9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f

Analysis

max time kernel
175s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f.exe
Size

112KB
MD5

990b689516914e33319296bf038b8d45
SHA1

c0de363450821deb850bed1a2b6880d84bd9ec3b
SHA256

9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f
SHA512

e0d42a48a286aa21415e3d5b1e6a4ce0f2947eb0b1de6b73fd13fbd450e141975d05e00a4c332349039f41fb2d71807d9242118b6c0c69392ff9bd0aa062085d

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3828	svchost.exe
Token: SeCreatePagefilePrivilege	3828	svchost.exe
Token: SeShutdownPrivilege	3828	svchost.exe
Token: SeCreatePagefilePrivilege	3828	svchost.exe
Token: SeShutdownPrivilege	3828	svchost.exe
Token: SeCreatePagefilePrivilege	3828	svchost.exe

C:\Users\Admin\AppData\Local\Temp\9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f.exe
"C:\Users\Admin\AppData\Local\Temp\9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f.exe"
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3828

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3828-134-0x00000288DF380000-0x00000288DF390000-memory.dmp

Filesize
64KB

Download
memory/3828-133-0x00000288DF320000-0x00000288DF330000-memory.dmp

Filesize
64KB

Download
memory/3828-135-0x00000288E1A30000-0x00000288E1A34000-memory.dmp

Filesize
16KB

Download