c17be8e772c880d5909d7b6eeeeb9c2f20fead98a67826598c56e00c6e3bdcd5

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17/10/2022, 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68Kp5nmURb71iQp.exe
Size

575KB
MD5

dbcafe45f06421e025fdd3367effe582
SHA1

e671d4cef56da8b9c5813b60bc9ec4bf9d3cea4a
SHA256

c17be8e772c880d5909d7b6eeeeb9c2f20fead98a67826598c56e00c6e3bdcd5
SHA512

a81a95725fbc86517ab42f5fb92f8b0da9d847aa4901c0eabaa9f3432723f8c3791f1b0f2ed839a32975eefd715c4f21c3f9559387caa3f233cfc34037367b2d
SSDEEP

12288:iNVw6FnoCM2qTzHcdfSFUEOA/99TZE8D8ITDBMszcXCJ:kqhvHckFU/WE8oI

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1944	68Kp5nmURb71iQp.exe
1944	68Kp5nmURb71iQp.exe
1944	68Kp5nmURb71iQp.exe
1944	68Kp5nmURb71iQp.exe
1944	68Kp5nmURb71iQp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	68Kp5nmURb71iQp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1944	68Kp5nmURb71iQp.exe
1944	68Kp5nmURb71iQp.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1716	1944	68Kp5nmURb71iQp.exe	27
PID 1944 wrote to memory of 1716	1944	68Kp5nmURb71iQp.exe	27
PID 1944 wrote to memory of 1716	1944	68Kp5nmURb71iQp.exe	27
PID 1944 wrote to memory of 1716	1944	68Kp5nmURb71iQp.exe	27
PID 1944 wrote to memory of 892	1944	68Kp5nmURb71iQp.exe	29
PID 1944 wrote to memory of 892	1944	68Kp5nmURb71iQp.exe	29
PID 1944 wrote to memory of 892	1944	68Kp5nmURb71iQp.exe	29
PID 1944 wrote to memory of 892	1944	68Kp5nmURb71iQp.exe	29
PID 1944 wrote to memory of 1132	1944	68Kp5nmURb71iQp.exe	30
PID 1944 wrote to memory of 1132	1944	68Kp5nmURb71iQp.exe	30
PID 1944 wrote to memory of 1132	1944	68Kp5nmURb71iQp.exe	30
PID 1944 wrote to memory of 1132	1944	68Kp5nmURb71iQp.exe	30
PID 1944 wrote to memory of 2012	1944	68Kp5nmURb71iQp.exe	31
PID 1944 wrote to memory of 2012	1944	68Kp5nmURb71iQp.exe	31
PID 1944 wrote to memory of 2012	1944	68Kp5nmURb71iQp.exe	31
PID 1944 wrote to memory of 2012	1944	68Kp5nmURb71iQp.exe	31
PID 1944 wrote to memory of 2032	1944	68Kp5nmURb71iQp.exe	32
PID 1944 wrote to memory of 2032	1944	68Kp5nmURb71iQp.exe	32
PID 1944 wrote to memory of 2032	1944	68Kp5nmURb71iQp.exe	32
PID 1944 wrote to memory of 2032	1944	68Kp5nmURb71iQp.exe	32
PID 1944 wrote to memory of 1776	1944	68Kp5nmURb71iQp.exe	33
PID 1944 wrote to memory of 1776	1944	68Kp5nmURb71iQp.exe	33
PID 1944 wrote to memory of 1776	1944	68Kp5nmURb71iQp.exe	33
PID 1944 wrote to memory of 1776	1944	68Kp5nmURb71iQp.exe	33

C:\Users\Admin\AppData\Local\Temp\68Kp5nmURb71iQp.exe
"C:\Users\Admin\AppData\Local\Temp\68Kp5nmURb71iQp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UjYrOnlknajYWA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B42.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\68Kp5nmURb71iQp.exe
  "{path}"
  2⤵
  PID:892
- C:\Users\Admin\AppData\Local\Temp\68Kp5nmURb71iQp.exe
  "{path}"
  2⤵
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\68Kp5nmURb71iQp.exe
  "{path}"
  2⤵
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\68Kp5nmURb71iQp.exe
  "{path}"
  2⤵
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\68Kp5nmURb71iQp.exe
  "{path}"
  2⤵
  PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6B42.tmp

Filesize
1KB

MD5
4aef7d96f7f3f79ba9db2db108bd449b

SHA1
1df2eea78c260d6a702c22708e94e51c7a5ae7be

SHA256
ba484995d043aa5b1c54b2dfffec9a026ec7e10cf7f8cddb8f6a9bc4775be98a

SHA512
983cc999c5e032821fdbbb36a6fb41395f7dabf0c35a90a79b68f5e913d380981d3b8365b9f4d67c0993b1ff5073f688f3eaf26f8e0250dad3488c30bf8d7ea8

Download Submit
memory/1944-54-0x0000000000380000-0x0000000000416000-memory.dmp

Filesize
600KB

Download
memory/1944-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1944-56-0x0000000000680000-0x00000000006A0000-memory.dmp

Filesize
128KB

Download
memory/1944-57-0x00000000049E0000-0x0000000004A64000-memory.dmp

Filesize
528KB

Download
memory/1944-58-0x0000000003FF0000-0x000000000402A000-memory.dmp

Filesize
232KB

Download