02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5

General

Target

3056792cfe11d96217fa3626f3ab6a5f.exe
Size

4.6MB
MD5

3056792cfe11d96217fa3626f3ab6a5f
SHA1

d2b732a35d22e32dbc265957e624c667012a6a18
SHA256

02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5
SHA512

c7e217193294760af3bfb12ff4e7ed327faf9ba09e05d3927eaba26385ce9853ff42685cdabff00fbe6c1461ce5c772afc7a158d72da9e33039da0ee828789c8
SSDEEP

24576:2RlFlAOYfBKbQzW3I+ps4NCmntjDesG5InScdbJaP1tVpVzKGeGCvCr2F1xgLAZ4:

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3056792cfe11d96217fa3626f3ab6a5f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\PUTTY = "\"C:\\Users\\Admin\\AppData\\Roaming\\PUTTY.EXE\""	3056792cfe11d96217fa3626f3ab6a5f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exe3056792cfe11d96217fa3626f3ab6a5f.exe

pid	process
612	powershell.exe
1048	3056792cfe11d96217fa3626f3ab6a5f.exe
1048	3056792cfe11d96217fa3626f3ab6a5f.exe
1048	3056792cfe11d96217fa3626f3ab6a5f.exe
1048	3056792cfe11d96217fa3626f3ab6a5f.exe
1048	3056792cfe11d96217fa3626f3ab6a5f.exe
1048	3056792cfe11d96217fa3626f3ab6a5f.exe
1048	3056792cfe11d96217fa3626f3ab6a5f.exe
1048	3056792cfe11d96217fa3626f3ab6a5f.exe
1048	3056792cfe11d96217fa3626f3ab6a5f.exe
1048	3056792cfe11d96217fa3626f3ab6a5f.exe
1048	3056792cfe11d96217fa3626f3ab6a5f.exe
1048	3056792cfe11d96217fa3626f3ab6a5f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe3056792cfe11d96217fa3626f3ab6a5f.exe

description pid process

Token: SeDebugPrivilege 612 powershell.exe
Token: SeDebugPrivilege 1048 3056792cfe11d96217fa3626f3ab6a5f.exe

description	pid	process
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	1048	3056792cfe11d96217fa3626f3ab6a5f.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

3056792cfe11d96217fa3626f3ab6a5f.exe

C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
"C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
2⤵
PID:784

C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
2⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
2⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
2⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
2⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
2⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
2⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
2⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
2⤵
PID:600

C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
C:\Users\Admin\AppData\Local\Temp\3056792cfe11d96217fa3626f3ab6a5f.exe
2⤵
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-58-0x0000000000000000-mapping.dmp

Download
memory/612-59-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/612-60-0x000000006FE10000-0x00000000703BB000-memory.dmp

Filesize
5.7MB

Download
memory/612-61-0x000000006FE10000-0x00000000703BB000-memory.dmp

Filesize
5.7MB

Download
memory/612-62-0x000000006FE10000-0x00000000703BB000-memory.dmp

Filesize
5.7MB

Download
memory/1048-54-0x0000000000130000-0x00000000005CE000-memory.dmp

Filesize
4.6MB

Download
memory/1048-55-0x0000000005DD0000-0x0000000006020000-memory.dmp

Filesize
2.3MB

Download
memory/1048-56-0x0000000006300000-0x0000000006506000-memory.dmp

Filesize
2.0MB

Download
memory/1048-57-0x0000000000A70000-0x0000000000B02000-memory.dmp

Filesize
584KB

Download

description	pid	process	target process
PID 1048 wrote to memory of 612	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	powershell.exe
PID 1048 wrote to memory of 612	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	powershell.exe
PID 1048 wrote to memory of 612	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	powershell.exe
PID 1048 wrote to memory of 612	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	powershell.exe
PID 1048 wrote to memory of 784	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 784	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 784	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 784	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 772	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 772	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 772	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 772	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 660	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 660	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 660	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 660	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 688	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 688	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 688	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 688	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1324	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1324	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1324	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1324	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1944	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1944	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1944	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1944	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 916	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 916	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 916	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 916	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1844	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1844	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1844	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1844	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 600	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 600	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 600	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 600	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1708	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1708	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1708	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe
PID 1048 wrote to memory of 1708	1048	3056792cfe11d96217fa3626f3ab6a5f.exe	3056792cfe11d96217fa3626f3ab6a5f.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads