e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd

Analysis

max time kernel
74s
max time network
95s
platform
windows10_x64
resource
win10-20220414-en
submitted
18-05-2022 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
Size

809KB
MD5

ff72b295ded9889cee24320db368bcf1
SHA1

5d7991f8495d56088710dd558faba639ffd05292
SHA256

e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd
SHA512

37ab209741e90c78565d170ab48d7ee83c8633e93e646a4c8f639c305c8b6528841668b6aa7797870612d24e11e1ff1aaae0f5622e9a2195957f9142e93a7b1b

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata

Executes dropped EXE 1 IoCs

pid	Process
4212	IFMb39aGmCsqJcthXwNQEToq7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TxMT8hHkO8fBB5FlBurdwljpn = "C:\\ProgramData\\4vFAHkNczECIXuLdvBZKuXofw\\IFMb39aGmCsqJcthXwNQEToq7.exe"	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3812	4212	WerFault.exe	71

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3032	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4860	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4212	IFMb39aGmCsqJcthXwNQEToq7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
Token: SeDebugPrivilege	3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
Token: SeDebugPrivilege	4212	IFMb39aGmCsqJcthXwNQEToq7.exe
Token: SeDebugPrivilege	4212	IFMb39aGmCsqJcthXwNQEToq7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 3032	3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe	69
PID 3892 wrote to memory of 3032	3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe	69
PID 3892 wrote to memory of 4212	3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe	71
PID 3892 wrote to memory of 4212	3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe	71
PID 3892 wrote to memory of 4208	3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe	72
PID 3892 wrote to memory of 4208	3892	e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe	72
PID 4208 wrote to memory of 4860	4208	cmd.exe	74
PID 4208 wrote to memory of 4860	4208	cmd.exe	74

C:\Users\Admin\AppData\Local\Temp\e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe
"C:\Users\Admin\AppData\Local\Temp\e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /create /tn TxMT8hHkO8fBB5FlBurdwljpn /tr "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe" /st 00:23 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:3032
- C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe
  "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:4212
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4212 -s 3720
    3⤵
    - Program crash
    PID:3812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7D05.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:4860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
645.3MB

MD5
cefe4318bdfb9eda69a4e1139e248b2c

SHA1
7be660c98730ed5275383a58cc02b9fb0ef4b6d9

SHA256
1d8cd299086282708a0ec2f7cfffe064ddcd26da33b661e8e8227adbe2b3f8e6

SHA512
aeb01ab0a19e8f6f0423a70736bea94f53219fd2a7a3b7764b00da06898099ca65b6ade289b378fb62496fe8a000ff32933d23c1324ad74f14e8767e941ecebc

Download Submit
C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe

Filesize
645.3MB

MD5
cefe4318bdfb9eda69a4e1139e248b2c

SHA1
7be660c98730ed5275383a58cc02b9fb0ef4b6d9

SHA256
1d8cd299086282708a0ec2f7cfffe064ddcd26da33b661e8e8227adbe2b3f8e6

SHA512
aeb01ab0a19e8f6f0423a70736bea94f53219fd2a7a3b7764b00da06898099ca65b6ade289b378fb62496fe8a000ff32933d23c1324ad74f14e8767e941ecebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D05.tmp.bat

Filesize
216B

MD5
ee18249c2f31c935c6b2becc019954a7

SHA1
901d12c4a69daae9042c702e0aae52bd37c4b41a

SHA256
82f24a18fd0b6e1eadd78471b5ec2ca67fcfc829b413307c5770a3defbe3f832

SHA512
b711e83a0abc3898903382a375c7aa65847c07f6f7561bb8631fd09278767ab4977abefd96db3f079e5d9a5df3c98ed1b47414b3e62546ad325391135b82f89a

Download Submit
memory/3892-115-0x000000001C520000-0x000000001C5F6000-memory.dmp

Filesize
856KB

Download
memory/3892-116-0x00000000014A0000-0x00000000014A6000-memory.dmp

Filesize
24KB

Download
memory/3892-114-0x0000000000A80000-0x0000000000B4E000-memory.dmp

Filesize
824KB

Download
memory/4212-139-0x0000000024A34000-0x0000000024A39000-memory.dmp

Filesize
20KB

Download
memory/4212-135-0x0000000024A42000-0x0000000024A46000-memory.dmp

Filesize
16KB

Download
memory/4212-124-0x000000001F990000-0x000000001FA5A000-memory.dmp

Filesize
808KB

Download
memory/4212-126-0x0000000024A20000-0x0000000024A24000-memory.dmp

Filesize
16KB

Download
memory/4212-125-0x000000001C5EA000-0x000000001C5EF000-memory.dmp

Filesize
20KB

Download
memory/4212-127-0x0000000024A24000-0x0000000024A27000-memory.dmp

Filesize
12KB

Download
memory/4212-128-0x0000000024A23000-0x0000000024A26000-memory.dmp

Filesize
12KB

Download
memory/4212-129-0x000000001C5E4000-0x000000001C5EE000-memory.dmp

Filesize
40KB

Download
memory/4212-130-0x0000000024A27000-0x0000000024A2A000-memory.dmp

Filesize
12KB

Download
memory/4212-131-0x000000001C5E8000-0x000000001C5ED000-memory.dmp

Filesize
20KB

Download
memory/4212-133-0x0000000024A21000-0x0000000024A26000-memory.dmp

Filesize
20KB

Download
memory/4212-132-0x0000000024A42000-0x0000000024A46000-memory.dmp

Filesize
16KB

Download
memory/4212-134-0x0000000024A21000-0x0000000024A26000-memory.dmp

Filesize
20KB

Download
memory/4212-149-0x0000000024A29000-0x0000000024A39000-memory.dmp

Filesize
64KB

Download
memory/4212-136-0x0000000024A21000-0x0000000024A26000-memory.dmp

Filesize
20KB

Download
memory/4212-138-0x0000000024A2F000-0x0000000024A34000-memory.dmp

Filesize
20KB

Download
memory/4212-137-0x0000000024A2A000-0x0000000024A2F000-memory.dmp

Filesize
20KB

Download
memory/4212-140-0x0000000024A39000-0x0000000024A3E000-memory.dmp

Filesize
20KB

Download
memory/4212-141-0x0000000024A3E000-0x0000000024A47000-memory.dmp

Filesize
36KB

Download
memory/4212-142-0x000000001C5E8000-0x000000001C5ED000-memory.dmp

Filesize
20KB

Download
memory/4212-143-0x0000000024A43000-0x0000000024A46000-memory.dmp

Filesize
12KB

Download
memory/4212-144-0x0000000024A21000-0x0000000024A26000-memory.dmp

Filesize
20KB

Download
memory/4212-145-0x000000001C5E7000-0x000000001C5ED000-memory.dmp

Filesize
24KB

Download
memory/4212-146-0x0000000024A27000-0x0000000024A39000-memory.dmp

Filesize
72KB

Download
memory/4212-147-0x0000000024A22000-0x0000000024A26000-memory.dmp

Filesize
16KB

Download
memory/4212-148-0x000000001C5E7000-0x000000001C5ED000-memory.dmp

Filesize
24KB

Download