45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992

Analysis

max time kernel
83s
max time network
183s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
13/09/2022, 10:18

Target

45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe
Size

6.0MB
MD5

4033d6bb9c6092f6509e66b242f270ac
SHA1

032a1b637d5b433d7c1ac87177f6de7acb0950e1
SHA256

45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992
SHA512

70f75f31a02c36675ed419ded242e682770dfad3e1c744637699247d5347ea2a18e8861fa575c3b7670aa4685f0a2786991de249c95045de6c9a4c0c81310585
SSDEEP

98304:mJZp5tSk7dsG3/CTwxR8Oj/v5C8BCquzpy1JtI1ZNQZop0+I5bsnvjN:mJZpfGu/C6Zj/vk7quzc21j8okuN

Score

5^/10

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 1364	1744	45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe	68

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
1744	45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe
Token: SeDebugPrivilege	1580	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1580	1744	45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe	67
PID 1744 wrote to memory of 1580	1744	45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe	67
PID 1744 wrote to memory of 1364	1744	45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe	68
PID 1744 wrote to memory of 1364	1744	45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe	68
PID 1744 wrote to memory of 1364	1744	45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe	68
PID 1744 wrote to memory of 1364	1744	45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe	68
PID 1744 wrote to memory of 1364	1744	45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe	68
PID 1744 wrote to memory of 1364	1744	45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe	68

C:\Users\Admin\AppData\Local\Temp\45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe
"C:\Users\Admin\AppData\Local\Temp\45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAA1AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe
  C:\Users\Admin\AppData\Local\Temp\45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe
  2⤵
  PID:1364

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\45069d4f9edf65ec5f758688dc66d041b7941f3a1fc1a3c4af60dbe228af8992.exe.log

Filesize
1KB

MD5
1ef25488730872d5ae132bae28deb8e5

SHA1
86a78549f38de76664ad427f75f9cb704cfdec2d

SHA256
958f91057482655064ead41408edb85b78d1cdd0f9449b6be6107911457e2e0a

SHA512
19a998c39c4f0d0154ca9724ba55acb57cd33acae30c03d643cb309134fd81a3029e1e44283493835c37cf04c3373bbe508482b42b7acffaf9255b07039a4e11

Download Submit
memory/1364-135-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1364-138-0x0000019D368F0000-0x0000019D36996000-memory.dmp

Filesize
664KB

Download
memory/1364-139-0x0000019D1DE70000-0x0000019D1DEBE000-memory.dmp

Filesize
312KB

Download
memory/1364-140-0x0000019D36AA0000-0x0000019D36AEC000-memory.dmp

Filesize
304KB

Download
memory/1580-127-0x00000268EDA50000-0x00000268EDAC6000-memory.dmp

Filesize
472KB

Download
memory/1744-116-0x0000018438AA0000-0x00000184390A8000-memory.dmp

Filesize
6.0MB

Download
memory/1744-117-0x00000184535F0000-0x0000018453722000-memory.dmp

Filesize
1.2MB

Download
memory/1744-118-0x0000018453790000-0x0000018453822000-memory.dmp

Filesize
584KB

Download
memory/1744-119-0x0000018453850000-0x0000018453872000-memory.dmp

Filesize
136KB

Download