41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5

General

Target

41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe
Size

1.3MB
MD5

46f3cb1f7ebc3a9713e726d9506afa5f
SHA1

e60ebfa3d159df9f6fd1e0bc7842bf6204477d00
SHA256

41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5
SHA512

2cc74852fc1a58a360d7f8dbce7e369fe6924e4738234eec4c1b81b8ca494234c1fb7afa32f9825cddda04d8757da1ac02fc4b32325528bca858e266873495f8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
664	UtilityBeats.exe

Loads dropped DLL 1 IoCs

pid	Process
1768	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\UtilityBeats.exe\:Zone.Identifier:$DATA	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1208	1900	41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe	27
PID 1900 wrote to memory of 1208	1900	41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe	27
PID 1900 wrote to memory of 1208	1900	41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe	27
PID 1900 wrote to memory of 1208	1900	41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe	27
PID 1900 wrote to memory of 1108	1900	41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe	29
PID 1900 wrote to memory of 1108	1900	41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe	29
PID 1900 wrote to memory of 1108	1900	41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe	29
PID 1900 wrote to memory of 1108	1900	41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe	29
PID 1900 wrote to memory of 1768	1900	41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe	31
PID 1900 wrote to memory of 1768	1900	41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe	31
PID 1900 wrote to memory of 1768	1900	41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe	31
PID 1900 wrote to memory of 1768	1900	41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe	31
PID 1768 wrote to memory of 664	1768	cmd.exe	33
PID 1768 wrote to memory of 664	1768	cmd.exe	33
PID 1768 wrote to memory of 664	1768	cmd.exe	33
PID 1768 wrote to memory of 664	1768	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe
"C:\Users\Admin\AppData\Local\Temp\41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:1208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\UtilityBeats.exe"
  2⤵
  - NTFS ADS
  PID:1108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\UtilityBeats.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\UtilityBeats.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\UtilityBeats.exe"
    3⤵
    - Executes dropped EXE
    PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\UtilityBeats.exe

Filesize
1.3MB

MD5
46f3cb1f7ebc3a9713e726d9506afa5f

SHA1
e60ebfa3d159df9f6fd1e0bc7842bf6204477d00

SHA256
41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5

SHA512
2cc74852fc1a58a360d7f8dbce7e369fe6924e4738234eec4c1b81b8ca494234c1fb7afa32f9825cddda04d8757da1ac02fc4b32325528bca858e266873495f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\UtilityBeats.exe

Filesize
1.3MB

MD5
46f3cb1f7ebc3a9713e726d9506afa5f

SHA1
e60ebfa3d159df9f6fd1e0bc7842bf6204477d00

SHA256
41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5

SHA512
2cc74852fc1a58a360d7f8dbce7e369fe6924e4738234eec4c1b81b8ca494234c1fb7afa32f9825cddda04d8757da1ac02fc4b32325528bca858e266873495f8

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\UtilityBeats.exe

Filesize
1.3MB

MD5
46f3cb1f7ebc3a9713e726d9506afa5f

SHA1
e60ebfa3d159df9f6fd1e0bc7842bf6204477d00

SHA256
41da47a170f485b14f61b095ea488d54f33a11de60afaa845c4f146c06704dd5

SHA512
2cc74852fc1a58a360d7f8dbce7e369fe6924e4738234eec4c1b81b8ca494234c1fb7afa32f9825cddda04d8757da1ac02fc4b32325528bca858e266873495f8

Download Submit
memory/664-64-0x00000000011A0000-0x00000000012F6000-memory.dmp

Filesize
1.3MB

Download
memory/1900-54-0x0000000000B00000-0x0000000000C56000-memory.dmp

Filesize
1.3MB

Download
memory/1900-55-0x00000000001F0000-0x0000000000214000-memory.dmp

Filesize
144KB

Download
memory/1900-56-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing