48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e

General

Target

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe
Size

648KB
MD5

6f1efdc80f87d1b895004a26c2948210
SHA1

cae36f996570f5e520dca5e764bf7815dd490675
SHA256

48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e
SHA512

eec4c05ba75b988fc461a777ee97d38c49093919de2a633dd68a9baf6892e9dfb54efd0675f9cb5df1da6429b02294a6cee921c51ee35871c86144b2f0d1322e
SSDEEP

12288:j9ogAOvlpTyhX9oRZ17/gDXsa0mFzPOncImbp3hTRkWaQemLZN:j+gAwvTyhX9AgDXsa0mZPfIgp3hTCWa

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j2t6bIXtKRzH.lnk	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

Loads dropped DLL 1 IoCs

pid	Process
1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1608 set thread context of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	27
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	27
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	27
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	27
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	27
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	27
PID 1608 wrote to memory of 1516	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	27
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	28
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	28
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	28
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	28
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	28
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	28
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	28
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	28
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	28
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	28
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	28
PID 1608 wrote to memory of 816	1608	48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe	28

C:\Users\Admin\AppData\Local\Temp\48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe
"C:\Users\Admin\AppData\Local\Temp\48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1516
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\ySILlzCwX\LBSrQ1Vb7.exe

Filesize
648KB

MD5
6f1efdc80f87d1b895004a26c2948210

SHA1
cae36f996570f5e520dca5e764bf7815dd490675

SHA256
48d03fa14ce46213813b8f982d48c168c7522be272d6b38a2b34743890e6120e

SHA512
eec4c05ba75b988fc461a777ee97d38c49093919de2a633dd68a9baf6892e9dfb54efd0675f9cb5df1da6429b02294a6cee921c51ee35871c86144b2f0d1322e

Download Submit
memory/816-62-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-56-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-57-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-59-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-61-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-65-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-67-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/816-69-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1608-55-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-71-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing