acd7c7d3c967c0087a8b1ccf585c9c08f5d8399bda6c14f3c43c2acfb0121992

General

Target

SecuriteInfo.com.Variant.Strictor.273673.27165.exe
Size

1.0MB
MD5

83fc6e09fa1e7f949345467c3c28fb0f
SHA1

78e5bdb5de645f7425462e017a665eca1154b06f
SHA256

acd7c7d3c967c0087a8b1ccf585c9c08f5d8399bda6c14f3c43c2acfb0121992
SHA512

70b57e2dca4184c793d492c9507758f4c24b4d90a7486406a9d35bc9b6c32522bb1cf81747bc1e882f00e9cfc6a66742cf7a23650f3573ba550583239e098d6f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1952 schtasks.exe

pid	process
1952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

SecuriteInfo.com.Variant.Strictor.273673.27165.exepowershell.exe

pid	process
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
1892	powershell.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Variant.Strictor.273673.27165.exepowershell.exe

description pid process

Token: SeDebugPrivilege 784 SecuriteInfo.com.Variant.Strictor.273673.27165.exe
Token: SeDebugPrivilege 1892 powershell.exe

description	pid	process
Token: SeDebugPrivilege	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
Token: SeDebugPrivilege	1892	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SecuriteInfo.com.Variant.Strictor.273673.27165.exe

description	pid	process	target process
PID 784 wrote to memory of 1892	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	powershell.exe
PID 784 wrote to memory of 1892	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	powershell.exe
PID 784 wrote to memory of 1892	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	powershell.exe
PID 784 wrote to memory of 1892	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	powershell.exe
PID 784 wrote to memory of 1952	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	schtasks.exe
PID 784 wrote to memory of 1952	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	schtasks.exe
PID 784 wrote to memory of 1952	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	schtasks.exe
PID 784 wrote to memory of 1952	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	schtasks.exe
PID 784 wrote to memory of 1360	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
PID 784 wrote to memory of 1360	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
PID 784 wrote to memory of 1360	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
PID 784 wrote to memory of 1360	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
PID 784 wrote to memory of 1360	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	SecuriteInfo.com.Variant.Strictor.273673.27165.exe
PID 784 wrote to memory of 1360	784	SecuriteInfo.com.Variant.Strictor.273673.27165.exe	SecuriteInfo.com.Variant.Strictor.273673.27165.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XKfmPt.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XKfmPt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF7F6.tmp"
2⤵
- Creates scheduled task(s)
PID:1952

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"
2⤵
PID:1360

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF7F6.tmp
Filesize
1KB

MD5
d1bc4c20550f9de1be11368b6912fb58

SHA1
742ef53bfa7fc4f8e285c294a5268a8501d0d65e

SHA256
9204f205090df1f18f37701250e6381613e39c553717ef1afb566b606b2e0ab4

SHA512
d9ebb05b6d1c488dc83297fc24fd0431fd4797e0e261e7bde93e372eac0f23bb96937363eb1d2e00301c335ec4cec4b1e03e33dfc39f3f50020702472d01bb04

Download Submit
memory/784-55-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/784-56-0x0000000000370000-0x0000000000390000-memory.dmp

Filesize
128KB

Download
memory/784-57-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/784-58-0x0000000004DF0000-0x0000000004E54000-memory.dmp

Filesize
400KB

Download
memory/784-54-0x0000000000990000-0x0000000000A98000-memory.dmp

Filesize
1.0MB

Download
memory/784-63-0x0000000004D20000-0x0000000004D40000-memory.dmp

Filesize
128KB

Download
memory/1360-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1360-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1360-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1892-59-0x0000000000000000-mapping.dmp

Download
memory/1892-69-0x000000006EC60000-0x000000006F20B000-memory.dmp

Filesize
5.7MB

Download
memory/1892-70-0x000000006EC60000-0x000000006F20B000-memory.dmp

Filesize
5.7MB

Download
memory/1952-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads