731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 13:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe
Size

550KB
MD5

0933d5217a0f31be15f1ee9d168982a0
SHA1

b2416379b816b46e7dfcfc3e7ab89f26956105ce
SHA256

731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8
SHA512

d9db8da6f4f3b694366ef6777cb36dee6a273525349c1cb774288d738b4cb60feaf78cc562efefabbc023ce60a3fe8f3efc2f43a2bdfd5e08a2353646d01797e
SSDEEP

12288:N3uguAaNa0ydmRSjLTHJyr8QDQoyazsfpLcXXksnnfxGXKu:NuAlBCSDH88KwVg7n5GXKu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1892	GetMarkPhoto.exe

Loads dropped DLL 1 IoCs

pid	Process
900	731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	900	731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe
Token: SeIncBasePriorityPrivilege	900	731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe
Token: 33	900	731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe
Token: SeIncBasePriorityPrivilege	900	731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe
Token: 33	900	731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe
Token: SeIncBasePriorityPrivilege	900	731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe
Token: 33	1892	GetMarkPhoto.exe
Token: SeIncBasePriorityPrivilege	1892	GetMarkPhoto.exe
Token: 33	1892	GetMarkPhoto.exe
Token: SeIncBasePriorityPrivilege	1892	GetMarkPhoto.exe
Token: 33	1892	GetMarkPhoto.exe
Token: SeIncBasePriorityPrivilege	1892	GetMarkPhoto.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1892	900	731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe	27
PID 900 wrote to memory of 1892	900	731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe	27
PID 900 wrote to memory of 1892	900	731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe	27
PID 900 wrote to memory of 1892	900	731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe	27

C:\Users\Admin\AppData\Local\Temp\731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe
"C:\Users\Admin\AppData\Local\Temp\731fa6c85f53a183b700091affd3768d5c40b23ff434a6b99cf92dbbd51c94a8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\FaceBookCheck\1.0.0.0\2013.12.27T16.38\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\GetMarkPhoto.exe
  "C:\Users\Admin\AppData\Local\Temp\GetMarkPhoto.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\FaceBookCheck\1.0.0.0\2013.12.27T16.38\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\GetMarkPhoto.exe

Filesize
17KB

MD5
ddb1445b2ce7087c2d2f195b05cadfda

SHA1
43993558fb78245ef94a2c07d96bda0a0825ef63

SHA256
2bdc3bbfac7975551f6b8b7ab02251619c8fdcb1d8553a61ef4d8b92cdee3132

SHA512
b0b0e9778aeea6281b02590e1cd00b2fd14c7cae7dc86b61be76b9230831c1353edee6f4c4c2eba7eebfccf25aabdf42a3a2e767836a793d11fe33b0ddc49825

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\FaceBookCheck\1.0.0.0\2013.12.27T16.38\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\GetMarkPhoto.exe

Filesize
17KB

MD5
ddb1445b2ce7087c2d2f195b05cadfda

SHA1
43993558fb78245ef94a2c07d96bda0a0825ef63

SHA256
2bdc3bbfac7975551f6b8b7ab02251619c8fdcb1d8553a61ef4d8b92cdee3132

SHA512
b0b0e9778aeea6281b02590e1cd00b2fd14c7cae7dc86b61be76b9230831c1353edee6f4c4c2eba7eebfccf25aabdf42a3a2e767836a793d11fe33b0ddc49825

Download Submit
memory/900-57-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/900-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/900-58-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/900-59-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/900-56-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/900-55-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/900-66-0x0000000000230000-0x00000000002A2000-memory.dmp

Filesize
456KB

Download
memory/1892-64-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1892-65-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1892-67-0x0000000000490000-0x0000000000502000-memory.dmp

Filesize
456KB

Download
memory/1892-68-0x0000000002230000-0x0000000002270000-memory.dmp

Filesize
256KB

Download
memory/1892-69-0x0000000000490000-0x0000000000502000-memory.dmp

Filesize
456KB

Download