Analysis
max time kernel: 150s
max time network: 148s
platform: windows10_x64
resource: win10-en-20210920
submitted: 25-09-2021 07:07

Static task: static1
Behavioral task: behavioral1
  Sample: d761f42a4df1938b43282d88e12c741a.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: d761f42a4df1938b43282d88e12c741a.exe
  Resource: win10-en-20210920

General
Target: d761f42a4df1938b43282d88e12c741a.exe
Size: 12KB
MD5: d761f42a4df1938b43282d88e12c741a
SHA1: fc1913d79b6f8c738bfdbb64cb99ac863ce42f05
SHA256: 515fbf67c103e796658acaf24ae3762943a56ebf14337ab46bf9e140f61da0f4
SHA512: 946cc5a7d60062ddc597b460f199dd28d35be42ab8092e5ad9a17e3dc31bdcf40ff4c875e5d44fc1896fdec28805edb3729edad36f2a3ae2d81d61f03379df24
Malware Config
Signatures
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: nothing else in this report supports it (the only child activity observed is repeated Test-NetConnection invocations), so weigh it as a weak signal on its own.
-
Suspicious behavior: EnumeratesProcesses (39 IoCs)
Processes: 13 powershell.exe instances, three IoCs each.
PIDs: 4164, 1588, 3400, 4308, 2724, 3924, 1380, 4592, 4560, 584, 4992, 1136, 4600
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: powershell.exe, PID 4164 only.
All 64 IoCs come from this one process: an initial SeDebugPrivilege, then three identical passes over the following 21 privileges, listed in LUID order:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
The four numeric entries are privileges the sandbox reports by LUID instead of name; by the well-known values in winnt.h they are 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. Taken together the list is the set of privileges an elevated administrator token holds but leaves disabled by default, which is what enabling every privilege in the token at once looks like; it is consistent with the sample having run elevated. None of the other powershell.exe children trigger this signature.
-
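The AdjustPrivilegeToken IoCs above are printed as one run of "Token: <privilege> <pid> <image>" fragments. The Python below is an added example, not part of the Triage report or of the sample: it parses that flattened form, resolves the entries the report prints only as LUID numbers using the well-known privilege values from winnt.h, and summarises which privileges each process enabled and how often. The sample text is the first 22 entries for PID 4164 copied from the report (the initial SeDebugPrivilege plus one full pass of the 21-privilege cycle); the privilege names are kept exactly as the report spells them.

```python
"""Parse flattened Triage 'AdjustPrivilegeToken' IoC text and summarise it.

Added example, not part of the sandbox report. The LUID-to-name table is the
SE_*_PRIVILEGE value order from winnt.h (LUID 2 = SeCreateTokenPrivilege ...
LUID 36 = SeDelegateSessionUserImpersonatePrivilege).
"""
import re
from collections import Counter

# First 22 IoCs for PID 4164, copied from the report. The report repeats the
# 21-entry cycle three times after the leading SeDebugPrivilege: 1 + 3*21 = 64.
REPORT_TEXT = (
    "Token: SeDebugPrivilege 4164 powershell.exe Token: SeIncreaseQuotaPrivilege 4164 powershell.exe "
    "Token: SeSecurityPrivilege 4164 powershell.exe Token: SeTakeOwnershipPrivilege 4164 powershell.exe "
    "Token: SeLoadDriverPrivilege 4164 powershell.exe Token: SeSystemProfilePrivilege 4164 powershell.exe "
    "Token: SeSystemtimePrivilege 4164 powershell.exe Token: SeProfSingleProcessPrivilege 4164 powershell.exe "
    "Token: SeIncBasePriorityPrivilege 4164 powershell.exe Token: SeCreatePagefilePrivilege 4164 powershell.exe "
    "Token: SeBackupPrivilege 4164 powershell.exe Token: SeRestorePrivilege 4164 powershell.exe "
    "Token: SeShutdownPrivilege 4164 powershell.exe Token: SeDebugPrivilege 4164 powershell.exe "
    "Token: SeSystemEnvironmentPrivilege 4164 powershell.exe Token: SeRemoteShutdownPrivilege 4164 powershell.exe "
    "Token: SeUndockPrivilege 4164 powershell.exe Token: SeManageVolumePrivilege 4164 powershell.exe "
    "Token: 33 4164 powershell.exe Token: 34 4164 powershell.exe "
    "Token: 35 4164 powershell.exe Token: 36 4164 powershell.exe"
)

# Index 0 corresponds to LUID 2 (SE_MIN_WELL_KNOWN_PRIVILEGE); index i -> LUID i + 2.
WELL_KNOWN_PRIVILEGES = [
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeIncreaseQuotaPrivilege", "SeMachineAccountPrivilege", "SeTcbPrivilege",
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfileSingleProcessPrivilege",
    "SeIncreaseBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege",
    "SeDebugPrivilege", "SeAuditPrivilege", "SeSystemEnvironmentPrivilege",
    "SeChangeNotifyPrivilege", "SeRemoteShutdownPrivilege", "SeUndockPrivilege",
    "SeSyncAgentPrivilege", "SeEnableDelegationPrivilege", "SeManageVolumePrivilege",
    "SeImpersonatePrivilege", "SeCreateGlobalPrivilege", "SeTrustedCredManAccessPrivilege",
    "SeRelabelPrivilege", "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege",
    "SeCreateSymbolicLinkPrivilege", "SeDelegateSessionUserImpersonatePrivilege",
]

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_token_iocs(text):
    """Return (privilege, pid, image) tuples in the order the report lists them."""
    return [(priv, int(pid), image) for priv, pid, image in TOKEN_RE.findall(text)]


def privilege_name(token):
    """Resolve an entry the report printed as a bare LUID number; names pass through."""
    if token.isdigit():
        luid = int(token)
        if 2 <= luid < 2 + len(WELL_KNOWN_PRIVILEGES):
            return WELL_KNOWN_PRIVILEGES[luid - 2]
        return "LUID " + str(luid)
    return token


def summarise(iocs):
    """Per-PID Counter of resolved privilege names, so repeats collapse to counts."""
    out = {}
    for priv, pid, _image in iocs:
        out.setdefault(pid, Counter())[privilege_name(priv)] += 1
    return out


HIGH_IMPACT = ("SeDebugPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege",
               "SeRestorePrivilege", "SeTakeOwnershipPrivilege")


def looks_like_enable_all(privs):
    """True when the high-impact admin privileges appear together, the shape
    produced by enabling every privilege in an elevated token at once."""
    return all(p in privs for p in HIGH_IMPACT)


if __name__ == "__main__":
    for pid, counts in summarise(parse_token_iocs(REPORT_TEXT)).items():
        print(pid, "enable-all pattern:", looks_like_enable_all(counts))
        for name, n in counts.most_common():
            print("  ", name, n)
```

Feed it the full 64-entry run from the report and the counts simply triple, with SeDebugPrivilege at four; a process that enabled one or two specific privileges produces a short, uneven list instead, which is the distinction worth keying on.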
Suspicious use of WriteProcessMemory (42 IoCs)
Processes: d761f42a4df1938b43282d88e12c741a.exe (PID 3556) wrote to the memory of each of its 14 powershell.exe children, three IoCs per child.
Target PIDs in creation order: 4164, 1588, 3400, 4308, 2724, 5080, 3924, 1380, 4592, 4560, 584, 4992, 1136, 4600
This signature fires on the parent for every child it creates, including PID 5080, which has no other signatures; by itself it is not evidence of code injection, and the children run their plain Test-NetConnection command line with no sign of injected code elsewhere in the report.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe (level 1, PID 3556)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe"
  Signatures: Suspicious use of WriteProcessMemory

  14 children, all at level 2, all with the same image and command line:
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

  PID 4164: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  PID 1588: Suspicious behavior: EnumeratesProcesses
  PID 3400: Suspicious behavior: EnumeratesProcesses
  PID 4308: Suspicious behavior: EnumeratesProcesses
  PID 2724: Suspicious behavior: EnumeratesProcesses
  PID 5080: (no signatures)
  PID 3924: Suspicious behavior: EnumeratesProcesses
  PID 1380: Suspicious behavior: EnumeratesProcesses
  PID 4592: Suspicious behavior: EnumeratesProcesses
  PID 4560: Suspicious behavior: EnumeratesProcesses
  PID 584: Suspicious behavior: EnumeratesProcesses
  PID 4992: Suspicious behavior: EnumeratesProcesses
  PID 1136: Suspicious behavior: EnumeratesProcesses
  PID 4600: Suspicious behavior: EnumeratesProcesses

Two details worth noting. The image path and the command line disagree: the parent asked for System32\WindowsPowerShell\v1.0\powershell.exe, but the process that ran is the copy under SysWOW64. That is WoW64 file-system redirection, so the 12KB parent is a 32-bit executable and every child is the 32-bit PowerShell host. Second, Test-NetConnection with no arguments tests connectivity to internetbeacon.msedge.net, so the 14 children amount to repeated internet-reachability checks; no other network activity is listed in this report.
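The tree above (one parent in a user's Temp directory, fourteen identical powershell.exe children, a SysWOW64 image behind a System32 command line) is a pattern endpoint telemetry can catch without knowing the hash. The Python below is an added example, not part of the Triage report or of the sample: it reconstructs process-creation events from the PIDs and paths the report shows (the parent's own PPID of 1234 and all timestamps are assumed values) and runs three checks a detection engineer would write against Sysmon event 1 or equivalent data: WoW64 path redirection, a burst of identical children from one parent, and PowerShell launched by an executable living under AppData\Local\Temp.

```python
"""Detections over process-creation events, modelled on the process tree in
this report. Added example, not part of the Triage report or of the sample.
The events are constructed from the PIDs and paths the report shows; the
parent's own PPID (1234) and all timestamps are assumed values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float        # seconds since analysis start (assumed)
    pid: int
    ppid: int
    image: str       # image path that actually executed
    cmdline: str     # command line as supplied by the parent


PARENT = r"C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMDLINE = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection'
CHILD_PIDS = [4164, 1588, 3400, 4308, 2724, 5080, 3924, 1380, 4592, 4560, 584, 4992, 1136, 4600]

# Constructed event stream: parent first, then one child every two seconds.
EVENTS = [ProcEvent(0.0, 3556, 1234, PARENT, '"' + PARENT + '"')] + [
    ProcEvent(1.0 + 2.0 * i, pid, 3556, PS_IMAGE, PS_CMDLINE)
    for i, pid in enumerate(CHILD_PIDS)
]


def wow64_redirected(ev):
    """True when the parent asked for a System32 binary but the copy under
    SysWOW64 ran: file-system redirection, i.e. a 32-bit parent under WoW64."""
    return "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower()


def spawn_bursts(events, min_children=5, window=60.0):
    """Parents that started at least `min_children` children with the same
    image and command line within `window` seconds. Returns {ppid: burst size}."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev.ppid, ev.image, ev.cmdline)].append(ev.ts)
    hits = {}
    for (ppid, _image, _cmdline), times in groups.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):        # sliding window over start times
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_children:
            hits[ppid] = max(hits.get(ppid, 0), best)
    return hits


def powershell_from_temp(events):
    """PIDs of powershell.exe instances whose parent image lives under a
    user's AppData\\Local\\Temp directory."""
    by_pid = {ev.pid: ev for ev in events}
    found = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or not ev.image.lower().endswith("\\powershell.exe"):
            continue
        if "\\appdata\\local\\temp\\" in parent.image.lower():
            found.append(ev.pid)
    return found


if __name__ == "__main__":
    print("WoW64-redirected children:", [e.pid for e in EVENTS if wow64_redirected(e)])
    print("Spawn bursts (ppid -> size):", spawn_bursts(EVENTS))
    print("PowerShell launched from Temp:", powershell_from_temp(EVENTS))
```

The burst check keys on parent, image and command line together, so a build server starting many distinct commands does not trip it, while fourteen copies of the same Test-NetConnection line from one Temp-resident parent does. Tune `min_children` and `window` against your own baseline before deploying.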
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: 1712dab0a1bf4e9e3ff666b9c431550d
SHA1: 34d1dec8fa95f62c72cb3f92a22c13ad9eece10f
SHA256: 7184a35390c8d6549ef4ddf2909c8fc3446572229bb1788fe178332d80ebfa97
SHA512: 6ae29c37c11c851ed337afee3c3ad654593063e76df88a6974933e449ac8d86bfa005b9bf2e0ee29aad4647b8f8f32ac753587077fd745424be7f9765688e7b7
-
MD5: 1c33ff599b382b705675229c91fc2f99
SHA1: c20086746c14c5d57be9a3df47bd75fa77abe7e0
SHA256: d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a
SHA512: 5b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c
-
MD5: 28fd92ee77dca337d61b47cbd757d60c
SHA1: be5f44612ddab3ca36fa31fe2b065886f509f31b
SHA256: 56b08d2c7ea27f95f2c5379eff3c1dad7feed6174a0a2be4fb6f5f1cba02177d
SHA512: df49842f9d545413fda96e3355966e1c64bc10d5031e41402725f121ba9474c1250ac0c839239dec3fd52126ad0eee230a2b2056710ea380a4d076474e429767
-
MD5: d72777286401dbed67fd1c2703fac947
SHA1: d1c600a1dd8b349e2404d4dad0a0002f3e442ebb
SHA256: 4e2b0b4f436144965973c054ea207db8cb4f42d42ff6bce1fc7d0bf49b8fcad3
SHA512: f95fddb6273bfa8b8f5fc8484cea4c20109277f2c52d92d0c5917a6a863208d5c570c640aaeff0b316eef145ebff5e8c94bd4621c01ea484d4e6c624b6e8d01c
-
MD5: 752eecff888403570489a78d8680750f
SHA1: 3ad9a67522bd87de3b0fa2d2c767594c11a91635
SHA256: 278c708a48e2b12e3b04ed1e20f4cfeaeafd6d68150fd7bd1692eb8283bf9314
SHA512: d9245b4127d5f7f3b6e2cb9335ae33dc30bb77bb8d4b5c804a303a137c7bc04eda9a39adcc2765d233eee570e42f6b031073346f654b3fc32c82879ef22dfdce
-
MD5: f4f819c7e7c31107adc4cb7379c0060c
SHA1: 7d831a76ea481122047049f0c7625ce6124ae4f3
SHA256: dfd9a2f1807b9e766c2bc8758a4d331fe6a6a1a38ae6e929b2a4dd3611fdb5d8
SHA512: 7e85a95c4a5fef2c2e5afbc871e16d5f3432488ce26acd766c07f413207eb7fdd0897069cf3ec036b272013074193eb76818681794e08f93883cf0dbb86474ac
-
MD5: daa605ec5e31c5516917527c513b4076
SHA1: ec15b4043775afd611aca17e7979b9b9a4d7b276
SHA256: 93dbf87ca1ec9483e929250228f7ddd3a299cff22ab68940dd97cebd17966d6c
SHA512: 8fa456db2fc695f40fb3c7f9d69ed87d71b5aa2690c806fde353641d4fb7678dccad45063aca3f9e07477f526d536295b24fd447afde76c934a7a856dd339c32
-
MD5: dadfadaf1dd2aede6f0f1c56a4f16ceb
SHA1: b0e918bd8c36655a0f9b3455ef6015b72d8e4e1a
SHA256: c164717e238058227f0423aaef4f55979a6634889e7e30f522c01cbc30352cda
SHA512: 75895927b6eab70e774c06febf453ab106c2277f27c4e6bff7ff5a82a9cb73465d0d1a844de789d5776b30fd641a23cff111ec65305a03bb83018afb6adba53d
-
MD5: c9889b2e49b62ef4a8f7b16c530943de
SHA1: f780ca625ef74b2370f2026d61d2af14d51e1eaf
SHA256: f57c9632e9aed5eec41588485d88e840b7096e2b4631fe137cf44ced5f20a325
SHA512: 438fcfd63e072476bec8683e883446421145e3d5277f1518fd4269177cab13f0e779fcf065ac1613943abf4c7ffda2f5cd9520f0070fa70e5cf7b0e21bd7a2d3
-
MD5: bdd4e84c0bb9a2688c3e2275e26809fa
SHA1: 3db02d673b2deede4f423860e80204a8e2f4e102
SHA256: 1692398e8865cb745eb192cb47120f03e48a76777dfe8e40497adf1c29508fc7
SHA512: 3449a4866cb9b6aaae818c2c328ca3f53e6f2f4f3e58911e4829770bfef025fd22fa54df6ee8b0e98f5f7248295351f40f785c1703bd4a660b9ab6da58d591b6
-
MD5: 49ed0b6cb1a815dfdc6d45188255e990
SHA1: 572c5e403980fc8633919bc9eb61c588f9bd23cd
SHA256: 3e99f3824de5fd3bc17a00c436cf68add647f23124370c1ba16492173e1a3a4f
SHA512: 665d726d36fd654ac239210f4f19fe93af7a56b8a64a897d5f9ef6537866f3b45f79bd90bfd6be361f9b448ce279f978475e3812a09e21ecb9b8c5259a0d6e82
-
MD5: 1eaf67adaf75ad4500008cc2ccba0a75
SHA1: 1e7399b592820f8c10b31cb6559c1a32ebdb4653
SHA256: 5c576893514dc9a1d072bef3f91dd12bcfd0ec55678833a5fd90570bd652136e
SHA512: c92183dbf6f127c5d3332a5c52b73a12213a6d9fbdc334ffc4244b2042eef94f6bf1ff95dcb4033bf11db0e1dbdb477980871d5af230497537302c03f2f4f05c
-
MD5: 430bb2adc8a192a7ca428ca035126130
SHA1: 54e5d51d2780971a33e79fc5716ad09e2f88755e
SHA256: 0e14b878918b8c9a2abf383622adc7633baac1cc7330702611c6625ba98141b7
SHA512: 8ab53297a7c24817f9f0102ba7a70f02807206b051ce7ac507c5ea3c52f7ed7139072d44d056484268c6e0bb5ac3c45ae358688c80bb3b2809e5efb54dba8b3a
-
MD5: ff93134890bde08128013c82d129d474
SHA1: ce01da8bec31b430ab8ea6a88758c4396c30dba0
SHA256: a92c48f0454e6d6516e66497d74620865553d393a7b125e0c4c137f55665cc49
SHA512: 00d800357e12756b7481adb33a682d8aaafcc2fe1505d31e83c22f3ddbeb878ee02a3f69b85f728655c4cf605c60a3a3c49ee5f0317b7789f78d80a8131ee300