0a70a884c4386a12cd5dcb5b8a6db76f4deff1a39ccaa178f71cfa600619db88

Analysis

Target

0A70A884C4386A12CD5DCB5B8A6DB76F4DEFF1A39CCAA.exe
Size

718KB
MD5

e418beb7300b3d82e35d020fca955340
SHA1

42dfb1ed5e837dab445fa9cdb24caa641a17b94c
SHA256

0a70a884c4386a12cd5dcb5b8a6db76f4deff1a39ccaa178f71cfa600619db88
SHA512

b83e638525845c6f55c0e82a0f245fa8ee4ac8dff2d871696f7762686d9458dabc2c9b33b5be1b557765181c6385010c67c1f6dfc9d0f0c872e78eb04db1f2fb

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1204 schtasks.exe

pid	process
1204	schtasks.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0A70A884C4386A12CD5DCB5B8A6DB76F4DEFF1A39CCAA.exe

description	pid	process	target process
PID 1740 wrote to memory of 1204	1740	0A70A884C4386A12CD5DCB5B8A6DB76F4DEFF1A39CCAA.exe	schtasks.exe
PID 1740 wrote to memory of 1204	1740	0A70A884C4386A12CD5DCB5B8A6DB76F4DEFF1A39CCAA.exe	schtasks.exe
PID 1740 wrote to memory of 1204	1740	0A70A884C4386A12CD5DCB5B8A6DB76F4DEFF1A39CCAA.exe	schtasks.exe
PID 1740 wrote to memory of 1204	1740	0A70A884C4386A12CD5DCB5B8A6DB76F4DEFF1A39CCAA.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0A70A884C4386A12CD5DCB5B8A6DB76F4DEFF1A39CCAA.exe
"C:\Users\Admin\AppData\Local\Temp\0A70A884C4386A12CD5DCB5B8A6DB76F4DEFF1A39CCAA.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HGYxBLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6114.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1204

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\tmp6114.tmp

MD5
69da22d707b566afcc4ee9a41bcf6d6d

SHA1
8570ebfc7877b1e27f64f185881907705b6ce168

SHA256
25cbda4ada9deb0c1d201143137157c75fdfbdd2feb46f2787b9df661cb2b7bb

SHA512
4aea85c966cce1d2d2b2e8222bb349be47b081a3a67985f0131fc327adc4c87c8459f2a6615071dcf035e0b82033d1e8be26f136b45502d6c3f6203b00a5350a

Download Submit
memory/1740-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1740-56-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1740-59-0x0000000000CF1000-0x0000000000CF2000-memory.dmp

Filesize
4KB

Download