b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08

Analysis

max time kernel
206s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:56

Target

b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe
Size

659KB
MD5

d12ec99b99607e7a2536499c710d55e9
SHA1

4bfc6a7ab6ceedea818ca0be0c0a5847d46a0327
SHA256

b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08
SHA512

e9984860bca840fa04c110571e07ba1b7b82138b376e73f043c3714da50e60c84293c33770ff578783f29a7bd0806006f9d747f3b184224cdd581daf22fd50f3
SSDEEP

12288:9AyvpfnHq+NRkqR+RqgHvpRdEzWmLLuLAkyUyaAGY5OKCy5Z5DePzqh545+aXh5d:eyv5KAeqR+RqSHdEzJmfJixOKCy5Z5DI

Score

8^/10

upx

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3660-132-0x0000000002140000-0x0000000002286000-memory.dmp	upx
behavioral2/memory/3660-136-0x0000000002140000-0x0000000002286000-memory.dmp	upx
behavioral2/memory/3660-135-0x0000000002140000-0x0000000002286000-memory.dmp	upx
behavioral2/memory/3660-139-0x0000000002140000-0x0000000002286000-memory.dmp	upx
behavioral2/memory/3660-140-0x0000000002140000-0x0000000002286000-memory.dmp	upx
behavioral2/memory/1720-142-0x0000000002120000-0x0000000002266000-memory.dmp	upx
behavioral2/memory/1720-145-0x0000000002120000-0x0000000002266000-memory.dmp	upx
behavioral2/memory/1720-146-0x0000000002120000-0x0000000002266000-memory.dmp	upx
behavioral2/memory/1720-148-0x0000000002120000-0x0000000002266000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3660	b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe
3660	b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe
3660	b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe
3660	b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3660	b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe
Token: SeCreatePagefilePrivilege	3660	b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3660	b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe
3660	b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 1720	3660	b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe	83
PID 3660 wrote to memory of 1720	3660	b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe	83
PID 3660 wrote to memory of 1720	3660	b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe	83

C:\Users\Admin\AppData\Local\Temp\b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe
"C:\Users\Admin\AppData\Local\Temp\b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Users\Admin\AppData\Local\Temp\b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe
  "C:\Users\Admin\AppData\Local\Temp\b434c6569d5241ebf1cdbaa6d68b5ad26bf9cacc869f395ba6d39bd6aaa44a08.exe" /_ShowProgress
  2⤵
  PID:1720

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1720-141-0x0000000000000000-mapping.dmp

Download
memory/1720-148-0x0000000002120000-0x0000000002266000-memory.dmp

Filesize
1.3MB

Download
memory/1720-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-146-0x0000000002120000-0x0000000002266000-memory.dmp

Filesize
1.3MB

Download
memory/1720-145-0x0000000002120000-0x0000000002266000-memory.dmp

Filesize
1.3MB

Download
memory/1720-142-0x0000000002120000-0x0000000002266000-memory.dmp

Filesize
1.3MB

Download
memory/3660-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3660-140-0x0000000002140000-0x0000000002286000-memory.dmp

Filesize
1.3MB

Download
memory/3660-139-0x0000000002140000-0x0000000002286000-memory.dmp

Filesize
1.3MB

Download
memory/3660-138-0x0000000002040000-0x00000000020E5000-memory.dmp

Filesize
660KB

Download
memory/3660-132-0x0000000002140000-0x0000000002286000-memory.dmp

Filesize
1.3MB

Download
memory/3660-135-0x0000000002140000-0x0000000002286000-memory.dmp

Filesize
1.3MB

Download
memory/3660-136-0x0000000002140000-0x0000000002286000-memory.dmp

Filesize
1.3MB

Download