a640ac3bd53da809a38865aff3bed27afbd9b7f76183b1c7e4bc1ef3e781863c

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 03:57

Target

a640ac3bd53da809a38865aff3bed27afbd9b7f76183b1c7e4bc1ef3e781863c.exe
Size

373KB
MD5

732f6373ed217a21e37a01dce2c4ab30
SHA1

d58375b8791ba138bc7c7a17dc120d6ce682783d
SHA256

a640ac3bd53da809a38865aff3bed27afbd9b7f76183b1c7e4bc1ef3e781863c
SHA512

08f6df30a22653d1b61f5e0088087490addd691b4387d5cc19ecf3cc64199475a181eea3c096f9f861d3cba88b64c113da21f4eca65ec6568b19817516c2bcdb
SSDEEP

6144:OME1nmg1tDbJ5621YNdrJI7eLnv6FBsCWlXh2BsLTsL1l08uuIz8Sk/fa1JEH/eb:HgnJr7eLnKavXhcMTLlz8Sk/i1qGKzID

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1356	a640ac3bd53da809a38865aff3bed27afbd9b7f76183b1c7e4bc1ef3e781863c.exe
Token: SeBackupPrivilege	1356	a640ac3bd53da809a38865aff3bed27afbd9b7f76183b1c7e4bc1ef3e781863c.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1756	1356	a640ac3bd53da809a38865aff3bed27afbd9b7f76183b1c7e4bc1ef3e781863c.exe	28
PID 1356 wrote to memory of 1756	1356	a640ac3bd53da809a38865aff3bed27afbd9b7f76183b1c7e4bc1ef3e781863c.exe	28
PID 1356 wrote to memory of 1756	1356	a640ac3bd53da809a38865aff3bed27afbd9b7f76183b1c7e4bc1ef3e781863c.exe	28
PID 1356 wrote to memory of 1756	1356	a640ac3bd53da809a38865aff3bed27afbd9b7f76183b1c7e4bc1ef3e781863c.exe	28
PID 1356 wrote to memory of 1756	1356	a640ac3bd53da809a38865aff3bed27afbd9b7f76183b1c7e4bc1ef3e781863c.exe	28
PID 1356 wrote to memory of 1756	1356	a640ac3bd53da809a38865aff3bed27afbd9b7f76183b1c7e4bc1ef3e781863c.exe	28
PID 1356 wrote to memory of 1756	1356	a640ac3bd53da809a38865aff3bed27afbd9b7f76183b1c7e4bc1ef3e781863c.exe	28
PID 1756 wrote to memory of 1996	1756	WScript.exe	30
PID 1756 wrote to memory of 1996	1756	WScript.exe	30
PID 1756 wrote to memory of 1996	1756	WScript.exe	30
PID 1756 wrote to memory of 1996	1756	WScript.exe	30
PID 1756 wrote to memory of 1996	1756	WScript.exe	30
PID 1756 wrote to memory of 1996	1756	WScript.exe	30
PID 1756 wrote to memory of 1996	1756	WScript.exe	30

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\temp\Upgz.bat

Filesize
315B

MD5
ad45152c461e62cc660ca997e7792716

SHA1
34ae482f371cec8443dc1b1e59e13432a24d6e32

SHA256
447a6130e58462cd7d96c6ac6ac8d1f8dcfbe9c4efe1197956bd09382dcf276d

SHA512
4261a6cde49da26f75dd80b81eec3de6350f74a04e49b66f3b94fe81cc50b0df1f81142262b576226647c30f5482c7fd0cfbfbcbfcd876bf72d98c4f767a770a

Download Submit
C:\Windows\temp\upgz.vbs

Filesize
167B

MD5
3edeaa251779cce51fcec18b9a3b08ac

SHA1
76f122481636790cd204e0aec79d86cf4bc97bbc

SHA256
2c9d527fbab0b0de5ce658aa9a7229cbc3eb6a4fc7705f671e67847b212426ec

SHA512
0acc8f1d24f3f8ac55ab971ab96a70510117a11943ba9dfd8edd717508efe56dbf081263d6177d4d0f67c584a626cdd94359ef0d0900dd5e896a7779be539f2a

Download Submit
memory/1356-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download