9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c

Analysis

max time kernel
32s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe
Size

397KB
MD5

7fc4300a6f6dea00b341018b3366e8be
SHA1

05b8a1966cb6b423f9e0da49add7d7cd913a9c73
SHA256

9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c
SHA512

dcc16e705fd42d295e64580585068aed496611506ae26783321e00f63d50bbd8efadff7573f0c6c8bcc59eb9009b1b0d88fa3d5cd778135e1c049bcc203bd26c

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

944 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 944 powershell.exe

pid	process
944	powershell.exe

description	pid	process
Token: SeDebugPrivilege	944	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe

description	pid	process	target process
PID 1952 wrote to memory of 944	1952	9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe	powershell.exe
PID 1952 wrote to memory of 944	1952	9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe	powershell.exe
PID 1952 wrote to memory of 944	1952	9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe	powershell.exe
PID 1952 wrote to memory of 944	1952	9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe
"C:\Users\Admin\AppData\Local\Temp\9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\LUoUY.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\LUoUY.ps1
Filesize
24KB

MD5
da9dc2ad19105e8daebc4b438c74aa12

SHA1
81c1f48dda44ad25de5693734613ae2c92282ade

SHA256
9d6c7d381757d0571869bcbca844d7a8742f5276269d7fb086e04ab11d9ba540

SHA512
aa19b27f6ddbfd07cea33fdb248564224cfc585d80d41196ff0f2eb66a69644adac472a2a3526eba093d4439ba11c92b08a7e41bdf392d650a7f43e26973a1f7

Download Submit
memory/944-56-0x0000000000000000-mapping.dmp

Download
memory/944-58-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/944-60-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/1952-54-0x0000000001120000-0x000000000118A000-memory.dmp

Filesize
424KB

Download
memory/1952-55-0x00000000765C1000-0x00000000765C3000-memory.dmp

Filesize
8KB

Download