58aa4250e8e6c244dedd0889f68a0e48e1bcbec171a403d96134114ce7da50b5

Analysis

max time kernel
45s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 14:54

Target

manual_view_site_moremoney.exe
Size

79KB
MD5

7faa2b9c9f44f6529fcd468ca7766d61
SHA1

920478413f39d292e23cf5d4fbb72e720c524a71
SHA256

8d721678a07fb2387c07c941d648ef73d1ae27198d0c7e23684f4b9f44cdf1f1
SHA512

ff12620abe973cd800377a05a61717d6e6f915e7215dff103a36fe85a079ae3a77165fc4d1abdeaff0a19fe1d26f1bf47d27e90d983d784ac284f4a9506e92d1
SSDEEP

384:j8I4kBqbjESxplQYJuHGi4Pw/adI/K1l:j1gbLi4L1l

Score

7^/10

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.exe	manual_view_site_moremoney.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1976	manual_view_site_moremoney.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	manual_view_site_moremoney.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1976-54-0x00000000754E1000-0x00000000754E3000-memory.dmp

Filesize
8KB

Download
memory/1976-55-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-56-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-57-0x0000000000B35000-0x0000000000B46000-memory.dmp

Filesize
68KB

Download