94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70

General

Target

94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
Size

1008KB
MD5

7b99d6a7a31553cba5b2d41e2e66a180
SHA1

8b88927eb171be40e078b71d8b3ec0ce8c0fedf9
SHA256

94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70
SHA512

5a7b1f7d1d26b982ae54a9d4113a0e813fe94d254ad9fcf686745c00864b732c4e36fa044c6eb6505f150b7dc500e20750f4cfd5dd630f24ddd744e2fd3bce1b
SSDEEP

24576:gjmqIdiK3JoSNdM1OMDl9smjyWJw525RGdfzzh1N6j4H5C:gmqPMM17h9F9q25RwPNQy5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1564	mscorsvw.exe
460	Process not Found
520	mscorsvw.exe
1240	mscorsvw.exe

Loads dropped DLL 1 IoCs

pid	Process
460	Process not Found

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\alg.exe	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
File created	\??\c:\windows\system32\jebjgmag.tmp	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
File created	\??\c:\windows\SysWOW64\pjheinjn.tmp	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\oobhpaeh.tmp	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\aolbgjnf.tmp	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\bcepgjhm.tmp	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\hcemoodg.tmp	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2044	94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe

C:\Users\Admin\AppData\Local\Temp\94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe
"C:\Users\Admin\AppData\Local\Temp\94eed317c3e652c0f234e83a124cceae436c66534452c719a84d3e470980cf70.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1564

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
f1e0de8cd47647293d45f8258a606ce7

SHA1
0dbba7bb2fc2e632dde4e72c4424163269ef7eca

SHA256
a1457d64fa04b1b611b519cfe456af9a6b3e5dc023eaa534b3abf70d653bc410

SHA512
1d63ae95a3a394a7efe7f254e95d7362d1376f1036ad9dd420475dda9ca701685a5eceed102d3b252acadeb385c18974e29d0d21e57c0500c941755070ae2f18

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
f1e0de8cd47647293d45f8258a606ce7

SHA1
0dbba7bb2fc2e632dde4e72c4424163269ef7eca

SHA256
a1457d64fa04b1b611b519cfe456af9a6b3e5dc023eaa534b3abf70d653bc410

SHA512
1d63ae95a3a394a7efe7f254e95d7362d1376f1036ad9dd420475dda9ca701685a5eceed102d3b252acadeb385c18974e29d0d21e57c0500c941755070ae2f18

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
0010594daac948c35fb023ac672d4afa

SHA1
ee048a9dc3dc01a43f16cbc9c05ec21ef967bfe4

SHA256
711d96cd2bf58e38f02818e474af47ffb8d7e95ecd6e7dd3be688c3c5c18bfa0

SHA512
51817161ba3732df6144ea60ca2a73a6cb304134fc68c88eda69e1a4b4eab9578e576065979468fbeef3836ef858b9c4f6a9039515d1411b45af07d1f5c5e7f8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
613KB

MD5
0010594daac948c35fb023ac672d4afa

SHA1
ee048a9dc3dc01a43f16cbc9c05ec21ef967bfe4

SHA256
711d96cd2bf58e38f02818e474af47ffb8d7e95ecd6e7dd3be688c3c5c18bfa0

SHA512
51817161ba3732df6144ea60ca2a73a6cb304134fc68c88eda69e1a4b4eab9578e576065979468fbeef3836ef858b9c4f6a9039515d1411b45af07d1f5c5e7f8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
644KB

MD5
24e352086e549b1bc084be3926b6c70f

SHA1
c11f1373ef6375ce688fa1703eff0424b75c2465

SHA256
40836ae1d517aea2b63327c1f42702a59d7b35b124c7a5911b4fe49f9b1b2c6d

SHA512
64f5b8e8c3c8bdf31eaf406fc6ea8f35dabc28191e991f01afa4f5641ea3e64d0d6ff613e7fdaed8a112623460cf8af3615b83f5bb7ba8c3293e46dcf033e786

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
f1e0de8cd47647293d45f8258a606ce7

SHA1
0dbba7bb2fc2e632dde4e72c4424163269ef7eca

SHA256
a1457d64fa04b1b611b519cfe456af9a6b3e5dc023eaa534b3abf70d653bc410

SHA512
1d63ae95a3a394a7efe7f254e95d7362d1376f1036ad9dd420475dda9ca701685a5eceed102d3b252acadeb385c18974e29d0d21e57c0500c941755070ae2f18

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
640KB

MD5
f1e0de8cd47647293d45f8258a606ce7

SHA1
0dbba7bb2fc2e632dde4e72c4424163269ef7eca

SHA256
a1457d64fa04b1b611b519cfe456af9a6b3e5dc023eaa534b3abf70d653bc410

SHA512
1d63ae95a3a394a7efe7f254e95d7362d1376f1036ad9dd420475dda9ca701685a5eceed102d3b252acadeb385c18974e29d0d21e57c0500c941755070ae2f18

Download Submit
memory/520-65-0x0000000010000000-0x000000001028B000-memory.dmp

Filesize
2.5MB

Download
memory/1240-68-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1564-58-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/1564-63-0x0000000010000000-0x0000000010258000-memory.dmp

Filesize
2.3MB

Download
memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/2044-56-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/2044-66-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/2044-55-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing