5dc9e81a0593c1200437d11068aa277baf5028a03f45715adc69dcc05639b5eb

Analysis

max time kernel
91s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

233KB
MD5

872686c3c7d641cefa2b132eea43fea4
SHA1

b1c84ae422cdbf7759066354c928b62d27355794
SHA256

5dc9e81a0593c1200437d11068aa277baf5028a03f45715adc69dcc05639b5eb
SHA512

87f5de6459413147efab52f975c358c494caef7ea947cd2419f9b56c2e504b91394b1e4737752798bb8aa4a6fb61699eabdbcb9d9d46df018f2992f127211f95
SSDEEP

3072:MQHNmk8c/c8LYxWk3T/PBfRBJjWs71MafldMW/3epLqkHLY3jWfq:GBrWkj/PBRBJjHDs0j

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PrWYCgAd.lnk	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4324	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4324-132-0x0000000000FE0000-0x0000000001020000-memory.dmp

Filesize
256KB

Download
memory/4324-133-0x0000000005AA0000-0x0000000005B3C000-memory.dmp

Filesize
624KB

Download
memory/4324-134-0x00000000060F0000-0x0000000006694000-memory.dmp

Filesize
5.6MB

Download