execmd.execmd.exesvchost64.execmd.execmd.exe

description	pid	Process	procid_target
PID 3944 wrote to memory of 3748	3944	b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a.exe	69
PID 3944 wrote to memory of 3748	3944	b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a.exe	69
PID 3748 wrote to memory of 3292	3748	cmd.exe	71
PID 3748 wrote to memory of 3292	3748	cmd.exe	71
PID 3748 wrote to memory of 1444	3748	cmd.exe	73
PID 3748 wrote to memory of 1444	3748	cmd.exe	73
PID 3748 wrote to memory of 3800	3748	cmd.exe	74
PID 3748 wrote to memory of 3800	3748	cmd.exe	74
PID 3748 wrote to memory of 948	3748	cmd.exe	75
PID 3748 wrote to memory of 948	3748	cmd.exe	75
PID 3944 wrote to memory of 2180	3944	b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a.exe	76
PID 3944 wrote to memory of 2180	3944	b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a.exe	76
PID 2180 wrote to memory of 3064	2180	cmd.exe	78
PID 2180 wrote to memory of 3064	2180	cmd.exe	78
PID 3064 wrote to memory of 992	3064	svchost64.exe	79
PID 3064 wrote to memory of 992	3064	svchost64.exe	79
PID 992 wrote to memory of 748	992	cmd.exe	81
PID 992 wrote to memory of 748	992	cmd.exe	81
PID 3064 wrote to memory of 480	3064	svchost64.exe	82
PID 3064 wrote to memory of 480	3064	svchost64.exe	82
PID 480 wrote to memory of 2228	480	cmd.exe	84
PID 480 wrote to memory of 2228	480	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a.exe
"C:\Users\Admin\AppData\Local\Temp\b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\svchost64.exe
    C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:748
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:480
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
cb0ee17eebbafb1a42e415cb46f7326f

SHA1
492d9fa51d53279bc827d5ed50584cdabc5ae08b

SHA256
51e7a16adb70a86736e22777254e06ad6a850f8644b079f7d4e68168853e9f32

SHA512
d2a945b617b4b02c02b1d6f81119ee208535adf32470e9edcd1b133e86365d6fe17117762eed22c3e7081758fe9222ccd722ac4fb78e256447ec673bee966169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
e143999977e4dcda42e956219322b1d7

SHA1
799cecfe0b347d76640db5a633fb2f66877199d7

SHA256
7be93a24a9921c45f8a6ae700c229a2fd22d6a7eca1ad547339783bee2352fc0

SHA512
c92e5842ce3bca37a1abf48d506c3f9a527ccca4fa017ac0b5a40d5472fc1d670ab5088b851ce9fe31d2a7ad1806ec2cdd6eaff26a5021a2270831befe7b6233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b29bf10e778b2f17335c809de88c1b72

SHA1
8bc7cfa7752b06baef487443d35b4417440ac48c

SHA256
2efabc282938c0f61e101c2c9518dc7a1685196d028ba62c6282d18830c1983e

SHA512
2824bf56b4611b4bfad7ae3d82ccefc28c8a4d9f89753d25aa6a2c1794612adc7303d84ab494fe9bbf4bed431038e4d06c3b70f9325fb360e9fd48d3c740c3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe

MD5
dcb4b25c427f6f177b2548b4607a2bc0

SHA1
e9cff09a5b701d029e700b2a1d94827d2b193f68

SHA256
5a219a59dddfc7f04727b3ce435a70c7be99452e8ebc43fe51821b23db8c9e05

SHA512
f2c774786f99de0745c1c5896d57dcfd438f32aeeb2d6be42e7a713a0f1fac4ae1dc7c4847066738816e8e0dfdcd578bd57cf9305ea168fafc5d5fc2331477e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe

MD5
dcb4b25c427f6f177b2548b4607a2bc0

SHA1
e9cff09a5b701d029e700b2a1d94827d2b193f68

SHA256
5a219a59dddfc7f04727b3ce435a70c7be99452e8ebc43fe51821b23db8c9e05

SHA512
f2c774786f99de0745c1c5896d57dcfd438f32aeeb2d6be42e7a713a0f1fac4ae1dc7c4847066738816e8e0dfdcd578bd57cf9305ea168fafc5d5fc2331477e2

Download Submit
memory/480-285-0x0000000000000000-mapping.dmp

Download
memory/748-283-0x0000000000000000-mapping.dmp

Download
memory/948-254-0x00000201FE9E3000-0x00000201FE9E5000-memory.dmp

Filesize
8KB

Download
memory/948-252-0x00000201FE9E0000-0x00000201FE9E2000-memory.dmp

Filesize
8KB

Download
memory/948-274-0x00000201FE9E8000-0x00000201FE9E9000-memory.dmp

Filesize
4KB

Download
memory/948-235-0x0000000000000000-mapping.dmp

Download
memory/948-255-0x00000201FE9E6000-0x00000201FE9E8000-memory.dmp

Filesize
8KB

Download
memory/992-282-0x0000000000000000-mapping.dmp

Download
memory/1444-156-0x0000000000000000-mapping.dmp

Download
memory/1444-195-0x000001F22C516000-0x000001F22C518000-memory.dmp

Filesize
8KB

Download
memory/1444-196-0x000001F22C518000-0x000001F22C519000-memory.dmp

Filesize
4KB

Download
memory/1444-169-0x000001F22C513000-0x000001F22C515000-memory.dmp

Filesize
8KB

Download
memory/1444-168-0x000001F22C510000-0x000001F22C512000-memory.dmp

Filesize
8KB

Download
memory/2180-275-0x0000000000000000-mapping.dmp

Download
memory/2228-286-0x0000000000000000-mapping.dmp

Download
memory/3064-276-0x0000000000000000-mapping.dmp

Download
memory/3064-279-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3064-284-0x000000001C640000-0x000000001C642000-memory.dmp

Filesize
8KB

Download
memory/3064-281-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/3292-119-0x0000000000000000-mapping.dmp

Download
memory/3292-124-0x0000021D6DFC0000-0x0000021D6DFC1000-memory.dmp

Filesize
4KB

Download
memory/3292-166-0x0000021D6DA68000-0x0000021D6DA69000-memory.dmp

Filesize
4KB

Download
memory/3292-152-0x0000021D6DA66000-0x0000021D6DA68000-memory.dmp

Filesize
8KB

Download
memory/3292-130-0x0000021D6DA60000-0x0000021D6DA62000-memory.dmp

Filesize
8KB

Download
memory/3292-131-0x0000021D6DA63000-0x0000021D6DA65000-memory.dmp

Filesize
8KB

Download
memory/3292-127-0x0000021D6E2C0000-0x0000021D6E2C1000-memory.dmp

Filesize
4KB

Download
memory/3748-118-0x0000000000000000-mapping.dmp

Download
memory/3800-197-0x0000000000000000-mapping.dmp

Download
memory/3800-231-0x0000024F51E36000-0x0000024F51E38000-memory.dmp

Filesize
8KB

Download
memory/3800-249-0x0000024F51E38000-0x0000024F51E39000-memory.dmp

Filesize
4KB

Download
memory/3800-229-0x0000024F51E30000-0x0000024F51E32000-memory.dmp

Filesize
8KB

Download
memory/3800-230-0x0000024F51E33000-0x0000024F51E35000-memory.dmp

Filesize
8KB

Download
memory/3944-115-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3944-117-0x000000001BEF0000-0x000000001BEF2000-memory.dmp

Filesize
8KB

Download