0fc52ab540452b524dadb3a7dbcd2a7f1c2d5c553229d77cfbff0d800f8c0f44

Analysis

Target

0fc52ab540452b524dadb3a7dbcd2a7f1c2d5c553229d77cfbff0d800f8c0f44.exe
Size

3.1MB
MD5

368b0fb9d3ecf41b8d013c4d1fa7c0e5
SHA1

a38c5270ef62704a0b9653f301b75216bcdf527d
SHA256

0fc52ab540452b524dadb3a7dbcd2a7f1c2d5c553229d77cfbff0d800f8c0f44
SHA512

cabb1fd33f67ec77272cad53651f98f6dc6e335e87f10e88d8a0dc4e85b2e2f8e8c8097c02909b6ea22aa9df5a18b3835d93b3c32ebcf468a3533becbe76087a

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1192	PerfomanceKit.exe

Loads dropped DLL 1 IoCs

pid	Process
1192	PerfomanceKit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1192	2500	0fc52ab540452b524dadb3a7dbcd2a7f1c2d5c553229d77cfbff0d800f8c0f44.exe	68
PID 2500 wrote to memory of 1192	2500	0fc52ab540452b524dadb3a7dbcd2a7f1c2d5c553229d77cfbff0d800f8c0f44.exe	68
PID 2500 wrote to memory of 1192	2500	0fc52ab540452b524dadb3a7dbcd2a7f1c2d5c553229d77cfbff0d800f8c0f44.exe	68

C:\Users\Admin\AppData\Local\Temp\0fc52ab540452b524dadb3a7dbcd2a7f1c2d5c553229d77cfbff0d800f8c0f44.exe
"C:\Users\Admin\AppData\Local\Temp\0fc52ab540452b524dadb3a7dbcd2a7f1c2d5c553229d77cfbff0d800f8c0f44.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Programs\MariaDBPerfomanceKit\PerfomanceKit.exe
  C:\Users\Admin\AppData\Local\Programs\MariaDBPerfomanceKit\PerfomanceKit.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1192

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact