f06b116d8af2db4ae345ed7c9596865c3476d401ff7d52b0a45478847f053ff1

General

Target

sample13.exe
Size

37KB
MD5

2c7d4e78f74cc716f23492ad19daf763
SHA1

6ef7bfe52f66fb204b401aa7d280df124f3fa0e2
SHA256

f06b116d8af2db4ae345ed7c9596865c3476d401ff7d52b0a45478847f053ff1
SHA512

2e503be1721f52bffd2d426ed1fa24a7f8f412a78c15db4ec7fbff1df97622c3e1a540a1e1f45d4630faa8a7d5a565ba2cb9c4e713d3bc7a3e11cb50c9a613e8

Score

10^/10

logger

Malware Config

Signatures

Detect A310Logger 1 IoCs

Detect A310Logger SpyEx Variant.

logger

Processes:

resource	yara_rule
behavioral1/memory/980-54-0x0000000000350000-0x0000000000360000-memory.dmp	family_spyex

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1424 powershell.exe
1028 powershell.exe
1428 powershell.exe
1964 powershell.exe

pid	process
1424	powershell.exe
1028	powershell.exe
1428	powershell.exe
1964	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeIncreaseQuotaPrivilege	1428	powershell.exe
Token: SeSecurityPrivilege	1428	powershell.exe
Token: SeTakeOwnershipPrivilege	1428	powershell.exe
Token: SeLoadDriverPrivilege	1428	powershell.exe
Token: SeSystemProfilePrivilege	1428	powershell.exe
Token: SeSystemtimePrivilege	1428	powershell.exe
Token: SeProfSingleProcessPrivilege	1428	powershell.exe
Token: SeIncBasePriorityPrivilege	1428	powershell.exe
Token: SeCreatePagefilePrivilege	1428	powershell.exe
Token: SeBackupPrivilege	1428	powershell.exe
Token: SeRestorePrivilege	1428	powershell.exe
Token: SeShutdownPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeSystemEnvironmentPrivilege	1428	powershell.exe
Token: SeRemoteShutdownPrivilege	1428	powershell.exe
Token: SeUndockPrivilege	1428	powershell.exe
Token: SeManageVolumePrivilege	1428	powershell.exe
Token: 33	1428	powershell.exe
Token: 34	1428	powershell.exe
Token: 35	1428	powershell.exe
Token: SeIncreaseQuotaPrivilege	1028	powershell.exe
Token: SeSecurityPrivilege	1028	powershell.exe
Token: SeTakeOwnershipPrivilege	1028	powershell.exe
Token: SeLoadDriverPrivilege	1028	powershell.exe
Token: SeSystemProfilePrivilege	1028	powershell.exe
Token: SeSystemtimePrivilege	1028	powershell.exe
Token: SeProfSingleProcessPrivilege	1028	powershell.exe
Token: SeIncBasePriorityPrivilege	1028	powershell.exe
Token: SeCreatePagefilePrivilege	1028	powershell.exe
Token: SeBackupPrivilege	1028	powershell.exe
Token: SeRestorePrivilege	1028	powershell.exe
Token: SeShutdownPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeSystemEnvironmentPrivilege	1028	powershell.exe
Token: SeRemoteShutdownPrivilege	1028	powershell.exe
Token: SeUndockPrivilege	1028	powershell.exe
Token: SeManageVolumePrivilege	1028	powershell.exe
Token: 33	1028	powershell.exe
Token: 34	1028	powershell.exe
Token: 35	1028	powershell.exe
Token: SeIncreaseQuotaPrivilege	1424	powershell.exe
Token: SeSecurityPrivilege	1424	powershell.exe
Token: SeTakeOwnershipPrivilege	1424	powershell.exe
Token: SeLoadDriverPrivilege	1424	powershell.exe
Token: SeSystemProfilePrivilege	1424	powershell.exe
Token: SeSystemtimePrivilege	1424	powershell.exe
Token: SeProfSingleProcessPrivilege	1424	powershell.exe
Token: SeIncBasePriorityPrivilege	1424	powershell.exe
Token: SeCreatePagefilePrivilege	1424	powershell.exe
Token: SeBackupPrivilege	1424	powershell.exe
Token: SeRestorePrivilege	1424	powershell.exe
Token: SeShutdownPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeSystemEnvironmentPrivilege	1424	powershell.exe
Token: SeRemoteShutdownPrivilege	1424	powershell.exe
Token: SeUndockPrivilege	1424	powershell.exe
Token: SeManageVolumePrivilege	1424	powershell.exe
Token: 33	1424	powershell.exe
Token: 34	1424	powershell.exe
Token: 35	1424	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

sample13.exe

description	pid	process	target process
PID 980 wrote to memory of 1028	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1028	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1028	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1028	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1428	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1428	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1428	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1428	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1424	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1424	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1424	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1424	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1964	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1964	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1964	980	sample13.exe	powershell.exe
PID 980 wrote to memory of 1964	980	sample13.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\sample13.exe
"C:\Users\Admin\AppData\Local\Temp\sample13.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
5eb290af8c2d4b90f98e8e1c608c9130

SHA1
0b0480d8bd4c2ff613588d72e60098e78d8f6309

SHA256
37ce320ca61753b573e20c952223820117c44ae3cec4a8b1c3ba6e3bdaed813a

SHA512
093e95ba358805cedb7705da16db291614913a4890eda7179204d43784f6cbbc247e59979def23a50ac9dd690649c6649580f2f37a9cd4697048d0b773d672f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
5eb290af8c2d4b90f98e8e1c608c9130

SHA1
0b0480d8bd4c2ff613588d72e60098e78d8f6309

SHA256
37ce320ca61753b573e20c952223820117c44ae3cec4a8b1c3ba6e3bdaed813a

SHA512
093e95ba358805cedb7705da16db291614913a4890eda7179204d43784f6cbbc247e59979def23a50ac9dd690649c6649580f2f37a9cd4697048d0b773d672f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
5eb290af8c2d4b90f98e8e1c608c9130

SHA1
0b0480d8bd4c2ff613588d72e60098e78d8f6309

SHA256
37ce320ca61753b573e20c952223820117c44ae3cec4a8b1c3ba6e3bdaed813a

SHA512
093e95ba358805cedb7705da16db291614913a4890eda7179204d43784f6cbbc247e59979def23a50ac9dd690649c6649580f2f37a9cd4697048d0b773d672f8

Download Submit
memory/980-55-0x00000000751B1000-0x00000000751B3000-memory.dmp

Filesize
8KB

Download
memory/980-56-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/980-54-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/980-77-0x0000000004E85000-0x0000000004E96000-memory.dmp

Filesize
68KB

Download
memory/1028-68-0x0000000002410000-0x000000000305A000-memory.dmp

Filesize
12.3MB

Download
memory/1424-66-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1424-69-0x00000000022D1000-0x00000000022D2000-memory.dmp

Filesize
4KB

Download
memory/1424-71-0x00000000022D2000-0x00000000022D4000-memory.dmp

Filesize
8KB

Download
memory/1428-67-0x0000000002440000-0x000000000308A000-memory.dmp

Filesize
12.3MB

Download
memory/1428-70-0x0000000002440000-0x000000000308A000-memory.dmp

Filesize
12.3MB

Download
memory/1964-76-0x00000000024E0000-0x000000000312A000-memory.dmp

Filesize
12.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads