0377503f9ea4c7434be2f46af869900b9839be33121edcbdeeae9b8d8e0cdcce

General

Target

26663089f8c68e799360aedc5b1a0b30.exe
Size

480KB
MD5

26663089f8c68e799360aedc5b1a0b30
SHA1

ba7a6cbc65e8112e06bac1bd9f82eeeaa60df7bf
SHA256

0377503f9ea4c7434be2f46af869900b9839be33121edcbdeeae9b8d8e0cdcce
SHA512

3ba6184a8e92bc235066f7bb6f6234feb83109393961d0db76a303f3ed7d2517e2dc57f0b8e0969297aa1e7d4b83bf4a0f7c6d13cd95e74c857a56254a5e1e82

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

824 schtasks.exe

pid	process
824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

26663089f8c68e799360aedc5b1a0b30.exepowershell.exe

pid	process
1488	26663089f8c68e799360aedc5b1a0b30.exe
1488	26663089f8c68e799360aedc5b1a0b30.exe
1488	26663089f8c68e799360aedc5b1a0b30.exe
1488	26663089f8c68e799360aedc5b1a0b30.exe
1488	26663089f8c68e799360aedc5b1a0b30.exe
1556	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

26663089f8c68e799360aedc5b1a0b30.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1488 26663089f8c68e799360aedc5b1a0b30.exe
Token: SeDebugPrivilege 1556 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1488	26663089f8c68e799360aedc5b1a0b30.exe
Token: SeDebugPrivilege	1556	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

26663089f8c68e799360aedc5b1a0b30.exe

C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe
"C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wuASGd.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wuASGd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3987.tmp"
2⤵
- Creates scheduled task(s)
PID:824

C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe
"C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe"
2⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe
"C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe"
2⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe
"C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe"
2⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe
"C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe"
2⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe
"C:\Users\Admin\AppData\Local\Temp\26663089f8c68e799360aedc5b1a0b30.exe"
2⤵
PID:1560

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3987.tmp
MD5
c068986dd94ebc3796d4fa109424c055

SHA1
66c72a5d1b90b4c2f9a4a389fbec3ac62882d7d0

SHA256
fe939d6782eabf570af34e0e87f74b8c2873ff9c359a101805b8b4f2a82a492e

SHA512
ecc1ba5d6ee4d2ff6a50dea23ea19acda5172a18766da52169f80062b072bbb749a2faedd57ab83e78b30db62e88da7c3351b4002ab4c915a3e2b1bdb20804ab

Download Submit
memory/1488-55-0x00000000003A0000-0x000000000041E000-memory.dmp

Filesize
504KB

Download
memory/1488-56-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1488-57-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1488-58-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/1488-59-0x0000000004CC0000-0x0000000004D1E000-memory.dmp

Filesize
376KB

Download
memory/1556-62-0x00000000025D0000-0x000000000321A000-memory.dmp

Filesize
12.3MB

Download
memory/1556-63-0x00000000025D0000-0x000000000321A000-memory.dmp

Filesize
12.3MB

Download
memory/1556-64-0x00000000025D0000-0x000000000321A000-memory.dmp

Filesize
12.3MB

Download

description	pid	process	target process
PID 1488 wrote to memory of 1556	1488	26663089f8c68e799360aedc5b1a0b30.exe	powershell.exe
PID 1488 wrote to memory of 1556	1488	26663089f8c68e799360aedc5b1a0b30.exe	powershell.exe
PID 1488 wrote to memory of 1556	1488	26663089f8c68e799360aedc5b1a0b30.exe	powershell.exe
PID 1488 wrote to memory of 1556	1488	26663089f8c68e799360aedc5b1a0b30.exe	powershell.exe
PID 1488 wrote to memory of 824	1488	26663089f8c68e799360aedc5b1a0b30.exe	schtasks.exe
PID 1488 wrote to memory of 824	1488	26663089f8c68e799360aedc5b1a0b30.exe	schtasks.exe
PID 1488 wrote to memory of 824	1488	26663089f8c68e799360aedc5b1a0b30.exe	schtasks.exe
PID 1488 wrote to memory of 824	1488	26663089f8c68e799360aedc5b1a0b30.exe	schtasks.exe
PID 1488 wrote to memory of 1216	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1216	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1216	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1216	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 848	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 848	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 848	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 848	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1144	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1144	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1144	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1144	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1824	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1824	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1824	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1824	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1560	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1560	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1560	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe
PID 1488 wrote to memory of 1560	1488	26663089f8c68e799360aedc5b1a0b30.exe	26663089f8c68e799360aedc5b1a0b30.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads