b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc

Analysis

max time kernel
189s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe
Size

277KB
MD5

6f502fb960ffd89b9c5356a3becb02ef
SHA1

abc25aa7f8fd3d68d770f5677fdff69c451885dd
SHA256

b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc
SHA512

189b36b8f9051cec4c1a15afc83d3a66affe3f2c94746efa082c7e64a9202e0ea724d5dfe8e10a2640ee14887758871730ff4867fd4f0d629a8c24d6b76f6b51
SSDEEP

6144:XyuMwiLdfR2m7mrUsqWBn837FNldObO3k1jQ:iuMwE2m77sZB07FxObO320

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1152-58-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1952-63-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1952-65-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1952-66-0x0000000010410000-0x0000000010480000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe
Token: SeDebugPrivilege	1952	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27
PID 1152 wrote to memory of 1952	1152	b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe	27

C:\Users\Admin\AppData\Local\Temp\b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe
"C:\Users\Admin\AppData\Local\Temp\b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe
  "C:\Users\Admin\AppData\Local\Temp\b68d66010c22bfc4da3f6241857981e0f4bf5de50e7c0649400f3e3811b5febc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
234KB

MD5
4203e8f97df3a465cf209d43db44ff1b

SHA1
9b67982aeeaef608119debea12c3a79b6e39f8d1

SHA256
186f8b8f0c2f45296e245ee8c0ad7062cbd81535cf129494a5310ba752e7bb50

SHA512
7d383c18c16ad6fe59cd7ada1ba15d60eef16f69e4a6c0af76a83ec66673f4f9950450a0219f3dfcb2ff4a6dce59f283eb884b1412728fe6a807623c03009680

Download Submit
memory/1152-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1152-58-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1952-61-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1952-63-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1952-65-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1952-66-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download