a0255bd8a15446c39c4c32dceab9116c541583938022f13d3846012b9ee4c65f

General

Target

SKM-210221.exe
Size

17KB
MD5

5da85385325f5290a7fae0141809a615
SHA1

0e8d69936b68f66f5cf795b3318b0c13d62c54ac
SHA256

a0255bd8a15446c39c4c32dceab9116c541583938022f13d3846012b9ee4c65f
SHA512

e76b802796a29de2600aa4e8f1fad73945a624d0d8289af9c20e3c1cd2f6b475b4fc99989e29c4b7f8da0652e36b61b3de4811fa9491fa4d89e633bab36d6cce

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 14 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3380	timeout.exe
1092	timeout.exe
3512	timeout.exe
2084	timeout.exe
3928	timeout.exe
3616	timeout.exe
2128	timeout.exe
2348	timeout.exe
2988	timeout.exe
688	timeout.exe
2880	timeout.exe
4056	timeout.exe
516	timeout.exe
960	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SKM-210221.exe

description pid process

Token: SeDebugPrivilege 668 SKM-210221.exe

description	pid	process
Token: SeDebugPrivilege	668	SKM-210221.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SKM-210221.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 668 wrote to memory of 2288	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 2288	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 2288	668	SKM-210221.exe	cmd.exe
PID 2288 wrote to memory of 1092	2288	cmd.exe	timeout.exe
PID 2288 wrote to memory of 1092	2288	cmd.exe	timeout.exe
PID 2288 wrote to memory of 1092	2288	cmd.exe	timeout.exe
PID 668 wrote to memory of 1212	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 1212	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 1212	668	SKM-210221.exe	cmd.exe
PID 1212 wrote to memory of 3512	1212	cmd.exe	timeout.exe
PID 1212 wrote to memory of 3512	1212	cmd.exe	timeout.exe
PID 1212 wrote to memory of 3512	1212	cmd.exe	timeout.exe
PID 668 wrote to memory of 828	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 828	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 828	668	SKM-210221.exe	cmd.exe
PID 828 wrote to memory of 516	828	cmd.exe	timeout.exe
PID 828 wrote to memory of 516	828	cmd.exe	timeout.exe
PID 828 wrote to memory of 516	828	cmd.exe	timeout.exe
PID 668 wrote to memory of 3980	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 3980	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 3980	668	SKM-210221.exe	cmd.exe
PID 3980 wrote to memory of 3616	3980	cmd.exe	timeout.exe
PID 3980 wrote to memory of 3616	3980	cmd.exe	timeout.exe
PID 3980 wrote to memory of 3616	3980	cmd.exe	timeout.exe
PID 668 wrote to memory of 1828	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 1828	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 1828	668	SKM-210221.exe	cmd.exe
PID 1828 wrote to memory of 960	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 960	1828	cmd.exe	timeout.exe
PID 1828 wrote to memory of 960	1828	cmd.exe	timeout.exe
PID 668 wrote to memory of 2088	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 2088	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 2088	668	SKM-210221.exe	cmd.exe
PID 2088 wrote to memory of 2348	2088	cmd.exe	timeout.exe
PID 2088 wrote to memory of 2348	2088	cmd.exe	timeout.exe
PID 2088 wrote to memory of 2348	2088	cmd.exe	timeout.exe
PID 668 wrote to memory of 3460	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 3460	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 3460	668	SKM-210221.exe	cmd.exe
PID 3460 wrote to memory of 2128	3460	cmd.exe	timeout.exe
PID 3460 wrote to memory of 2128	3460	cmd.exe	timeout.exe
PID 3460 wrote to memory of 2128	3460	cmd.exe	timeout.exe
PID 668 wrote to memory of 2028	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 2028	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 2028	668	SKM-210221.exe	cmd.exe
PID 2028 wrote to memory of 2084	2028	cmd.exe	timeout.exe
PID 2028 wrote to memory of 2084	2028	cmd.exe	timeout.exe
PID 2028 wrote to memory of 2084	2028	cmd.exe	timeout.exe
PID 668 wrote to memory of 2740	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 2740	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 2740	668	SKM-210221.exe	cmd.exe
PID 2740 wrote to memory of 2988	2740	cmd.exe	timeout.exe
PID 2740 wrote to memory of 2988	2740	cmd.exe	timeout.exe
PID 2740 wrote to memory of 2988	2740	cmd.exe	timeout.exe
PID 668 wrote to memory of 3488	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 3488	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 3488	668	SKM-210221.exe	cmd.exe
PID 3488 wrote to memory of 3928	3488	cmd.exe	timeout.exe
PID 3488 wrote to memory of 3928	3488	cmd.exe	timeout.exe
PID 3488 wrote to memory of 3928	3488	cmd.exe	timeout.exe
PID 668 wrote to memory of 904	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 904	668	SKM-210221.exe	cmd.exe
PID 668 wrote to memory of 904	668	SKM-210221.exe	cmd.exe
PID 904 wrote to memory of 688	904	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\SKM-210221.exe
"C:\Users\Admin\AppData\Local\Temp\SKM-210221.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:1092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:3512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:3616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:2348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:2128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:2988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:3928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
PID:1908

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:2880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
PID:3152

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:3380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 10
2⤵
PID:3808

C:\Windows\SysWOW64\timeout.exe
timeout 10
3⤵
- Delays execution with timeout.exe
PID:4056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-115-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/668-116-0x0000000005030000-0x000000000552E000-memory.dmp

Filesize
5.0MB

Download
memory/668-117-0x0000000004B30000-0x000000000502E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing