9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6

Reason

Machine shutdown

General

Target

9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe
Size

49KB
MD5

4ce19bd58eb702387179f41fa04b0f13
SHA1

9fb42f5e22583de15fa4dbb4263a71c30d6115df
SHA256

9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6
SHA512

1ff078a712b31699e3bf793bb750826ea5b8f2f10bc88b95a22a85d8752cf78e32b8b4b922b50a379e4176a83da7ed202f416817cc18317c5d9a5ec960888e5b
SSDEEP

768:yq6ujco0Z4ayRqQpHMOGti1BBOvMP/tXEpzMCqkcr:k4rqh8wkPl0pK

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1212	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\48116460 = "C:\\Users\\Admin\\48116460.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe
Token: SeShutdownPrivilege	1124	shutdown.exe
Token: SeRemoteShutdownPrivilege	1124	shutdown.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2028	1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe	28
PID 1648 wrote to memory of 2028	1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe	28
PID 1648 wrote to memory of 2028	1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe	28
PID 1648 wrote to memory of 2028	1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe	28
PID 2028 wrote to memory of 1744	2028	cmd.exe	30
PID 2028 wrote to memory of 1744	2028	cmd.exe	30
PID 2028 wrote to memory of 1744	2028	cmd.exe	30
PID 2028 wrote to memory of 1744	2028	cmd.exe	30
PID 1648 wrote to memory of 1124	1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe	31
PID 1648 wrote to memory of 1124	1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe	31
PID 1648 wrote to memory of 1124	1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe	31
PID 1648 wrote to memory of 1124	1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe	31
PID 1648 wrote to memory of 1212	1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe	33
PID 1648 wrote to memory of 1212	1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe	33
PID 1648 wrote to memory of 1212	1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe	33
PID 1648 wrote to memory of 1212	1648	9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe	33

C:\Users\Admin\AppData\Local\Temp\9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe
"C:\Users\Admin\AppData\Local\Temp\9eaa4c2634fe9f79f4de3e0d06596f03ba92a0dbb9dd25b99ee310cf88519ad6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 48116460 /t REG_SZ /d "%userprofile%\48116460.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 48116460 /t REG_SZ /d "C:\Users\Admin\48116460.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1744
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /f /t 3
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9EAA4C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1212

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:588

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-61-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1124-59-0x0000000000000000-mapping.dmp

Download
memory/1212-60-0x0000000000000000-mapping.dmp

Download
memory/1648-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1648-57-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/1648-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1744-56-0x0000000000000000-mapping.dmp

Download
memory/2028-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors