d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3

General

Target

d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
Size

246KB
MD5

f2df64e2c65f44aa533a8daccd081976
SHA1

6958d74875566da3ae865ae765b31ca3633fce90
SHA256

d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3
SHA512

ab82f1be2bbb3533455f3badbaa53c0fac192a2d86e3455117011511ddcb542acfa1e385d10bf0dca16fc2bafc55019d1f471508d4bb725ff5e4da046cb6029f
SSDEEP

384:zl9gFlW7zkFXP4WGzvsuj8Sf5dCuEMa/qunCmtJdh5R555Dg:59Ogs6bdCjquRr5R555U

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4028	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
4548	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 2736	2252	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	69
PID 4028 set thread context of 4548	4028	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	74

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2168	powershell.exe
2168	powershell.exe
2168	powershell.exe
2252	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
2252	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
3732	powershell.exe
3732	powershell.exe
3732	powershell.exe
4028	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
4028	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2736	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
Token: SeDebugPrivilege	4028	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	4548	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2168	2252	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	67
PID 2252 wrote to memory of 2168	2252	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	67
PID 2252 wrote to memory of 2736	2252	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	69
PID 2252 wrote to memory of 2736	2252	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	69
PID 2252 wrote to memory of 2736	2252	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	69
PID 2252 wrote to memory of 2736	2252	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	69
PID 2252 wrote to memory of 2736	2252	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	69
PID 2252 wrote to memory of 2736	2252	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	69
PID 4028 wrote to memory of 3732	4028	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	72
PID 4028 wrote to memory of 3732	4028	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	72
PID 4028 wrote to memory of 4548	4028	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	74
PID 4028 wrote to memory of 4548	4028	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	74
PID 4028 wrote to memory of 4548	4028	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	74
PID 4028 wrote to memory of 4548	4028	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	74
PID 4028 wrote to memory of 4548	4028	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	74
PID 4028 wrote to memory of 4548	4028	d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe	74

C:\Users\Admin\AppData\Local\Temp\d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
"C:\Users\Admin\AppData\Local\Temp\d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Users\Admin\AppData\Local\Temp\d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
  C:\Users\Admin\AppData\Local\Temp\d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2736

C:\Users\Admin\AppData\Roaming\d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
C:\Users\Admin\AppData\Roaming\d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Users\Admin\AppData\Roaming\d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
  C:\Users\Admin\AppData\Roaming\d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe.log

Filesize
1KB

MD5
74304ff67773fb7e15bd50ce28fe1d89

SHA1
8a1a685e904e13784bab782ff1bbc3e939e97caf

SHA256
09e5dc625f001492b9221f40984b09cd0a4bae18a038e72248bab6abeb914ba3

SHA512
d7850f3456febd78504ac3d3ae434d44c4e7f9c094233bd2f61856b281ae26ce2448adf61bb53179aeffeaeec7bc74f09a96a84b5a001e6b180fef1487715f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d16cb6309efe502fadbfa0834e0a8ec1

SHA1
5310f3cce34e960e7f22cdf5b9d54adc78c8e878

SHA256
25f1d322d004c41fd8edbd056eb89a967074c273a43b54f1a647307940dd4b2a

SHA512
88a8fd777c1c1351614527fb6a58d66aae36e41a0edc71cb9e85c38652ed0b1702f01cd30f899aded720920b1d66c8fc4b4219131f84ff4eea7bf5a409d29e0f

Download Submit
C:\Users\Admin\AppData\Roaming\d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe

Filesize
246KB

MD5
f2df64e2c65f44aa533a8daccd081976

SHA1
6958d74875566da3ae865ae765b31ca3633fce90

SHA256
d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3

SHA512
ab82f1be2bbb3533455f3badbaa53c0fac192a2d86e3455117011511ddcb542acfa1e385d10bf0dca16fc2bafc55019d1f471508d4bb725ff5e4da046cb6029f

Download Submit
C:\Users\Admin\AppData\Roaming\d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe

Filesize
246KB

MD5
f2df64e2c65f44aa533a8daccd081976

SHA1
6958d74875566da3ae865ae765b31ca3633fce90

SHA256
d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3

SHA512
ab82f1be2bbb3533455f3badbaa53c0fac192a2d86e3455117011511ddcb542acfa1e385d10bf0dca16fc2bafc55019d1f471508d4bb725ff5e4da046cb6029f

Download Submit
C:\Users\Admin\AppData\Roaming\d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3.exe

Filesize
246KB

MD5
f2df64e2c65f44aa533a8daccd081976

SHA1
6958d74875566da3ae865ae765b31ca3633fce90

SHA256
d8b8f7d0334857a3749963c08491c155c6743af96f8ad779101060ff71a9eca3

SHA512
ab82f1be2bbb3533455f3badbaa53c0fac192a2d86e3455117011511ddcb542acfa1e385d10bf0dca16fc2bafc55019d1f471508d4bb725ff5e4da046cb6029f

Download Submit
memory/2168-127-0x00000227B5030000-0x00000227B50A6000-memory.dmp

Filesize
472KB

Download
memory/2252-117-0x000001977EDC0000-0x000001977EED2000-memory.dmp

Filesize
1.1MB

Download
memory/2252-118-0x000001977EED0000-0x000001977EF62000-memory.dmp

Filesize
584KB

Download
memory/2252-119-0x000001977EF60000-0x000001977EF82000-memory.dmp

Filesize
136KB

Download
memory/2252-116-0x000001977C750000-0x000001977C792000-memory.dmp

Filesize
264KB

Download
memory/2736-139-0x00000199917A0000-0x00000199917EE000-memory.dmp

Filesize
312KB

Download
memory/2736-141-0x0000019993230000-0x0000019993284000-memory.dmp

Filesize
336KB

Download
memory/2736-140-0x0000019993100000-0x000001999314C000-memory.dmp

Filesize
304KB

Download
memory/2736-138-0x0000019993180000-0x0000019993226000-memory.dmp

Filesize
664KB

Download
memory/2736-135-0x0000000140000000-0x0000000140078000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing