32c7304278be2831eb34d6d28f81badb6f743eb656d2b86eda764291d5eb91cb

General

Target

odT0zoYLJiNUQXd.exe
Size

1.0MB
MD5

d3e395135ceb5da670e0bbfd0b1a142b
SHA1

a108f551b8493de56146e9ce78fbbbf1ca1469af
SHA256

e906ee6485c777452c364eb7950b0553061565e9fa01dd56aed9097493c9af2b
SHA512

0219d16b85619ce4a3006029e6c227c245386f009e5a5546f1cd3f1a1ae7a04780086a258c3c7e8a72a20532e9efd1de0c63a0f762fd095c9f51308ce46aff26

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1832 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

odT0zoYLJiNUQXd.exe

pid process

1184 odT0zoYLJiNUQXd.exe
1184 odT0zoYLJiNUQXd.exe
1184 odT0zoYLJiNUQXd.exe
1184 odT0zoYLJiNUQXd.exe
1184 odT0zoYLJiNUQXd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

odT0zoYLJiNUQXd.exe

description pid process

Token: SeDebugPrivilege 1184 odT0zoYLJiNUQXd.exe

pid	process
1832	schtasks.exe

pid	process
1184	odT0zoYLJiNUQXd.exe
1184	odT0zoYLJiNUQXd.exe
1184	odT0zoYLJiNUQXd.exe
1184	odT0zoYLJiNUQXd.exe
1184	odT0zoYLJiNUQXd.exe

description	pid	process
Token: SeDebugPrivilege	1184	odT0zoYLJiNUQXd.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

odT0zoYLJiNUQXd.exe

description	pid	process	target process
PID 1184 wrote to memory of 1832	1184	odT0zoYLJiNUQXd.exe	schtasks.exe
PID 1184 wrote to memory of 1832	1184	odT0zoYLJiNUQXd.exe	schtasks.exe
PID 1184 wrote to memory of 1832	1184	odT0zoYLJiNUQXd.exe	schtasks.exe
PID 1184 wrote to memory of 1832	1184	odT0zoYLJiNUQXd.exe	schtasks.exe
PID 1184 wrote to memory of 1012	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 1012	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 1012	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 1012	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 752	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 752	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 752	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 752	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 1108	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 1108	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 1108	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 1108	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 2044	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 2044	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 2044	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 2044	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 1104	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 1104	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 1104	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe
PID 1184 wrote to memory of 1104	1184	odT0zoYLJiNUQXd.exe	odT0zoYLJiNUQXd.exe

C:\Users\Admin\AppData\Local\Temp\odT0zoYLJiNUQXd.exe
"C:\Users\Admin\AppData\Local\Temp\odT0zoYLJiNUQXd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Eajxplc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9EDE.tmp"
2⤵
- Creates scheduled task(s)
PID:1832

C:\Users\Admin\AppData\Local\Temp\odT0zoYLJiNUQXd.exe
"C:\Users\Admin\AppData\Local\Temp\odT0zoYLJiNUQXd.exe"
2⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\odT0zoYLJiNUQXd.exe
"C:\Users\Admin\AppData\Local\Temp\odT0zoYLJiNUQXd.exe"
2⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\odT0zoYLJiNUQXd.exe
"C:\Users\Admin\AppData\Local\Temp\odT0zoYLJiNUQXd.exe"
2⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\odT0zoYLJiNUQXd.exe
"C:\Users\Admin\AppData\Local\Temp\odT0zoYLJiNUQXd.exe"
2⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\odT0zoYLJiNUQXd.exe
"C:\Users\Admin\AppData\Local\Temp\odT0zoYLJiNUQXd.exe"
2⤵
PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9EDE.tmp

MD5
4b3412796704cb2722d2acb1d341d39c

SHA1
6048c40600ec17dba6f1ea14bd3270fa72abdcbf

SHA256
0ccb95fbc2985a73cd22727e8ab084f08699f8ab0b1d282582457c5ea474e11a

SHA512
43a80f7d6e9be0896be7df26f275ce7370cfbbd3b923c747ec850a1a548191db75082fec409839e0fba613c060042e1c78eea24ac85f2748233eb23bc7ed0b65

Download Submit
memory/1184-54-0x000000007445E000-0x000000007445F000-memory.dmp

Filesize
4KB

Download
memory/1184-55-0x0000000000B70000-0x0000000000C82000-memory.dmp

Filesize
1.1MB

Download
memory/1184-56-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/1184-57-0x00000000003A0000-0x00000000003C8000-memory.dmp

Filesize
160KB

Download
memory/1184-58-0x00000000055B0000-0x0000000005660000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads