2f56ad0baef451e56d5afd057b6e58abbac9ff214be8d7e830b14bb9b94e60ae

Analysis

Target

2f56ad0baef451e56d5afd057b6e58abbac9ff214be8d7e830b14bb9b94e60ae.exe
Size

268KB
MD5

396442a39fd80f67888b420f6ac22c5c
SHA1

1304ca4f88fb46340c897c56876d84d88ec02225
SHA256

2f56ad0baef451e56d5afd057b6e58abbac9ff214be8d7e830b14bb9b94e60ae
SHA512

9c1f8d295c163bac2dd8fbd9c37c89a62ccf9d44fcead5158df920154579bba443b3e2e6974ce776ceb4719bd23b28d3c33905b7fd6b2c9d9143889f7453dabe

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1336	2f56ad0baef451e56d5afd057b6e58abbac9ff214be8d7e830b14bb9b94e60ae.exe
1336	2f56ad0baef451e56d5afd057b6e58abbac9ff214be8d7e830b14bb9b94e60ae.exe
1336	2f56ad0baef451e56d5afd057b6e58abbac9ff214be8d7e830b14bb9b94e60ae.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 680	1336	2f56ad0baef451e56d5afd057b6e58abbac9ff214be8d7e830b14bb9b94e60ae.exe	81
PID 1336 wrote to memory of 680	1336	2f56ad0baef451e56d5afd057b6e58abbac9ff214be8d7e830b14bb9b94e60ae.exe	81
PID 1336 wrote to memory of 680	1336	2f56ad0baef451e56d5afd057b6e58abbac9ff214be8d7e830b14bb9b94e60ae.exe	81

C:\Users\Admin\AppData\Local\Temp\2f56ad0baef451e56d5afd057b6e58abbac9ff214be8d7e830b14bb9b94e60ae.exe
"C:\Users\Admin\AppData\Local\Temp\2f56ad0baef451e56d5afd057b6e58abbac9ff214be8d7e830b14bb9b94e60ae.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:680

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact