8b0d359eb8167b044bf25b943820a3b71e94bc3f0c26d9ba295dee1df014a7c0

General

Target

RansomWare.exe
Size

158KB
MD5

d3c355a11849cbd0d4f3937a79c81c96
SHA1

bdc7567d33da81654395d8fefc7500d124d87a31
SHA256

8b0d359eb8167b044bf25b943820a3b71e94bc3f0c26d9ba295dee1df014a7c0
SHA512

a9091d36341135e74ba7918bc1f1f3960d8d1e049361ccea700662311bdbaa6e8c23a224ca0d640c596d5f8b269839e50104de5e5f96fcfe57ef8523d8a0ce7d

Score

8^/10

evasion

Drops desktop.ini file(s) 4 IoCs

Processes:

RansomWare.exe

description	ioc	process
File created	C:\Users\Admin\Desktop\desktop.ini	RansomWare.exe
File created	C:\Users\Admin\Pictures\desktop.ini	RansomWare.exe
File created	C:\Users\Admin\Videos\desktop.ini	RansomWare.exe
File created	C:\Users\Admin\Documents\desktop.ini	RansomWare.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

RansomWare.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

RansomWare.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	956	RansomWare.exe
Token: 33	1748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1748	AUDIODG.EXE
Token: 33	1748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1748	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

RansomWare.exe

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

memory/956-55-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/956-57-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/956-58-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/956-59-0x00000000009C5000-0x00000000009D6000-memory.dmp

Filesize
68KB

Download
memory/1760-60-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download