f06b116d8af2db4ae345ed7c9596865c3476d401ff7d52b0a45478847f053ff1

General

Target

sample13.exe
Size

37KB
MD5

2c7d4e78f74cc716f23492ad19daf763
SHA1

6ef7bfe52f66fb204b401aa7d280df124f3fa0e2
SHA256

f06b116d8af2db4ae345ed7c9596865c3476d401ff7d52b0a45478847f053ff1
SHA512

2e503be1721f52bffd2d426ed1fa24a7f8f412a78c15db4ec7fbff1df97622c3e1a540a1e1f45d4630faa8a7d5a565ba2cb9c4e713d3bc7a3e11cb50c9a613e8

Score

10^/10

logger

Malware Config

Signatures

Detect A310Logger 1 IoCs

Detect A310Logger SpyEx Variant.

logger

Processes:

resource	yara_rule
behavioral2/memory/2836-117-0x0000000000340000-0x0000000000350000-memory.dmp	family_spyex

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
384	powershell.exe
3200	powershell.exe
908	powershell.exe
384	powershell.exe
908	powershell.exe
3200	powershell.exe
908	powershell.exe
384	powershell.exe
3200	powershell.exe
1912	powershell.exe
1912	powershell.exe
1912	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeIncreaseQuotaPrivilege	384	powershell.exe
Token: SeSecurityPrivilege	384	powershell.exe
Token: SeTakeOwnershipPrivilege	384	powershell.exe
Token: SeLoadDriverPrivilege	384	powershell.exe
Token: SeSystemProfilePrivilege	384	powershell.exe
Token: SeSystemtimePrivilege	384	powershell.exe
Token: SeProfSingleProcessPrivilege	384	powershell.exe
Token: SeIncBasePriorityPrivilege	384	powershell.exe
Token: SeCreatePagefilePrivilege	384	powershell.exe
Token: SeBackupPrivilege	384	powershell.exe
Token: SeRestorePrivilege	384	powershell.exe
Token: SeShutdownPrivilege	384	powershell.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeSystemEnvironmentPrivilege	384	powershell.exe
Token: SeRemoteShutdownPrivilege	384	powershell.exe
Token: SeUndockPrivilege	384	powershell.exe
Token: SeManageVolumePrivilege	384	powershell.exe
Token: 33	384	powershell.exe
Token: 34	384	powershell.exe
Token: 35	384	powershell.exe
Token: 36	384	powershell.exe
Token: SeIncreaseQuotaPrivilege	3200	powershell.exe
Token: SeSecurityPrivilege	3200	powershell.exe
Token: SeTakeOwnershipPrivilege	3200	powershell.exe
Token: SeLoadDriverPrivilege	3200	powershell.exe
Token: SeSystemProfilePrivilege	3200	powershell.exe
Token: SeSystemtimePrivilege	3200	powershell.exe
Token: SeProfSingleProcessPrivilege	3200	powershell.exe
Token: SeIncBasePriorityPrivilege	3200	powershell.exe
Token: SeCreatePagefilePrivilege	3200	powershell.exe
Token: SeBackupPrivilege	3200	powershell.exe
Token: SeRestorePrivilege	3200	powershell.exe
Token: SeShutdownPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeSystemEnvironmentPrivilege	3200	powershell.exe
Token: SeRemoteShutdownPrivilege	3200	powershell.exe
Token: SeUndockPrivilege	3200	powershell.exe
Token: SeManageVolumePrivilege	3200	powershell.exe
Token: 33	3200	powershell.exe
Token: 34	3200	powershell.exe
Token: 35	3200	powershell.exe
Token: 36	3200	powershell.exe
Token: SeIncreaseQuotaPrivilege	908	powershell.exe
Token: SeSecurityPrivilege	908	powershell.exe
Token: SeTakeOwnershipPrivilege	908	powershell.exe
Token: SeLoadDriverPrivilege	908	powershell.exe
Token: SeSystemProfilePrivilege	908	powershell.exe
Token: SeSystemtimePrivilege	908	powershell.exe
Token: SeProfSingleProcessPrivilege	908	powershell.exe
Token: SeIncBasePriorityPrivilege	908	powershell.exe
Token: SeCreatePagefilePrivilege	908	powershell.exe
Token: SeBackupPrivilege	908	powershell.exe
Token: SeRestorePrivilege	908	powershell.exe
Token: SeShutdownPrivilege	908	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeSystemEnvironmentPrivilege	908	powershell.exe
Token: SeRemoteShutdownPrivilege	908	powershell.exe
Token: SeUndockPrivilege	908	powershell.exe
Token: SeManageVolumePrivilege	908	powershell.exe
Token: 33	908	powershell.exe
Token: 34	908	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

sample13.exe

description	pid	process	target process
PID 2836 wrote to memory of 908	2836	sample13.exe	powershell.exe
PID 2836 wrote to memory of 908	2836	sample13.exe	powershell.exe
PID 2836 wrote to memory of 908	2836	sample13.exe	powershell.exe
PID 2836 wrote to memory of 3200	2836	sample13.exe	powershell.exe
PID 2836 wrote to memory of 3200	2836	sample13.exe	powershell.exe
PID 2836 wrote to memory of 3200	2836	sample13.exe	powershell.exe
PID 2836 wrote to memory of 384	2836	sample13.exe	powershell.exe
PID 2836 wrote to memory of 384	2836	sample13.exe	powershell.exe
PID 2836 wrote to memory of 384	2836	sample13.exe	powershell.exe
PID 2836 wrote to memory of 1912	2836	sample13.exe	powershell.exe
PID 2836 wrote to memory of 1912	2836	sample13.exe	powershell.exe
PID 2836 wrote to memory of 1912	2836	sample13.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\sample13.exe
"C:\Users\Admin\AppData\Local\Temp\sample13.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
293e8e2fe37c070ace055d60c9830b13

