Overview

overview

10

Static

static

MMMMMUTYYY...3X.exe

windows7_x64

3

MMMMMUTYYY...3X.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    56s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    03-02-2022 07:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MMMMMUTYYYtrhOmoE27QSJu3X.exe

  • Size

    796KB

  • MD5

    acaf6ded35d9b26f5ad943f1cb9f7cae

  • SHA1

    989f2c4d4cca185d62a20e6db00a8451691118d1

  • SHA256

    b070101a217e99f96198bed4917fe82d36f39bb227674e04ddded3faaa3eb289

  • SHA512

    99ce6c746e3a0f7175a7c5c77bb3c50a68ceca15a80f69162c759d40872653767a3f37b5f09eb4f7fea557d8a2847e1fd825cb6a31042afbec0fce30c340027a

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe
    "C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pjhLgTuGCcPXYL.exe"
      2⤵
        PID:1348
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pjhLgTuGCcPXYL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE09E.tmp"
        2⤵
        • Creates scheduled task(s)
        PID:1040
      • C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe
        "C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe"
        2⤵
          PID:1624
        • C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe
          "C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe"
          2⤵
            PID:1828
          • C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe
            "C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe"
            2⤵
              PID:1644
            • C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe
              "C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe"
              2⤵
                PID:1652
              • C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe
                "C:\Users\Admin\AppData\Local\Temp\MMMMMUTYYYtrhOmoE27QSJu3X.exe"
                2⤵
                  PID:1036

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Scheduled Task

              1
              T1053

              Persistence

              Scheduled Task

              1
              T1053

              Privilege Escalation

              Scheduled Task

              1
              T1053

              Defense Evasion

              Credential Access

              Discovery

              System Information Discovery

              1
              T1082

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\tmpE09E.tmp
                MD5

                a00848bb47f144ef6a607a8b9658f455

                SHA1

                0cc04a08b38c57cf19b1ec98fc7638ec164d14a9

                SHA256

                981e0f90b362f25a40de36b72f272a4aa023ca3626632153afebc99ba98b99c6

                SHA512

                9e79df5c7fae3ad52aa283cfcba3b8e5dc03b270828980b23f864b514014c2c5194e41823327f84dbd7ad5c309fb903a682988b8f0dfdf069b69556ea442ef61

                Download Submit
              • memory/1272-55-0x00000000003E0000-0x00000000004AE000-memory.dmp
                Filesize

                824KB

                Download
              • memory/1272-56-0x0000000076921000-0x0000000076923000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1272-57-0x0000000002220000-0x0000000002221000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1272-58-0x0000000000510000-0x0000000000524000-memory.dmp
                Filesize

                80KB

                Download
              • memory/1272-59-0x0000000005240000-0x00000000052FC000-memory.dmp
                Filesize

                752KB

                Download
              • memory/1348-64-0x0000000002260000-0x00000000024F0000-memory.dmp
                Filesize

                2.6MB

                Download