97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3

General

Target

97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
Size

555KB
MD5

144864cb064cd008df905e94239641a7
SHA1

7da2c3a83db7624d84ddf78d98e684dcbae12172
SHA256

97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3
SHA512

18085befbedd34d9db3473b34895ebfbca94e34a76d66365eea9e1341c1441d1f2e474f9ef6e6425b5bbf193327b1e2b9235ef435d285d429f2406c7ee623c55

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

944 schtasks.exe

pid	process
944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe

pid	process
2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe

description pid process

Token: SeDebugPrivilege 2020 97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe

description	pid	process
Token: SeDebugPrivilege	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe

C:\Users\Admin\AppData\Local\Temp\97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
"C:\Users\Admin\AppData\Local\Temp\97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HtsxZECQaAEQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp759E.tmp"
2⤵
- Creates scheduled task(s)
PID:944

C:\Users\Admin\AppData\Local\Temp\97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
"{path}"
2⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
"{path}"
2⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
"{path}"
2⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
"{path}"
2⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
"{path}"
2⤵
PID:1332

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp759E.tmp
Filesize
1KB

MD5
707b2bfe1e8476290064981677b40707

SHA1
ffa5cde21a4fa99eb6994cd72b5f8d7811b78935

SHA256
b26b48c7382ad1371b068c2cdcd8a5ed280be3197a1cc02ebb6f60cafd9c96c9

SHA512
0cca1f100bd8974112d62063bfe29484484e9e40226969019475811ce5af3b1752e22ab853d247fdfc5ef62a01b7b4eb10a43bd582b30bb8dcc649a1d47113ad

Download Submit
memory/944-59-0x0000000000000000-mapping.dmp

Download
memory/2020-54-0x0000000000390000-0x0000000000420000-memory.dmp

Filesize
576KB

Download
memory/2020-55-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/2020-56-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2020-57-0x0000000005190000-0x000000000520C000-memory.dmp

Filesize
496KB

Download
memory/2020-58-0x0000000004CD0000-0x0000000004CFE000-memory.dmp

Filesize
184KB

Download

description	pid	process	target process
PID 2020 wrote to memory of 944	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	schtasks.exe
PID 2020 wrote to memory of 944	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	schtasks.exe
PID 2020 wrote to memory of 944	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	schtasks.exe
PID 2020 wrote to memory of 944	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	schtasks.exe
PID 2020 wrote to memory of 1196	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1196	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1196	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1196	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1536	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1536	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1536	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1536	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1532	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1532	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1532	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1532	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1740	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1740	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1740	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1740	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1332	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1332	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1332	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe
PID 2020 wrote to memory of 1332	2020	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe	97aade816a21c7063ea9872443acf770fc2d06a02badb1537a4a071dde9feda3.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads