34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601

Analysis

max time kernel
149s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2022, 00:56

Target

34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe
Size

581KB
MD5

a2151ab291cdab103fff73c16e48e100
SHA1

aedecdd5acc9f3206edf5786de4425c27006fb42
SHA256

34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601
SHA512

ad082a1e3dbc66a4fc4758c6a6c8e038beae3186e3a30a44d6dd6388ed41dfb04f3929f579d9cd35ff1397f76b2c0bb17996f48358cc7d999f9a488eae6204ab
SSDEEP

12288:AQFagl4ZjL++kpFDI+4hPBH1S4+gHRMEM9LCB9Gl/DN:AQFNC+fI+g1S4+gHOt9LCc/D

Score

8^/10

upx

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4284-132-0x0000000002300000-0x0000000002432000-memory.dmp	upx
behavioral2/memory/4284-135-0x0000000002300000-0x0000000002432000-memory.dmp	upx
behavioral2/memory/4284-136-0x0000000002300000-0x0000000002432000-memory.dmp	upx
behavioral2/memory/4284-139-0x0000000002300000-0x0000000002432000-memory.dmp	upx
behavioral2/memory/3444-141-0x00000000021A0000-0x00000000022D2000-memory.dmp	upx
behavioral2/memory/3444-145-0x00000000021A0000-0x00000000022D2000-memory.dmp	upx
behavioral2/memory/3444-144-0x00000000021A0000-0x00000000022D2000-memory.dmp	upx
behavioral2/memory/3444-146-0x00000000021A0000-0x00000000022D2000-memory.dmp	upx
behavioral2/memory/4284-147-0x0000000002300000-0x0000000002432000-memory.dmp	upx
behavioral2/memory/3444-148-0x00000000021A0000-0x00000000022D2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4284	34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe
4284	34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe
4284	34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe
4284	34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4284	34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe
Token: SeCreatePagefilePrivilege	4284	34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4284	34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe
4284	34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 3444	4284	34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe	81
PID 4284 wrote to memory of 3444	4284	34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe	81
PID 4284 wrote to memory of 3444	4284	34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe	81

C:\Users\Admin\AppData\Local\Temp\34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe
"C:\Users\Admin\AppData\Local\Temp\34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe
  "C:\Users\Admin\AppData\Local\Temp\34456bb86ea9a40efbf24baadaf0955b1766992a9e23d1dfb3e5f585cd3c9601.exe" /_ShowProgress
  2⤵
  PID:3444

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/3444-144-0x00000000021A0000-0x00000000022D2000-memory.dmp

Filesize
1.2MB

Download
memory/3444-141-0x00000000021A0000-0x00000000022D2000-memory.dmp

Filesize
1.2MB

Download
memory/3444-145-0x00000000021A0000-0x00000000022D2000-memory.dmp

Filesize
1.2MB

Download
memory/3444-146-0x00000000021A0000-0x00000000022D2000-memory.dmp

Filesize
1.2MB

Download
memory/3444-148-0x00000000021A0000-0x00000000022D2000-memory.dmp

Filesize
1.2MB

Download
memory/4284-135-0x0000000002300000-0x0000000002432000-memory.dmp

Filesize
1.2MB

Download
memory/4284-136-0x0000000002300000-0x0000000002432000-memory.dmp

Filesize
1.2MB

Download
memory/4284-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4284-138-0x0000000002180000-0x0000000002212000-memory.dmp

Filesize
584KB

Download
memory/4284-139-0x0000000002300000-0x0000000002432000-memory.dmp

Filesize
1.2MB

Download
memory/4284-132-0x0000000002300000-0x0000000002432000-memory.dmp

Filesize
1.2MB

Download
memory/4284-147-0x0000000002300000-0x0000000002432000-memory.dmp

Filesize
1.2MB

Download