SHA1
7ed2950ee901557b207b1a0920c5aaf1c59aa048

SHA256
3dfe2be9803a4f1e43eaff3c75b8a9131e9f462e1d3b376bf84bb282aeceaa0f

SHA512
116e6355659529387c984f46b7c9189d596d563ed1d0f12dc05f9c70fd59926cfc04aa8a1ce76f141fd3890ec245a4eac67f11d7e0a40df42b3343ef9a398127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1996225baaec5579b9636ea31c0e0794

SHA1
959d90cdb09e385c2a9233c52a6d89cc15c468f2

SHA256
4aa98df170a7a27b93771b97bdb0be4954c1439c8db3006b8e09bbd600669f09

SHA512
294be1d1da1154b34350d31b5a36df17ee7d15e98b27625de9c222647679b419d3cfad717d1c39be941841eb1f589ec297293f78c7830933a50a8772aba81604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
74dd88e9a044ba8187bcbc8b7c4f263f

SHA1
ec02f771ee9e773be897bfbced7641f7289691a3

SHA256
4d59a7d75a0cc49a6819cb7b871b9341ddc93ece922ba2d9c8704a8ef6370160

SHA512
83ca0f2336358d9fd8ad92feb6953b90eabe8fa39d4092f7ccac6dbf83bd217b8cd25fcae718071d46ae60dcd74665a77abbcb8719041fe6cbb08224a1817523

Download Submit
memory/384-136-0x00000000075F0000-0x0000000007612000-memory.dmp

Filesize
136KB

Download
memory/384-132-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/384-163-0x00000000071C3000-0x00000000071C4000-memory.dmp

Filesize
4KB

Download
memory/384-133-0x00000000071C2000-0x00000000071C3000-memory.dmp

Filesize
4KB

Download
memory/384-157-0x0000000009520000-0x0000000009542000-memory.dmp

Filesize
136KB

Download
memory/384-155-0x00000000097F0000-0x0000000009884000-memory.dmp

Filesize
592KB

Download
memory/908-130-0x0000000003510000-0x0000000003536000-memory.dmp

Filesize
152KB

Download
memory/908-162-0x0000000003510000-0x0000000003536000-memory.dmp

Filesize
152KB

Download
memory/908-138-0x0000000007980000-0x00000000079E6000-memory.dmp

Filesize
408KB

Download
memory/908-139-0x0000000008350000-0x00000000086A0000-memory.dmp

Filesize
3.3MB

Download
memory/908-140-0x0000000008150000-0x000000000816C000-memory.dmp

Filesize
112KB

Download
memory/908-128-0x0000000004F40000-0x0000000004F76000-memory.dmp

Filesize
216KB

Download
memory/908-129-0x0000000007A80000-0x00000000080A8000-memory.dmp

Filesize
6.2MB

Download
memory/908-135-0x0000000003510000-0x0000000003536000-memory.dmp

Filesize
152KB

Download
memory/908-156-0x00000000098E0000-0x00000000098FA000-memory.dmp

Filesize
104KB

Download
memory/1912-311-0x0000000007890000-0x0000000007BE0000-memory.dmp

Filesize
3.3MB

Download
memory/1912-313-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/1912-344-0x0000000001173000-0x0000000001174000-memory.dmp

Filesize
4KB

Download
memory/1912-314-0x0000000001172000-0x0000000001173000-memory.dmp

Filesize
4KB

Download
memory/2836-120-0x0000000004B30000-0x000000000502E000-memory.dmp

Filesize
5.0MB

Download
memory/2836-121-0x0000000004B80000-0x0000000004B8A000-memory.dmp

Filesize
40KB

Download
memory/2836-117-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/2836-119-0x0000000004BD0000-0x0000000004C62000-memory.dmp

Filesize
584KB

Download
memory/2836-118-0x0000000005030000-0x000000000552E000-memory.dmp

Filesize
5.0MB

Download
memory/2836-394-0x0000000004B30000-0x000000000502E000-memory.dmp

Filesize
5.0MB

Download
memory/3200-131-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/3200-142-0x0000000008240000-0x00000000082B6000-memory.dmp

Filesize
472KB

Download
memory/3200-141-0x00000000079B0000-0x00000000079FB000-memory.dmp

Filesize
300KB

Download
memory/3200-137-0x0000000007760000-0x00000000077C6000-memory.dmp

Filesize
408KB

Download
memory/3200-173-0x000000000A2B0000-0x000000000A928000-memory.dmp

Filesize
6.5MB

Download
memory/3200-164-0x00000000012E3000-0x00000000012E4000-memory.dmp

Filesize
4KB

Download
memory/3200-134-0x00000000012E2000-0x00000000012E3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads