4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e

General

Target

4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
Size

2.6MB
MD5

5d9b726cdc7455d58b5e6771d1316f55
SHA1

f803ca6b3986813dbbb700794fc2aba02d93a5c7
SHA256

4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e
SHA512

4a7ebdded0ad97031011a5bbb2c98440eab4cc66309f518b128e6a6773c9add54767c36f4d915faf0e52e10b69f9441af9d3edf46a9d4a9cb1620565d7bd34c1

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wscript.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1160 1700 wscript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	1700	wscript.exe

Loads dropped DLL 5 IoCs

Processes:

4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe

pid	process
1364	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
1364	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
1364	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
1364	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
1364	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1060	WMIC.exe
Token: SeSecurityPrivilege	1060	WMIC.exe
Token: SeTakeOwnershipPrivilege	1060	WMIC.exe
Token: SeLoadDriverPrivilege	1060	WMIC.exe
Token: SeSystemProfilePrivilege	1060	WMIC.exe
Token: SeSystemtimePrivilege	1060	WMIC.exe
Token: SeProfSingleProcessPrivilege	1060	WMIC.exe
Token: SeIncBasePriorityPrivilege	1060	WMIC.exe
Token: SeCreatePagefilePrivilege	1060	WMIC.exe
Token: SeBackupPrivilege	1060	WMIC.exe
Token: SeRestorePrivilege	1060	WMIC.exe
Token: SeShutdownPrivilege	1060	WMIC.exe
Token: SeDebugPrivilege	1060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1060	WMIC.exe
Token: SeRemoteShutdownPrivilege	1060	WMIC.exe
Token: SeUndockPrivilege	1060	WMIC.exe
Token: SeManageVolumePrivilege	1060	WMIC.exe
Token: 33	1060	WMIC.exe
Token: 34	1060	WMIC.exe
Token: 35	1060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1060	WMIC.exe
Token: SeSecurityPrivilege	1060	WMIC.exe
Token: SeTakeOwnershipPrivilege	1060	WMIC.exe
Token: SeLoadDriverPrivilege	1060	WMIC.exe
Token: SeSystemProfilePrivilege	1060	WMIC.exe
Token: SeSystemtimePrivilege	1060	WMIC.exe
Token: SeProfSingleProcessPrivilege	1060	WMIC.exe
Token: SeIncBasePriorityPrivilege	1060	WMIC.exe
Token: SeCreatePagefilePrivilege	1060	WMIC.exe
Token: SeBackupPrivilege	1060	WMIC.exe
Token: SeRestorePrivilege	1060	WMIC.exe
Token: SeShutdownPrivilege	1060	WMIC.exe
Token: SeDebugPrivilege	1060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1060	WMIC.exe
Token: SeRemoteShutdownPrivilege	1060	WMIC.exe
Token: SeUndockPrivilege	1060	WMIC.exe
Token: SeManageVolumePrivilege	1060	WMIC.exe
Token: 33	1060	WMIC.exe
Token: 34	1060	WMIC.exe
Token: 35	1060	WMIC.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.execmd.exe

description	pid	process	target process
PID 1364 wrote to memory of 1304	1364	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe	cmd.exe
PID 1364 wrote to memory of 1304	1364	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe	cmd.exe
PID 1364 wrote to memory of 1304	1364	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe	cmd.exe
PID 1364 wrote to memory of 1304	1364	4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe	cmd.exe
PID 1304 wrote to memory of 1060	1304	cmd.exe	WMIC.exe
PID 1304 wrote to memory of 1060	1304	cmd.exe	WMIC.exe
PID 1304 wrote to memory of 1060	1304	cmd.exe	WMIC.exe
PID 1304 wrote to memory of 1060	1304	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe
"C:\Users\Admin\AppData\Local\Temp\4b765f642a3ce92002bb7915117ff41b93af157f88e85f17d567f20450cad78e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364

C:\windows\SysWOW64\cmd.exe
"C:\windows\system32\cmd.exe" /c wmic process call create "wscript %temp%\start.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process call create "wscript C:\Users\Admin\AppData\Local\Temp\start.vbs"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\AppData\Local\Temp\start.vbs
1⤵
- Process spawned unexpected child process
PID:1160

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\start.vbs
Filesize
321B

MD5
51546c284d2ee505bc551247ab0c105e

SHA1
66fd2bbbaffbd68051e189fa44d97ae9ae2749b1

SHA256
31c473f41ac9d4515870b8c5b128cd5f3c901fcfe45116435cd1c3266f3f9ed5

SHA512
0ea834a7d869cbb94d7bcddce1b63cd3126ac1fd771fe00fcc075d06f285352004a2ff3702270488f3753d245328a779320f1b2abfd325ef45537c0cbe83e76e

Download Submit
\Users\Admin\AppData\Local\Temp\nso3F63.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
\Users\Admin\AppData\Local\Temp\nso3F63.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
\Users\Admin\AppData\Local\Temp\nso3F63.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
\Users\Admin\AppData\Local\Temp\nso3F63.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
\Users\Admin\AppData\Local\Temp\nso3F63.tmp\nsUnzip.dll
Filesize
146KB

MD5
77a26c23948070dc012bba65e7f390aa

SHA1
7e112775770f9b3b24e2a238b5f7c66f8802e5d8

SHA256
4e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43

SHA512
2e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065

Download Submit
memory/1060-61-0x0000000000000000-mapping.dmp

Download
memory/1304-60-0x0000000000000000-mapping.dmp

Download
memory/1364-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads