45bb406cb0f12d7da6ff9d15798976a874cad8c52165857b310d78edb49ccb01

General

Target

45bb406cb0f12d7da6ff9d15798976a874cad8c52165857b310d78edb49ccb01.exe
Size

178KB
MD5

e420951d76624d6afbaf606eb8c9accf
SHA1

9ee68a5cf9ec7bb79b68eb7fd40abdf334c8696e
SHA256

45bb406cb0f12d7da6ff9d15798976a874cad8c52165857b310d78edb49ccb01
SHA512

a7c5eba0b214ddff0ee2861720b2f7d33ff147df5925b3721b3bcdce72cfdd4cd69512d23c65b4f8f26db6547a2fb8be2a8be179ad1f19477eed181b15fa9927

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://chocolatey.org/7za.exe

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	880	powershell.exe
5	880	powershell.exe
8	880	powershell.exe
13	880	powershell.exe
14	880	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
1784	bitsadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
880	powershell.exe
880	powershell.exe
880	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 936	1436	45bb406cb0f12d7da6ff9d15798976a874cad8c52165857b310d78edb49ccb01.exe	30
PID 1436 wrote to memory of 936	1436	45bb406cb0f12d7da6ff9d15798976a874cad8c52165857b310d78edb49ccb01.exe	30
PID 1436 wrote to memory of 936	1436	45bb406cb0f12d7da6ff9d15798976a874cad8c52165857b310d78edb49ccb01.exe	30
PID 1436 wrote to memory of 936	1436	45bb406cb0f12d7da6ff9d15798976a874cad8c52165857b310d78edb49ccb01.exe	30
PID 936 wrote to memory of 880	936	cmd.exe	32
PID 936 wrote to memory of 880	936	cmd.exe	32
PID 936 wrote to memory of 880	936	cmd.exe	32
PID 936 wrote to memory of 880	936	cmd.exe	32
PID 936 wrote to memory of 1496	936	cmd.exe	33
PID 936 wrote to memory of 1496	936	cmd.exe	33
PID 936 wrote to memory of 1496	936	cmd.exe	33
PID 936 wrote to memory of 1496	936	cmd.exe	33
PID 880 wrote to memory of 968	880	powershell.exe	34
PID 880 wrote to memory of 968	880	powershell.exe	34
PID 880 wrote to memory of 968	880	powershell.exe	34
PID 880 wrote to memory of 968	880	powershell.exe	34
PID 968 wrote to memory of 1784	968	cmd.exe	36
PID 968 wrote to memory of 1784	968	cmd.exe	36
PID 968 wrote to memory of 1784	968	cmd.exe	36
PID 968 wrote to memory of 1784	968	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\45bb406cb0f12d7da6ff9d15798976a874cad8c52165857b310d78edb49ccb01.exe
"C:\Users\Admin\AppData\Local\Temp\45bb406cb0f12d7da6ff9d15798976a874cad8c52165857b310d78edb49ccb01.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ep Unrestricted -f "C:\ProgramData\0ckQFzvoM.ps1" | find /v "" >> "C:\Users\Admin\AppData\Local\Temp\WYZSGDWS.log"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep Unrestricted -f "C:\ProgramData\0ckQFzvoM.ps1"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /b /c bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\5fqSChV82yno.zip"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:968
    - - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer /download /priority HIGH "https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg" "C:\Users\Admin\AppData\Local\Temp\5fqSChV82yno.zip"
        5⤵
        Download via BitsAdmin
        
        PID:1784
- - C:\Windows\SysWOW64\find.exe
    find /v ""
    3⤵
    PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

1

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\0ckQFzvoM.ps1

Filesize
7KB

MD5
716d8a3a26d33f2ea7eb38c9e697f12b

SHA1
29dddb24127c5ca6188a6416b9217d663a3de3df

SHA256
c66b1f184e0c10e4d0e63c88fec76f6dd5852795c1b359eb87e894f959361b3d

SHA512
5c10895504e61deb1299ff4d05046cc2caca6a4f296c38aed5a74f5c9e7c11c739bf1023c49adcd4f44d55527d965bace345053da19e09faf5c8418cf41f2350

Download Submit
memory/880-57-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/880-58-0x0000000073180000-0x000000007372B000-memory.dmp

Filesize
5.7MB

Download
memory/880-60-0x0000000073180000-0x000000007372B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads