fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1

General

Target

fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe
Size

1.1MB
MD5

6701c13cd64374c5d03ac12edfe9d8a1
SHA1

5c638dd9b9e17b80a282311c377b89c83f66f5ca
SHA256

fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1
SHA512

1ba86ae9b67e9d9af51e5e6b38d40b49f1d0ae89cc79f90c959407dce3407357304deb7c291a16c318b5520303fc1c43d05aa767fddb64f7a06d94e14cc0032d

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe
1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe
1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe
1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe
1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe
1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe
1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1992	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	27
PID 1944 wrote to memory of 1992	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	27
PID 1944 wrote to memory of 1992	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	27
PID 1944 wrote to memory of 1992	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	27
PID 1944 wrote to memory of 300	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	29
PID 1944 wrote to memory of 300	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	29
PID 1944 wrote to memory of 300	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	29
PID 1944 wrote to memory of 300	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	29
PID 1944 wrote to memory of 804	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	30
PID 1944 wrote to memory of 804	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	30
PID 1944 wrote to memory of 804	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	30
PID 1944 wrote to memory of 804	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	30
PID 1944 wrote to memory of 2032	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	31
PID 1944 wrote to memory of 2032	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	31
PID 1944 wrote to memory of 2032	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	31
PID 1944 wrote to memory of 2032	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	31
PID 1944 wrote to memory of 1080	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	32
PID 1944 wrote to memory of 1080	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	32
PID 1944 wrote to memory of 1080	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	32
PID 1944 wrote to memory of 1080	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	32
PID 1944 wrote to memory of 1180	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	33
PID 1944 wrote to memory of 1180	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	33
PID 1944 wrote to memory of 1180	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	33
PID 1944 wrote to memory of 1180	1944	fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe	33

C:\Users\Admin\AppData\Local\Temp\fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe
"C:\Users\Admin\AppData\Local\Temp\fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lqJTwTGlUt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7ACC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1992
- C:\Users\Admin\AppData\Local\Temp\fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe
  "C:\Users\Admin\AppData\Local\Temp\fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe"
  2⤵
  PID:300
- C:\Users\Admin\AppData\Local\Temp\fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe
  "C:\Users\Admin\AppData\Local\Temp\fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe"
  2⤵
  PID:804
- C:\Users\Admin\AppData\Local\Temp\fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe
  "C:\Users\Admin\AppData\Local\Temp\fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe"
  2⤵
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe
  "C:\Users\Admin\AppData\Local\Temp\fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe"
  2⤵
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe
  "C:\Users\Admin\AppData\Local\Temp\fe88ac5959a12216e625ed2f8be59df5d2f7babc27387fd0a81409c2f25a8fd1.exe"
  2⤵
  PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7ACC.tmp

Filesize
1KB

MD5
b61f7b91f1d3a1db432be4c8724fd281

SHA1
b04ea5703f7915077abe5058401edafadbed3f98

SHA256
47ee49c5e67fd87cb99051e8e800bce6a02011b33bf31696a1d48726d1b5f46d

SHA512
5bed08bf64f2149ca8d672dc15905e34135d6b4a24775475336c794df20c0adf2119888767461e465267f20aeaac05b4a42321d2c01f5e06dcbd2a2ab041f956

Download Submit
memory/1944-54-0x00000000003D0000-0x00000000004E8000-memory.dmp

Filesize
1.1MB

Download
memory/1944-55-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1944-56-0x0000000007D00000-0x0000000007DC0000-memory.dmp

Filesize
768KB

Download
memory/1944-57-0x0000000007A90000-0x0000000007B18000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads