46935cf2f929d8e0466eb12af6bc0ecd4251d48c938a1d7fb1041fbefd44cda1

Analysis

Target

46935cf2f929d8e0466eb12af6bc0ecd4251d48c938a1d7fb1041fbefd44cda1.exe
Size

304KB
MD5

d01c6c9d0ee7718220385bb50e674979
SHA1

5f173f9d3898427109863869f412071bb3983add
SHA256

46935cf2f929d8e0466eb12af6bc0ecd4251d48c938a1d7fb1041fbefd44cda1
SHA512

e781569b628b7b4dbd2f2be4a7d1222dfd9861a93e9c78cb7837dc6caa2319f06339b5a199e92d7af16aa85a30bf03d3c073409392086012a358df1d1446614a

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\46935cf2f929d8e0466eb12af6bc0ecd4251d48c938a1d7fb1041fbefd44cda1.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

46935cf2f929d8e0466eb12af6bc0ecd4251d48c938a1d7fb1041fbefd44cda1.exe

description pid process

Token: SeDebugPrivilege 1448 46935cf2f929d8e0466eb12af6bc0ecd4251d48c938a1d7fb1041fbefd44cda1.exe

description	pid	process
Token: SeDebugPrivilege	1448	46935cf2f929d8e0466eb12af6bc0ecd4251d48c938a1d7fb1041fbefd44cda1.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

46935cf2f929d8e0466eb12af6bc0ecd4251d48c938a1d7fb1041fbefd44cda1.exe

description	pid	process	target process
PID 1448 wrote to memory of 960	1448	46935cf2f929d8e0466eb12af6bc0ecd4251d48c938a1d7fb1041fbefd44cda1.exe	cmd.exe
PID 1448 wrote to memory of 960	1448	46935cf2f929d8e0466eb12af6bc0ecd4251d48c938a1d7fb1041fbefd44cda1.exe	cmd.exe
PID 1448 wrote to memory of 960	1448	46935cf2f929d8e0466eb12af6bc0ecd4251d48c938a1d7fb1041fbefd44cda1.exe	cmd.exe
PID 1448 wrote to memory of 960	1448	46935cf2f929d8e0466eb12af6bc0ecd4251d48c938a1d7fb1041fbefd44cda1.exe	cmd.exe

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\46935cf2f929d8e0466eb12af6bc0ecd4251d48c938a1d7fb1041fbefd44cda1.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:960

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/960-57-0x0000000000000000-mapping.dmp

Download
memory/1448-54-0x0000000000160000-0x00000000001B2000-memory.dmp

Filesize
328KB

Download
memory/1448-55-0x00000000003A0000-0x00000000003C4000-memory.dmp

Filesize
144KB

Download
memory/1448-56-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download