ae4880c5a68803603035f104e8adaea661841411738bd571341a4a3458a2fa9f

Analysis

Target

ae4880c5a68803603035f104e8adaea661841411738bd571341a4a3458a2fa9f.exe
Size

533KB
MD5

c2c43964cea610bcde9a71a9f83072ff
SHA1

bf3f54e6878bf2a5d96db2f90e0c4661b144fea0
SHA256

ae4880c5a68803603035f104e8adaea661841411738bd571341a4a3458a2fa9f
SHA512

15e599538ab2775a0296654d3487db7391871e0e2c153edfa34b436452c11cc22fb095e672f17106d31217671cc076e5db51e90caf12c5a100de68ba7ab91411

Score

6^/10

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

ae4880c5a68803603035f104e8adaea661841411738bd571341a4a3458a2fa9f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ae4880c5a68803603035f104e8adaea661841411738bd571341a4a3458a2fa9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ae4880c5a68803603035f104e8adaea661841411738bd571341a4a3458a2fa9f.exe

C:\Users\Admin\AppData\Local\Temp\ae4880c5a68803603035f104e8adaea661841411738bd571341a4a3458a2fa9f.exe
"C:\Users\Admin\AppData\Local\Temp\ae4880c5a68803603035f104e8adaea661841411738bd571341a4a3458a2fa9f.exe"
1⤵
- Checks processor information in registry
PID:2348

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

memory/2348-115-0x0000000002280000-0x000000000234F000-memory.dmp

Filesize
828KB

Download
memory/2348-116-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download