fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5

General

Target

fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
Size

529KB
MD5

f6da8b03a5b5fd635ce117e153475ac8
SHA1

2d5abf679645fa3b724075e7395d6713e371385c
SHA256

fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5
SHA512

f82eaf9f5fc9aae823934aef1d9c4715fed37dc79a735d5e07f1ad95c87eae3cf4d4d221c8e1e990a90f7ac87fd0769283fe820168fb36fc81ddd8f2abb24840

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 940	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	29
PID 1888 wrote to memory of 940	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	29
PID 1888 wrote to memory of 940	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	29
PID 1888 wrote to memory of 940	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	29
PID 1888 wrote to memory of 2032	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	31
PID 1888 wrote to memory of 2032	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	31
PID 1888 wrote to memory of 2032	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	31
PID 1888 wrote to memory of 2032	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	31
PID 1888 wrote to memory of 2012	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	32
PID 1888 wrote to memory of 2012	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	32
PID 1888 wrote to memory of 2012	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	32
PID 1888 wrote to memory of 2012	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	32
PID 1888 wrote to memory of 1072	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	33
PID 1888 wrote to memory of 1072	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	33
PID 1888 wrote to memory of 1072	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	33
PID 1888 wrote to memory of 1072	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	33
PID 1888 wrote to memory of 1160	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	34
PID 1888 wrote to memory of 1160	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	34
PID 1888 wrote to memory of 1160	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	34
PID 1888 wrote to memory of 1160	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	34
PID 1888 wrote to memory of 1112	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	35
PID 1888 wrote to memory of 1112	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	35
PID 1888 wrote to memory of 1112	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	35
PID 1888 wrote to memory of 1112	1888	fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe	35

C:\Users\Admin\AppData\Local\Temp\fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
"C:\Users\Admin\AppData\Local\Temp\fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZJPCKr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC2C.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:940
- C:\Users\Admin\AppData\Local\Temp\fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
  "{path}"
  2⤵
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
  "{path}"
  2⤵
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
  "{path}"
  2⤵
  PID:1072
- C:\Users\Admin\AppData\Local\Temp\fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
  "{path}"
  2⤵
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\fa5c8d819421344cdd842e2cae7eec743c40b1ec9095c604f51cedbf82c42ca5.exe
  "{path}"
  2⤵
  PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDC2C.tmp

Filesize
1KB

MD5
b228fceaa7f41f210bd9f01f75ceb41f

SHA1
3ca83c1b019b0cbf27163c340a40566f222f2f59

SHA256
1cd483967bb331b31faa6210a6e1e88f8ccf1a2b2622e0e555298e1c091c603d

SHA512
36369c2223f572d743402d472f94f0c3b018a7d63f5d2728fdbc06b1c74631a579df86db775a0f2eb70718f7063189f634227308758dceecc5af18f4b6615a33

Download Submit
memory/1888-54-0x0000000000130000-0x00000000001BA000-memory.dmp

Filesize
552KB

Download
memory/1888-55-0x0000000000960000-0x000000000097C000-memory.dmp

Filesize
112KB

Download
memory/1888-56-0x0000000007350000-0x00000000073B4000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads