508cb22224be3ffe5f189767b150490b717fdfbbdea4ea41c3a1add4ecfe7730

General

Target

tmp.exe
Size

520KB
MD5

47811f527386f1024081701f3812deb7
SHA1

16934d7dbc4ad5f583f3721e180c0669a57c5c84
SHA256

508cb22224be3ffe5f189767b150490b717fdfbbdea4ea41c3a1add4ecfe7730
SHA512

df060d3d595f6da2a25f54c8ecf4398bbe83c3bc39f15c258f3a984a77578389019095355f082adb9a4921390bf53c2c06b098cb7a9639ef1c13cc343fcc4f03

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1300 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

tmp.exepowershell.exe

pid process

848 tmp.exe
848 tmp.exe
848 tmp.exe
848 tmp.exe
848 tmp.exe
1384 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exepowershell.exe

description pid process

Token: SeDebugPrivilege 848 tmp.exe
Token: SeDebugPrivilege 1384 powershell.exe

pid	process
1300	schtasks.exe

pid	process
848	tmp.exe
848	tmp.exe
848	tmp.exe
848	tmp.exe
848	tmp.exe
1384	powershell.exe

description	pid	process
Token: SeDebugPrivilege	848	tmp.exe
Token: SeDebugPrivilege	1384	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 848 wrote to memory of 1384	848	tmp.exe	powershell.exe
PID 848 wrote to memory of 1384	848	tmp.exe	powershell.exe
PID 848 wrote to memory of 1384	848	tmp.exe	powershell.exe
PID 848 wrote to memory of 1384	848	tmp.exe	powershell.exe
PID 848 wrote to memory of 1300	848	tmp.exe	schtasks.exe
PID 848 wrote to memory of 1300	848	tmp.exe	schtasks.exe
PID 848 wrote to memory of 1300	848	tmp.exe	schtasks.exe
PID 848 wrote to memory of 1300	848	tmp.exe	schtasks.exe
PID 848 wrote to memory of 980	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 980	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 980	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 980	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 1520	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 1520	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 1520	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 1520	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 740	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 740	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 740	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 740	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 572	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 572	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 572	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 572	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 2004	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 2004	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 2004	848	tmp.exe	tmp.exe
PID 848 wrote to memory of 2004	848	tmp.exe	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QuPVQiTftBFHdL.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QuPVQiTftBFHdL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFC2B.tmp"
2⤵
- Creates scheduled task(s)
PID:1300

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
PID:2004

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFC2B.tmp
Filesize
1KB

MD5
bde4b8075f5dd43d70673cd8a024b2d5

SHA1
4e18220091dc3fe6b542faed5116a4b20b95a904

SHA256
418c017d2e21ce77f0d068e06647c91c74a2ba62495011d2195d9c38d7123480

SHA512
1d57aa2f1da528a3873ff454767eb83cc58e494e2e246542ef660038d54c88c3d4db55f25744c4fa183f123a0b2152d28cac594c1bc3d5f514d0c20f10c2b707

Download Submit
memory/848-54-0x00000000003B0000-0x0000000000432000-memory.dmp

Filesize
520KB

Download
memory/848-55-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/848-56-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/848-57-0x00000000052D0000-0x0000000005352000-memory.dmp

Filesize
520KB

Download
memory/848-62-0x0000000004250000-0x0000000004280000-memory.dmp

Filesize
192KB

Download
memory/1300-59-0x0000000000000000-mapping.dmp

Download
memory/1384-58-0x0000000000000000-mapping.dmp

Download
memory/1384-63-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads