21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f

General

Target

21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe
Size

322KB
MD5

5498e9b6ae461a11b23f493f0a2747ae
SHA1

1bb0a26dc7151649441e17f7806ad5106e39bbab
SHA256

21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f
SHA512

fbc218fbaf3074130bd8afeb19ee1f988ca494c181c4f3fea93220d96a6b64d3c0b0de04fd461c5d71b02ad53f13c59a4608df00e061b42f5e026d483eef62b9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1224	21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe

Deletes itself 1 IoCs

pid	Process
1676	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
240	21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe
240	21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1288	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	240	21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 1224	240	21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe	28
PID 240 wrote to memory of 1224	240	21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe	28
PID 240 wrote to memory of 1224	240	21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe	28
PID 240 wrote to memory of 1224	240	21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe	28
PID 240 wrote to memory of 1676	240	21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe	29
PID 240 wrote to memory of 1676	240	21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe	29
PID 240 wrote to memory of 1676	240	21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe	29
PID 240 wrote to memory of 1676	240	21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe	29
PID 1676 wrote to memory of 1288	1676	cmd.exe	31
PID 1676 wrote to memory of 1288	1676	cmd.exe	31
PID 1676 wrote to memory of 1288	1676	cmd.exe	31
PID 1676 wrote to memory of 1288	1676	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe
"C:\Users\Admin\AppData\Local\Temp\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240
- C:\Users\Admin\AppData\Local\Temp\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe
  "C:\Users\Admin\AppData\Local\Temp\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe"
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe

Filesize
322KB

MD5
5498e9b6ae461a11b23f493f0a2747ae

SHA1
1bb0a26dc7151649441e17f7806ad5106e39bbab

SHA256
21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f

SHA512
fbc218fbaf3074130bd8afeb19ee1f988ca494c181c4f3fea93220d96a6b64d3c0b0de04fd461c5d71b02ad53f13c59a4608df00e061b42f5e026d483eef62b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe

Filesize
322KB

MD5
5498e9b6ae461a11b23f493f0a2747ae

SHA1
1bb0a26dc7151649441e17f7806ad5106e39bbab

SHA256
21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f

SHA512
fbc218fbaf3074130bd8afeb19ee1f988ca494c181c4f3fea93220d96a6b64d3c0b0de04fd461c5d71b02ad53f13c59a4608df00e061b42f5e026d483eef62b9

Download Submit
\Users\Admin\AppData\Local\Temp\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe

Filesize
322KB

MD5
5498e9b6ae461a11b23f493f0a2747ae

SHA1
1bb0a26dc7151649441e17f7806ad5106e39bbab

SHA256
21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f

SHA512
fbc218fbaf3074130bd8afeb19ee1f988ca494c181c4f3fea93220d96a6b64d3c0b0de04fd461c5d71b02ad53f13c59a4608df00e061b42f5e026d483eef62b9

Download Submit
\Users\Admin\AppData\Local\Temp\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f\21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f.exe

Filesize
322KB

MD5
5498e9b6ae461a11b23f493f0a2747ae

SHA1
1bb0a26dc7151649441e17f7806ad5106e39bbab

SHA256
21a90dce975177310886381dd5f8560371a66349f0d47dcad689351c9587a76f

SHA512
fbc218fbaf3074130bd8afeb19ee1f988ca494c181c4f3fea93220d96a6b64d3c0b0de04fd461c5d71b02ad53f13c59a4608df00e061b42f5e026d483eef62b9

Download Submit
memory/240-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/240-55-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/240-63-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/240-65-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/1224-62-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing