712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Size

239KB
MD5

51e679bffeff4bc99421f9d399287c2d
SHA1

45fee9d68ca2bc6e85b53e494fb48ebf0b3b64f0
SHA256

712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d
SHA512

f90caff3175d6c8f803abad1abc8d88f606a33f16fb9dff05505de0532481fb63196b1de2af90247db6f5d0bce3edd4fb0c015761a43a4b124a0172ef48011aa
SSDEEP

6144:qtURCGMvaYofyhXeNWkW/DT8mIKI1jZo1fCsj:qtUJMvaYofyhON9uDrIYZj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeIncreaseQuotaPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeSecurityPrivilege	1028	msiexec.exe
Token: SeCreateTokenPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeAssignPrimaryTokenPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeLockMemoryPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeIncreaseQuotaPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeMachineAccountPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeTcbPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeSecurityPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeTakeOwnershipPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeLoadDriverPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeSystemProfilePrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeSystemtimePrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeProfSingleProcessPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeIncBasePriorityPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeCreatePagefilePrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeCreatePermanentPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeBackupPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeRestorePrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeShutdownPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeDebugPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeAuditPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeSystemEnvironmentPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeChangeNotifyPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeRemoteShutdownPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeUndockPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeSyncAgentPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeEnableDelegationPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeManageVolumePrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeImpersonatePrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
Token: SeCreateGlobalPrivilege	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 1664	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe	82
PID 4868 wrote to memory of 1664	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe	82
PID 4868 wrote to memory of 1664	4868	712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe	82
PID 1664 wrote to memory of 2264	1664	mstsc.exe	83
PID 1664 wrote to memory of 2264	1664	mstsc.exe	83

C:\Users\Admin\AppData\Local\Temp\712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe
"C:\Users\Admin\AppData\Local\Temp\712857d3c0eac36b64a2e5ab96c58a4d1f2a065365ad4a2966f15c6418ff428d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SysWOW64\mstsc.exe
  mstsc.exe /migrate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\system32\mstsc.exe
    mstsc.exe /migrate
    3⤵
    PID:2264

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1664-132-0x0000000000000000-mapping.dmp

Download
memory/2264-134-0x0000000000000000-mapping.dmp

Download
memory/4868-133-0x0000000001000000-0x000000000105D000-memory.dmp

Filesize
372KB

Download
memory/4868-135-0x0000000001000000-0x000000000105D000-memory.dmp

Filesize
372KB

Download