c3e1fb98c978c699c79b569c14c7bc41fce17a1846e9d66757ad579e3c97ceda

General

Target

bank TT slip.exe
Size

922KB
MD5

f92972c4d6cb28b350e6fa0ce897ebf2
SHA1

edb8413f28ccda47f892f0ecdb85d80f5412cd93
SHA256

c3e1fb98c978c699c79b569c14c7bc41fce17a1846e9d66757ad579e3c97ceda
SHA512

0d761dac89dba988763cb86bf756f0ea17f3e2eee1badf545491bb8b56090a955e0b6b10c11835638256ac7cb69c73e2ca489db35480271bc7f3c90e4e5e4ccb

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1852 schtasks.exe

pid	process
1852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

bank TT slip.exe

pid	process
1064	bank TT slip.exe
1064	bank TT slip.exe
1064	bank TT slip.exe
1064	bank TT slip.exe
1064	bank TT slip.exe
1064	bank TT slip.exe
1064	bank TT slip.exe
1064	bank TT slip.exe
1064	bank TT slip.exe
1064	bank TT slip.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bank TT slip.exe

description pid process

Token: SeDebugPrivilege 1064 bank TT slip.exe

description	pid	process
Token: SeDebugPrivilege	1064	bank TT slip.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

bank TT slip.exe

description	pid	process	target process
PID 1064 wrote to memory of 1852	1064	bank TT slip.exe	schtasks.exe
PID 1064 wrote to memory of 1852	1064	bank TT slip.exe	schtasks.exe
PID 1064 wrote to memory of 1852	1064	bank TT slip.exe	schtasks.exe
PID 1064 wrote to memory of 1852	1064	bank TT slip.exe	schtasks.exe
PID 1064 wrote to memory of 1372	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 1372	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 1372	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 1372	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 932	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 932	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 932	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 932	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 864	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 864	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 864	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 864	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 408	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 408	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 408	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 408	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 812	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 812	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 812	1064	bank TT slip.exe	bank TT slip.exe
PID 1064 wrote to memory of 812	1064	bank TT slip.exe	bank TT slip.exe

C:\Users\Admin\AppData\Local\Temp\bank TT slip.exe
"C:\Users\Admin\AppData\Local\Temp\bank TT slip.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fzoFhfGhuG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6680.tmp"
2⤵
- Creates scheduled task(s)
PID:1852

C:\Users\Admin\AppData\Local\Temp\bank TT slip.exe
"{path}"
2⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\bank TT slip.exe
"{path}"
2⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\bank TT slip.exe
"{path}"
2⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\bank TT slip.exe
"{path}"
2⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\bank TT slip.exe
"{path}"
2⤵
PID:812

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6680.tmp
MD5
e153b2fb476e57b7030a797778b91396

SHA1
b4285201dd40f37779402f913f3836c530733bc2

SHA256
85f46bd8e348306cd4bef8773625deca8b23b30114047a4245c2745ae43cfa64

SHA512
dd19dbcb529fbd638e7b8de7fc62110c2fcd30d5c042054dea85e33773713c370dd1d08a6efb3f3d96acf04585aa1bee22934736103e658b1da5e46643d0c69d

Download Submit
memory/1064-55-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1064-57-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/1064-58-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/1064-59-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/1064-60-0x0000000005C50000-0x0000000005CD0000-memory.dmp

Filesize
512KB

Download
memory/1064-61-0x0000000000620000-0x0000000000658000-memory.dmp

Filesize
224KB

Download
memory/1852-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads