338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d

Reason

Machine shutdown

General

Target

338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe
Size

85KB
MD5

0483e9db75d3a1f8219d2bc8445b9fb3
SHA1

b81e81683d0d48798e3c3bdaaf8d961695ea3cdc
SHA256

338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d
SHA512

ebaf399215ab0065cc6669dc45e3e19c796726d8a46305879520578045e1366d9d191924c6878e7f6a15d75ad5eea93a2290e48a8168e5f7052b2312e26bbd42
SSDEEP

1536:vXLSNZSOyFBWewor4ZXkl3CkSRpliHyPm:/utyCfVxIyLiS

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1740	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\271301500 = "C:\\Users\\Admin\\271301500.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe
Token: SeShutdownPrivilege	1348	shutdown.exe
Token: SeRemoteShutdownPrivilege	1348	shutdown.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1972	1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe	28
PID 1920 wrote to memory of 1972	1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe	28
PID 1920 wrote to memory of 1972	1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe	28
PID 1920 wrote to memory of 1972	1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe	28
PID 1972 wrote to memory of 1764	1972	cmd.exe	30
PID 1972 wrote to memory of 1764	1972	cmd.exe	30
PID 1972 wrote to memory of 1764	1972	cmd.exe	30
PID 1972 wrote to memory of 1764	1972	cmd.exe	30
PID 1920 wrote to memory of 1348	1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe	31
PID 1920 wrote to memory of 1348	1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe	31
PID 1920 wrote to memory of 1348	1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe	31
PID 1920 wrote to memory of 1348	1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe	31
PID 1920 wrote to memory of 1740	1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe	33
PID 1920 wrote to memory of 1740	1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe	33
PID 1920 wrote to memory of 1740	1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe	33
PID 1920 wrote to memory of 1740	1920	338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe	33

C:\Users\Admin\AppData\Local\Temp\338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe
"C:\Users\Admin\AppData\Local\Temp\338ca25a081f933afb19d8230c9a6dd1b7ebcf9a2bb48fb664d77bdc8eb3388d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 271301500 /t REG_SZ /d "%userprofile%\271301500.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 271301500 /t REG_SZ /d "C:\Users\Admin\271301500.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1764
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /f /t 3
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\338CA2~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1740

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1428

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-59-0x0000000000000000-mapping.dmp

Download
memory/1428-61-0x000007FEFC621000-0x000007FEFC623000-memory.dmp

Filesize
8KB

Download
memory/1740-60-0x0000000000000000-mapping.dmp

Download
memory/1764-58-0x0000000000000000-mapping.dmp

Download
memory/1920-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1920-55-0x00000000002B0000-0x00000000002C9000-memory.dmp

Filesize
100KB

Download
memory/1920-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1972-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors