ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a

Analysis

max time kernel
149s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
02-05-2022 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
Size

3.8MB
MD5

57f9d1882f4bf9a35c66a3c7e541a174
SHA1

6c26537c0b251371c9e888f157f24017a00057eb
SHA256

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a
SHA512

e76e92e95629581bc2ee0bafb4057446402c5ba72b2e2013a85c2109166412d07a2657815aeff13ee4e6f932016b6e32a7bdd5444bf560814b1c49a08877661f

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

AsKdc3A6XoEPwuP4.exeAQPEUixd8s4yRFnv.exeS5muuxxMbxBZNHIz.exe0sdw811vQInHgiCL.exe

pid process

1756 AsKdc3A6XoEPwuP4.exe
1688 AQPEUixd8s4yRFnv.exe
1288 S5muuxxMbxBZNHIz.exe
612 0sdw811vQInHgiCL.exe

pid	process
1756	AsKdc3A6XoEPwuP4.exe
1688	AQPEUixd8s4yRFnv.exe
1288	S5muuxxMbxBZNHIz.exe
612	0sdw811vQInHgiCL.exe

Loads dropped DLL 4 IoCs

Processes:

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe

pid	process
1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exeAsKdc3A6XoEPwuP4.exe

description	pid	process
Token: SeDebugPrivilege	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
Token: 33	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
Token: SeIncBasePriorityPrivilege	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
Token: SeDebugPrivilege	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
Token: SeDebugPrivilege	1756	AsKdc3A6XoEPwuP4.exe
Token: 33	1756	AsKdc3A6XoEPwuP4.exe
Token: SeIncBasePriorityPrivilege	1756	AsKdc3A6XoEPwuP4.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe

description	pid	process	target process
PID 1808 wrote to memory of 1756	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	AsKdc3A6XoEPwuP4.exe
PID 1808 wrote to memory of 1756	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	AsKdc3A6XoEPwuP4.exe
PID 1808 wrote to memory of 1756	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	AsKdc3A6XoEPwuP4.exe
PID 1808 wrote to memory of 1756	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	AsKdc3A6XoEPwuP4.exe
PID 1808 wrote to memory of 1688	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	AQPEUixd8s4yRFnv.exe
PID 1808 wrote to memory of 1688	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	AQPEUixd8s4yRFnv.exe
PID 1808 wrote to memory of 1688	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	AQPEUixd8s4yRFnv.exe
PID 1808 wrote to memory of 1688	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	AQPEUixd8s4yRFnv.exe
PID 1808 wrote to memory of 1288	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	S5muuxxMbxBZNHIz.exe
PID 1808 wrote to memory of 1288	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	S5muuxxMbxBZNHIz.exe
PID 1808 wrote to memory of 1288	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	S5muuxxMbxBZNHIz.exe
PID 1808 wrote to memory of 1288	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	S5muuxxMbxBZNHIz.exe
PID 1808 wrote to memory of 612	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	0sdw811vQInHgiCL.exe
PID 1808 wrote to memory of 612	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	0sdw811vQInHgiCL.exe
PID 1808 wrote to memory of 612	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	0sdw811vQInHgiCL.exe
PID 1808 wrote to memory of 612	1808	ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe	0sdw811vQInHgiCL.exe

C:\Users\Admin\AppData\Local\Temp\ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe
"C:\Users\Admin\AppData\Local\Temp\ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\AsKdc3A6XoEPwuP4.exe
"C:\Users\Admin\AppData\Local\Temp\AsKdc3A6XoEPwuP4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Users\Admin\AppData\Local\Temp\AQPEUixd8s4yRFnv.exe
"C:\Users\Admin\AppData\Local\Temp\AQPEUixd8s4yRFnv.exe"
2⤵
- Executes dropped EXE
PID:1688

C:\Users\Admin\AppData\Local\Temp\S5muuxxMbxBZNHIz.exe
"C:\Users\Admin\AppData\Local\Temp\S5muuxxMbxBZNHIz.exe"
2⤵
- Executes dropped EXE
PID:1288

C:\Users\Admin\AppData\Local\Temp\0sdw811vQInHgiCL.exe
"C:\Users\Admin\AppData\Local\Temp\0sdw811vQInHgiCL.exe"
2⤵
- Executes dropped EXE
PID:612

C:\Users\Admin\AppData\Local\Temp\bBdn7JgavaJsc6IQ.exe
"C:\Users\Admin\AppData\Local\Temp\bBdn7JgavaJsc6IQ.exe"
2⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\5wg5YdaqE6FfqGUq.exe
"C:\Users\Admin\AppData\Local\Temp\5wg5YdaqE6FfqGUq.exe"
2⤵
PID:1788

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\hJRSQ6bHAJQqiKUy.pdf"
2⤵
PID:1932

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0sdw811vQInHgiCL.exe
Filesize
851KB

MD5
90ef2f0f0041ce121d288cb646bd6f7c

SHA1
98320df200c18c6dc23d9841d280e955cd08e6e3

SHA256
904f446d7ecbd31c11aec24e22143ebd4036a2b6c5bcf37a7ccc16b963cc2fee

SHA512
03234bacbe8445de1cea0fbb7c64e10f9d2249f9494e22d30a44f096fa4a8b8f2be2782619bac53c51b60800b372277edb5b7ac360de4bda54c43a480e89325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0sdw811vQInHgiCL.exe
Filesize
851KB

MD5
90ef2f0f0041ce121d288cb646bd6f7c

SHA1
98320df200c18c6dc23d9841d280e955cd08e6e3

SHA256
904f446d7ecbd31c11aec24e22143ebd4036a2b6c5bcf37a7ccc16b963cc2fee

SHA512
03234bacbe8445de1cea0fbb7c64e10f9d2249f9494e22d30a44f096fa4a8b8f2be2782619bac53c51b60800b372277edb5b7ac360de4bda54c43a480e89325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wg5YdaqE6FfqGUq.exe
Filesize
783KB

MD5
9c0c605748b629d0c5f13c956421721a

SHA1
ceba118554d3b1049397083862c8b9ba6faec576

SHA256
77f16f0ab6100d3beda1a33163b2810a8225a74016b3006a0ec3654436912cdb

SHA512
a5ebd54464da6b8f1a6d36d980afe89fe220021c3849e02aeacca9cb64f45b669d520f80f4199f4863d61fe35a992e832c292b6f6cd51a5e9bc74d03c8e2b1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wg5YdaqE6FfqGUq.exe
Filesize
783KB

MD5
9c0c605748b629d0c5f13c956421721a

SHA1
ceba118554d3b1049397083862c8b9ba6faec576

SHA256
77f16f0ab6100d3beda1a33163b2810a8225a74016b3006a0ec3654436912cdb

SHA512
a5ebd54464da6b8f1a6d36d980afe89fe220021c3849e02aeacca9cb64f45b669d520f80f4199f4863d61fe35a992e832c292b6f6cd51a5e9bc74d03c8e2b1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQPEUixd8s4yRFnv.exe
Filesize
438KB

MD5
0a4b74345c65b419fa2e54003d8f35b2

SHA1
13695e65d21b1208fa871215344989cf4a45cada

SHA256
d056a28cca361012ee9d94d5c0119af33f1fddcfa0b39a45852eb115f2480cde

SHA512
56e00065754e10b630b4aa6fd2593086b260f1d29ef9e82d16a29c10c3462dd30e4072b33158790610305d02ab1b1eef8451ee0056bac78b266f17fdfcef65e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQPEUixd8s4yRFnv.exe
Filesize
438KB

MD5
0a4b74345c65b419fa2e54003d8f35b2

SHA1
13695e65d21b1208fa871215344989cf4a45cada

SHA256
d056a28cca361012ee9d94d5c0119af33f1fddcfa0b39a45852eb115f2480cde

SHA512
56e00065754e10b630b4aa6fd2593086b260f1d29ef9e82d16a29c10c3462dd30e4072b33158790610305d02ab1b1eef8451ee0056bac78b266f17fdfcef65e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsKdc3A6XoEPwuP4.exe
Filesize
396KB

MD5
bb536d9993e4b42bdf05418e6b74c774

SHA1
60fbce674150d6ddb45fc73c5286832088f6d36b

SHA256
99548c2c787d86ab5ed42350a9faa3d76303f119252e152979d0d2de29bb73da

SHA512
eddc68b2d6bdf901f931dfd0bb950f7cf86dca189fd78cd646030e08a6a73fe26b9ac74554a23256b8be26bbc67a47fe5c56ffcb00b38edc8af376b07ae85d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsKdc3A6XoEPwuP4.exe
Filesize
396KB

MD5
bb536d9993e4b42bdf05418e6b74c774

SHA1
60fbce674150d6ddb45fc73c5286832088f6d36b

SHA256
99548c2c787d86ab5ed42350a9faa3d76303f119252e152979d0d2de29bb73da

SHA512
eddc68b2d6bdf901f931dfd0bb950f7cf86dca189fd78cd646030e08a6a73fe26b9ac74554a23256b8be26bbc67a47fe5c56ffcb00b38edc8af376b07ae85d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\S5muuxxMbxBZNHIz.exe
Filesize
379KB

MD5
ad5a883143a4cbc7f3480124f34150e8

SHA1
b301b43208d6a25ba53779b427628bf08b87e3d9

SHA256
837efc78139a51fdf70aa5e4df668705a6bb4636613435dd455a89d65dc55882

SHA512
d548c7942d47c2d2435d84bc4ff5487a2366ab5ac1be072c021d198882e1ebdc336e5e165830589b8fed081fa26f5cbf6f53b1470f31c2206144055e620c6e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\S5muuxxMbxBZNHIz.exe
Filesize
379KB

MD5
ad5a883143a4cbc7f3480124f34150e8

SHA1
b301b43208d6a25ba53779b427628bf08b87e3d9

SHA256
837efc78139a51fdf70aa5e4df668705a6bb4636613435dd455a89d65dc55882

SHA512
d548c7942d47c2d2435d84bc4ff5487a2366ab5ac1be072c021d198882e1ebdc336e5e165830589b8fed081fa26f5cbf6f53b1470f31c2206144055e620c6e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bBdn7JgavaJsc6IQ.exe
Filesize
670KB

MD5
e7ec959ead85778d800d840a465a2385

SHA1
7c559289c5ad1a3e4e99e286d96669fafd678b3e

SHA256
64905564efe28230be24641094d397bbd643c4d66005bab3f566c64d3ba051a1

SHA512
c0ae932aa4f5f528777fc0c3a5ddd28ae34810216240cef95015521115417a7b2ad79c690d5ec523a77d329ac23efc694ecd64a37a7641f39b4c8d406890efd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bBdn7JgavaJsc6IQ.exe
Filesize
670KB

MD5
e7ec959ead85778d800d840a465a2385

SHA1
7c559289c5ad1a3e4e99e286d96669fafd678b3e

SHA256
64905564efe28230be24641094d397bbd643c4d66005bab3f566c64d3ba051a1

SHA512
c0ae932aa4f5f528777fc0c3a5ddd28ae34810216240cef95015521115417a7b2ad79c690d5ec523a77d329ac23efc694ecd64a37a7641f39b4c8d406890efd5

Download Submit
\Users\Admin\AppData\Local\Temp\0sdw811vQInHgiCL.exe
Filesize
851KB

MD5
90ef2f0f0041ce121d288cb646bd6f7c

SHA1
98320df200c18c6dc23d9841d280e955cd08e6e3

SHA256
904f446d7ecbd31c11aec24e22143ebd4036a2b6c5bcf37a7ccc16b963cc2fee

SHA512
03234bacbe8445de1cea0fbb7c64e10f9d2249f9494e22d30a44f096fa4a8b8f2be2782619bac53c51b60800b372277edb5b7ac360de4bda54c43a480e89325a

Download Submit
\Users\Admin\AppData\Local\Temp\5wg5YdaqE6FfqGUq.exe
Filesize
783KB

MD5
9c0c605748b629d0c5f13c956421721a

SHA1
ceba118554d3b1049397083862c8b9ba6faec576

SHA256
77f16f0ab6100d3beda1a33163b2810a8225a74016b3006a0ec3654436912cdb

SHA512
a5ebd54464da6b8f1a6d36d980afe89fe220021c3849e02aeacca9cb64f45b669d520f80f4199f4863d61fe35a992e832c292b6f6cd51a5e9bc74d03c8e2b1e0

Download Submit
\Users\Admin\AppData\Local\Temp\AQPEUixd8s4yRFnv.exe
Filesize
438KB

MD5
0a4b74345c65b419fa2e54003d8f35b2

SHA1
13695e65d21b1208fa871215344989cf4a45cada

SHA256
d056a28cca361012ee9d94d5c0119af33f1fddcfa0b39a45852eb115f2480cde

SHA512
56e00065754e10b630b4aa6fd2593086b260f1d29ef9e82d16a29c10c3462dd30e4072b33158790610305d02ab1b1eef8451ee0056bac78b266f17fdfcef65e9

Download Submit
\Users\Admin\AppData\Local\Temp\AsKdc3A6XoEPwuP4.exe
Filesize
396KB

MD5
bb536d9993e4b42bdf05418e6b74c774

SHA1
60fbce674150d6ddb45fc73c5286832088f6d36b

SHA256
99548c2c787d86ab5ed42350a9faa3d76303f119252e152979d0d2de29bb73da

SHA512
eddc68b2d6bdf901f931dfd0bb950f7cf86dca189fd78cd646030e08a6a73fe26b9ac74554a23256b8be26bbc67a47fe5c56ffcb00b38edc8af376b07ae85d89

Download Submit
\Users\Admin\AppData\Local\Temp\S5muuxxMbxBZNHIz.exe
Filesize
379KB

MD5
ad5a883143a4cbc7f3480124f34150e8

SHA1
b301b43208d6a25ba53779b427628bf08b87e3d9

SHA256
837efc78139a51fdf70aa5e4df668705a6bb4636613435dd455a89d65dc55882

SHA512
d548c7942d47c2d2435d84bc4ff5487a2366ab5ac1be072c021d198882e1ebdc336e5e165830589b8fed081fa26f5cbf6f53b1470f31c2206144055e620c6e1b

Download Submit
\Users\Admin\AppData\Local\Temp\bBdn7JgavaJsc6IQ.exe
Filesize
670KB

MD5
e7ec959ead85778d800d840a465a2385

SHA1
7c559289c5ad1a3e4e99e286d96669fafd678b3e

SHA256
64905564efe28230be24641094d397bbd643c4d66005bab3f566c64d3ba051a1

SHA512
c0ae932aa4f5f528777fc0c3a5ddd28ae34810216240cef95015521115417a7b2ad79c690d5ec523a77d329ac23efc694ecd64a37a7641f39b4c8d406890efd5

Download Submit
memory/612-94-0x00000000005F5000-0x0000000000606000-memory.dmp

Filesize
68KB

Download
memory/612-70-0x0000000000000000-mapping.dmp

Download
memory/612-85-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/668-77-0x0000000000000000-mapping.dmp

Download
memory/668-95-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/668-97-0x00000000004D5000-0x00000000004E6000-memory.dmp

Filesize
68KB

Download
memory/1288-67-0x0000000000000000-mapping.dmp

Download
memory/1288-93-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-92-0x00000000005C5000-0x00000000005D6000-memory.dmp

Filesize
68KB

Download
memory/1688-62-0x0000000000000000-mapping.dmp

Download
memory/1688-98-0x0000000000810000-0x0000000000882000-memory.dmp

Filesize
456KB

Download
memory/1756-84-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-96-0x00000000020F5000-0x0000000002106000-memory.dmp

Filesize
68KB

Download
memory/1756-58-0x0000000000000000-mapping.dmp

Download
memory/1788-89-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-91-0x0000000000C75000-0x0000000000C86000-memory.dmp

Filesize
68KB

Download
memory/1788-82-0x0000000000000000-mapping.dmp

Download
memory/1808-55-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1808-56-0x0000000000B75000-0x0000000000B86000-memory.dmp

Filesize
68KB

Download
memory/1808-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1932-88-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads