07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b

General

Target

07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
Size

863KB
MD5

dcb18af45a4c4560d123f6c6a9edfb38
SHA1

3e5f7f8cae69bcd00e2215c96bc87c279d10bcef
SHA256

07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b
SHA512

b36b6520e68d3e7176af8e0dca31d3dc9d8b63587336a6d36e46b53da39fe48e12d0a47055702991814ab95645523f6bb8921106e07ebf0db587ff5f160f7589

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

964 schtasks.exe

pid	process
964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe

pid	process
1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe

description pid process

Token: SeDebugPrivilege 1904 07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe

description	pid	process
Token: SeDebugPrivilege	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe

C:\Users\Admin\AppData\Local\Temp\07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
"C:\Users\Admin\AppData\Local\Temp\07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JJIXEUlTDlE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB194.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:964
- C:\Users\Admin\AppData\Local\Temp\07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
  "{path}"
  2⤵
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
  "{path}"
  2⤵
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
  "{path}"
  2⤵
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
  "{path}"
  2⤵
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
  "{path}"
  2⤵
  PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB194.tmp

Filesize
1KB

MD5
d4d0f266f590d82c7ffaa683d18db09b

SHA1
a259560cb6313504b3282b605694c13972742eb6

SHA256
12344aceed5ec325bf0f67d43cc6b7a4cad6c5d934592a4c4c81647d0e355f15

SHA512
e4887d8841638ab2a46e5ab6d58fed90eb0417e9b66a107ce23d494e897202586b517df70e388b1ae49c9c9faa8692a3775819cfa8b6f68316fae6f852578deb

Download Submit
memory/964-57-0x0000000000000000-mapping.dmp

Download
memory/1904-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1904-55-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1904-56-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1904-59-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 1904 wrote to memory of 964	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	schtasks.exe
PID 1904 wrote to memory of 964	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	schtasks.exe
PID 1904 wrote to memory of 964	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	schtasks.exe
PID 1904 wrote to memory of 964	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	schtasks.exe
PID 1904 wrote to memory of 1216	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 1216	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 1216	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 1216	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 1080	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 1080	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 1080	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 1080	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 1728	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 1728	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 1728	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 1728	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 2044	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 2044	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 2044	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 2044	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 2032	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 2032	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 2032	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe
PID 1904 wrote to memory of 2032	1904	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe	07426d1fa6cc07107277cedeb0ed843fba44a79bf71fd228b3e74b5aaa5b9e4b.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads