0eb58b723318b8746280abd3d278a6325deba933c67d41cf638aa89244d6c3c7

Analysis

max time kernel
150s
max time network
158s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22/10/2022, 14:38

Target

0eb58b723318b8746280abd3d278a6325deba933c67d41cf638aa89244d6c3c7.exe
Size

2.1MB
MD5

f0c0bd9f2464a22b26cd1e59f061c301
SHA1

9f4af038778fd91eb409c774c88325d23cf48c26
SHA256

0eb58b723318b8746280abd3d278a6325deba933c67d41cf638aa89244d6c3c7
SHA512

090872ec9db441be82172fe4b093ec0f6b55183341fea747e8ea66591aa81422e69d2b5d227369b22f7088a7d9d8eeb0fdd0d4818072372032425d2c321e0748
SSDEEP

24576:lJ/Q7WLg9oER9uXtIkOrGoJHcuA2yZdwMrl9Je:d

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	0eb58b723318b8746280abd3d278a6325deba933c67d41cf638aa89244d6c3c7.exe

C:\Users\Admin\AppData\Local\Temp\0eb58b723318b8746280abd3d278a6325deba933c67d41cf638aa89244d6c3c7.exe
"C:\Users\Admin\AppData\Local\Temp\0eb58b723318b8746280abd3d278a6325deba933c67d41cf638aa89244d6c3c7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:576

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/576-54-0x0000000000920000-0x0000000000B4A000-memory.dmp

Filesize
2.2MB

Download
memory/576-55-0x0000000000550000-0x00000000005C8000-memory.dmp

Filesize
480KB

Download
memory/576-56-0x000000001B1E0000-0x000000001B286000-memory.dmp

Filesize
664KB

Download
memory/576-57-0x00000000003F0000-0x000000000043E000-memory.dmp

Filesize
312KB

Download
memory/576-58-0x00000000020F0000-0x000000000213C000-memory.dmp

Filesize
304KB

Download