48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e

General

Target

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe
Size

648KB
MD5

6f1efdc80f87d1b895004a26c2948210
SHA1

cae36f996570f5e520dca5e764bf7815dd490675
SHA256

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e
SHA512

eec4c05ba75b988fc461a777ee97d38c49093919de2a633dd68a9baf6892e9dfb54efd0675f9cb5df1da6429b02294a6cee921c51ee35871c86144b2f0d1322e
SSDEEP

12288:j9ogAOvlpTyhX9oRZ17/gDXsa0mFzPOncImbp3hTRkWaQemLZN:j+gAwvTyhX9AgDXsa0mZPfIgp3hTCWa

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j2t6bIXtKRzH.lnk	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

Loads dropped DLL 1 IoCs

Processes:

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

pid process

1608 48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

pid	process
1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

description	pid	process	target process
PID 1608 set thread context of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

pid process

1608 48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

description pid process

Token: SeDebugPrivilege 1608 48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

pid	process
1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

description	pid	process
Token: SeDebugPrivilege	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

description	pid	process	target process
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe
"C:\Users\Admin\AppData\Local\Temp\48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:816

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\ySILlzCwX\LBSrQ1Vb7.exe
Filesize
648KB

MD5
6f1efdc80f87d1b895004a26c2948210

SHA1
cae36f996570f5e520dca5e764bf7815dd490675

SHA256
48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e

SHA512
eec4c05ba75b988fc461a777ee97d38c49093919de2a633dd68a9baf6892e9dfb54efd0675f9cb5df1da6429b02294a6cee921c51ee35871c86144b2f0d1322e

Download Submit
memory/816-62-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-56-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-57-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-59-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-61-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-63-0x0000000000494F0E-mapping.dmp

Download
memory/816-65-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-67-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-69-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1608-55-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-71-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads