561020146ff3081f02937ef708fb0b324b687c45b2d24ed5d279b3e7df6efbaa

Analysis

max time kernel
85s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 20:40

Target

561020146ff3081f02937ef708fb0b324b687c45b2d24ed5d279b3e7df6efbaa.exe
Size

651KB
MD5

35a24f5de9c5ba3d2e066e68b72d2f70
SHA1

6b4c6f00c2d42fc0e51755f825386682f4851be0
SHA256

561020146ff3081f02937ef708fb0b324b687c45b2d24ed5d279b3e7df6efbaa
SHA512

82c75ea570d1493d734abc17339710a0e8ab98adae2f0c00ad2adaa182efec4dc8e631a9aa3037efe4782e06e7bf7bbe1d56a1e9d3b2a7509c0e986ec2d30c63
SSDEEP

12288:xQFagDPUcf2iqlguFrm4trc/fqo5F7q7PMgcTWCed5apzbmfYg4tC3GUlUnq:xQFNIK2yuZr2fqQFOr9Wpzbju3GFnq

Score

8^/10

upx

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/384-132-0x0000000002330000-0x0000000002471000-memory.dmp	upx
behavioral2/memory/384-135-0x0000000002330000-0x0000000002471000-memory.dmp	upx
behavioral2/memory/384-136-0x0000000002330000-0x0000000002471000-memory.dmp	upx
behavioral2/memory/384-139-0x0000000002330000-0x0000000002471000-memory.dmp	upx
behavioral2/memory/384-140-0x0000000002330000-0x0000000002471000-memory.dmp	upx
behavioral2/memory/384-141-0x0000000002330000-0x0000000002471000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
384	561020146ff3081f02937ef708fb0b324b687c45b2d24ed5d279b3e7df6efbaa.exe
384	561020146ff3081f02937ef708fb0b324b687c45b2d24ed5d279b3e7df6efbaa.exe
384	561020146ff3081f02937ef708fb0b324b687c45b2d24ed5d279b3e7df6efbaa.exe
384	561020146ff3081f02937ef708fb0b324b687c45b2d24ed5d279b3e7df6efbaa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	384	561020146ff3081f02937ef708fb0b324b687c45b2d24ed5d279b3e7df6efbaa.exe
Token: SeCreatePagefilePrivilege	384	561020146ff3081f02937ef708fb0b324b687c45b2d24ed5d279b3e7df6efbaa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
384	561020146ff3081f02937ef708fb0b324b687c45b2d24ed5d279b3e7df6efbaa.exe
384	561020146ff3081f02937ef708fb0b324b687c45b2d24ed5d279b3e7df6efbaa.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/384-132-0x0000000002330000-0x0000000002471000-memory.dmp

Filesize
1.3MB

Download
memory/384-135-0x0000000002330000-0x0000000002471000-memory.dmp

Filesize
1.3MB

Download
memory/384-136-0x0000000002330000-0x0000000002471000-memory.dmp

Filesize
1.3MB

Download
memory/384-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/384-138-0x00000000021B0000-0x0000000002253000-memory.dmp

Filesize
652KB

Download
memory/384-139-0x0000000002330000-0x0000000002471000-memory.dmp

Filesize
1.3MB

Download
memory/384-140-0x0000000002330000-0x0000000002471000-memory.dmp

Filesize
1.3MB

Download
memory/384-141-0x0000000002330000-0x0000000002471000-memory.dmp

Filesize
1.3MB

Download