a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759

General

Target

a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe
Size

935KB
MD5

bba6ba82caeb5b34de59cd5a0e6a7695
SHA1

615d2d6f93d0354ddb853bc143ac6e7fe74a0193
SHA256

a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759
SHA512

c46dd4a1a317db987740610639877af4ee7456e342800d5cd29bf31c848cc58252d5596f408233c234a40ab9bc05a483a6fd1ef1f942d073db45fbf387d16d29

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

service.exe

pid process

1008 service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

364 schtasks.exe
540 schtasks.exe

pid	process
1008	service.exe

pid	process
364	schtasks.exe
540	schtasks.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.execmd.exetaskeng.exeservice.execmd.exe

description	pid	process	target process
PID 1504 wrote to memory of 1660	1504	a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe	cmd.exe
PID 1504 wrote to memory of 1660	1504	a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe	cmd.exe
PID 1504 wrote to memory of 1660	1504	a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe	cmd.exe
PID 1504 wrote to memory of 1660	1504	a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe	cmd.exe
PID 1660 wrote to memory of 364	1660	cmd.exe	schtasks.exe
PID 1660 wrote to memory of 364	1660	cmd.exe	schtasks.exe
PID 1660 wrote to memory of 364	1660	cmd.exe	schtasks.exe
PID 1660 wrote to memory of 364	1660	cmd.exe	schtasks.exe
PID 1728 wrote to memory of 1008	1728	taskeng.exe	service.exe
PID 1728 wrote to memory of 1008	1728	taskeng.exe	service.exe
PID 1728 wrote to memory of 1008	1728	taskeng.exe	service.exe
PID 1728 wrote to memory of 1008	1728	taskeng.exe	service.exe
PID 1008 wrote to memory of 1144	1008	service.exe	cmd.exe
PID 1008 wrote to memory of 1144	1008	service.exe	cmd.exe
PID 1008 wrote to memory of 1144	1008	service.exe	cmd.exe
PID 1008 wrote to memory of 1144	1008	service.exe	cmd.exe
PID 1144 wrote to memory of 540	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 540	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 540	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 540	1144	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe
"C:\Users\Admin\AppData\Local\Temp\a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:364

C:\Windows\system32\taskeng.exe
taskeng.exe {0EE1D346-F158-441F-B3B9-0D75E9AA8711} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Roaming\service.exe
C:\Users\Admin\AppData\Roaming\service.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
1⤵
- Creates scheduled task(s)
PID:540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\service.exe

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe

Download Submit
memory/364-56-0x0000000000000000-mapping.dmp

Download
memory/540-62-0x0000000000000000-mapping.dmp

Download
memory/1008-58-0x0000000000000000-mapping.dmp

Download
memory/1144-61-0x0000000000000000-mapping.dmp

Download
memory/1504-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1660-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads