180f44119a00e7a4db6d98b0329cf47703723ba4e73f2474c6274cd57e4ce47e

General

Target

Setup.exe
Size

700.0MB
MD5

9dae9dd61d07c02000a5ea2500bfb5b2
SHA1

61cb4fa8376d97a8f93effc906a95941e3375a2b
SHA256

baa358f10014adf2569d7e697bbd59fe98e884a6f65d9063e6c04f8dccbe2302
SHA512

a8c70b97a52a12b1b9251c70635220a765cce0f9553d75a9271fd9eba1fbaa329be2dbf2db1f601ce2f4cc20a4590e772fd9b15c9c5560723eef6cb7ea2ae975
SSDEEP

98304:n1EqlRyB+/T6Mzg2NA6S6m2ytriL3Yj+ijoIq:niwRyB+xUwQtrijuW

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exeSetup.exe

pid process

1252 powershell.exe
780 Setup.exe
780 Setup.exe
780 Setup.exe
780 Setup.exe
780 Setup.exe
780 Setup.exe
780 Setup.exe
780 Setup.exe
780 Setup.exe
780 Setup.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Setup.exepowershell.exe

description pid process

Token: SeDebugPrivilege 780 Setup.exe
Token: SeDebugPrivilege 1252 powershell.exe

pid	process
1252	powershell.exe
780	Setup.exe
780	Setup.exe
780	Setup.exe
780	Setup.exe
780	Setup.exe
780	Setup.exe
780	Setup.exe
780	Setup.exe
780	Setup.exe
780	Setup.exe

description	pid	process
Token: SeDebugPrivilege	780	Setup.exe
Token: SeDebugPrivilege	1252	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exe

description	pid	process	target process
PID 780 wrote to memory of 1252	780	Setup.exe	powershell.exe
PID 780 wrote to memory of 1252	780	Setup.exe	powershell.exe
PID 780 wrote to memory of 1252	780	Setup.exe	powershell.exe
PID 780 wrote to memory of 1252	780	Setup.exe	powershell.exe
PID 780 wrote to memory of 1988	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1988	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1988	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1988	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1988	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1988	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1988	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1724	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1724	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1724	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1724	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1724	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1724	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1724	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 948	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 948	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 948	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 948	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 948	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 948	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 948	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 340	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 340	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 340	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 340	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 340	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 340	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 340	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 868	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 868	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 868	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 868	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 868	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 868	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 868	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 908	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 908	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 908	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 908	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 908	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 908	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 908	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 684	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 684	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 684	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 684	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 684	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 684	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 684	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 692	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 692	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 692	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 692	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 692	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 692	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 692	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1716	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1716	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1716	780	Setup.exe	Setup.exe
PID 780 wrote to memory of 1716	780	Setup.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:340

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:336

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/780-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/780-55-0x0000000000070000-0x0000000000518000-memory.dmp

Filesize
4.7MB

Download
memory/780-56-0x0000000004EA0000-0x0000000004F6C000-memory.dmp

Filesize
816KB

Download
memory/780-57-0x0000000000FD0000-0x0000000001062000-memory.dmp

Filesize
584KB

Download
memory/1252-58-0x0000000000000000-mapping.dmp

Download
memory/1252-60-0x000000006F980000-0x000000006FF2B000-memory.dmp

Filesize
5.7MB

Download
memory/1252-61-0x000000006F980000-0x000000006FF2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing