928f75ac182baea6734e08cdd425bcea33bf7f27a43922b9f693d199d7aee550

General

Target

tmp.exe
Size

2.4MB
MD5

05f6fa39a293a904e53aad577744ee8e
SHA1

99126bc0831b9d49eb46fd6dcdf7a12376db415d
SHA256

928f75ac182baea6734e08cdd425bcea33bf7f27a43922b9f693d199d7aee550
SHA512

3136c7a911b07496d0f85885780edf684592ec265173801a1a472406a8b73bc1bebe0fa48202ded9b83acb8a0f633d6b1ce1657adc6a5775ca8946010d76df9b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1740 schtasks.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

tmp.exepowershell.exe

pid process

1876 tmp.exe
1876 tmp.exe
1876 tmp.exe
1876 tmp.exe
1876 tmp.exe
1876 tmp.exe
1876 tmp.exe
1876 tmp.exe
1876 tmp.exe
1876 tmp.exe
1876 tmp.exe
828 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1876 tmp.exe
Token: SeDebugPrivilege 828 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

tmp.exe

pid process

1876 tmp.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

tmp.exe

pid process

1876 tmp.exe

pid	process
1740	schtasks.exe

pid	process
1876	tmp.exe
1876	tmp.exe
1876	tmp.exe
1876	tmp.exe
1876	tmp.exe
1876	tmp.exe
1876	tmp.exe
1876	tmp.exe
1876	tmp.exe
1876	tmp.exe
1876	tmp.exe
828	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1876	tmp.exe
Token: SeDebugPrivilege	828	powershell.exe

pid	process
1876	tmp.exe

pid	process
1876	tmp.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1876 wrote to memory of 828	1876	tmp.exe	powershell.exe
PID 1876 wrote to memory of 828	1876	tmp.exe	powershell.exe
PID 1876 wrote to memory of 828	1876	tmp.exe	powershell.exe
PID 1876 wrote to memory of 828	1876	tmp.exe	powershell.exe
PID 1876 wrote to memory of 1740	1876	tmp.exe	schtasks.exe
PID 1876 wrote to memory of 1740	1876	tmp.exe	schtasks.exe
PID 1876 wrote to memory of 1740	1876	tmp.exe	schtasks.exe
PID 1876 wrote to memory of 1740	1876	tmp.exe	schtasks.exe
PID 1876 wrote to memory of 520	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 520	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 520	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 520	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 764	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 764	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 764	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 764	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 1392	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 1392	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 1392	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 1392	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 1908	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 1908	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 1908	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 1908	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 2012	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 2012	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 2012	1876	tmp.exe	tmp.exe
PID 1876 wrote to memory of 2012	1876	tmp.exe	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HziGohhJaJ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HziGohhJaJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB51D.tmp"
2⤵
- Creates scheduled task(s)
PID:1740

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
PID:2012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB51D.tmp
Filesize
1KB

MD5
48f4c32e58d356ecede893e6a3a4c515

SHA1
0d9879c4ee18cd9455732b0a8e5346b927dd8acb

SHA256
0e28452eda502854a0c81f57ce28d4e91ae17805ade8d9abc638c1723e34b2d3

SHA512
6cf36ba88e9a5bc816d71568881364b805b5f9e3e5c68d047bc75a15cf03cd03fcc42bbe8f24310d890832898e76643c39204ae4712a38db2e6298a13f556a40

Download Submit
memory/828-59-0x0000000000000000-mapping.dmp

Download
memory/828-64-0x000000006E160000-0x000000006E70B000-memory.dmp

Filesize
5.7MB

Download
memory/828-65-0x000000006E160000-0x000000006E70B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-60-0x0000000000000000-mapping.dmp

Download
memory/1876-54-0x00000000001D0000-0x0000000000440000-memory.dmp

Filesize
2.4MB

Download
memory/1876-55-0x0000000075DC1000-0x0000000075DC3000-memory.dmp

Filesize
8KB

Download
memory/1876-56-0x0000000000800000-0x0000000000820000-memory.dmp

Filesize
128KB

Download
memory/1876-57-0x00000000020B0000-0x00000000020BC000-memory.dmp

Filesize
48KB

Download
memory/1876-58-0x000000000A990000-0x000000000AAFE000-memory.dmp

Filesize
1.4MB

Download
memory/1876-63-0x000000000A6B0000-0x000000000A7E8000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads