30154c70502adee36efa577e0e13b7e8379e362a6739a2f71f3c9ee5039f0df5

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30154c70502adee36efa577e0e13b7e8379e362a6739a2f71f3c9ee5039f0df5.exe
Size

200KB
MD5

49ac57001ffa72e9a90d53f06a77d08e
SHA1

1a19eae3deae41a868e1a28d545bf5333ac79e85
SHA256

30154c70502adee36efa577e0e13b7e8379e362a6739a2f71f3c9ee5039f0df5
SHA512

efc50643d6364cf23a3e0aec96cc41fa05c28cc09f4f3efa57df43c907b1afe4f20907537480df0958d3c56290df061fc6a5d987dfe412a3b0e04b46e884128d
SSDEEP

6144:UOUgO6oBJLca1QRTkxV/LiQp6wtYCyccjBQ7G:m6Cn1Q9yNtY0G

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

min2.exe

pid process

1924 min2.exe

pid	process
1924	min2.exe

Loads dropped DLL 2 IoCs

Processes:

30154c70502adee36efa577e0e13b7e8379e362a6739a2f71f3c9ee5039f0df5.exe

pid	process
2008	30154c70502adee36efa577e0e13b7e8379e362a6739a2f71f3c9ee5039f0df5.exe
2008	30154c70502adee36efa577e0e13b7e8379e362a6739a2f71f3c9ee5039f0df5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

min2.exe

description	pid	process
Token: SeDebugPrivilege	1924	min2.exe
Token: 33	1924	min2.exe
Token: SeIncBasePriorityPrivilege	1924	min2.exe
Token: 33	1924	min2.exe
Token: SeIncBasePriorityPrivilege	1924	min2.exe
Token: 33	1924	min2.exe
Token: SeIncBasePriorityPrivilege	1924	min2.exe
Token: 33	1924	min2.exe
Token: SeIncBasePriorityPrivilege	1924	min2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

30154c70502adee36efa577e0e13b7e8379e362a6739a2f71f3c9ee5039f0df5.exe

description	pid	process	target process
PID 2008 wrote to memory of 1924	2008	30154c70502adee36efa577e0e13b7e8379e362a6739a2f71f3c9ee5039f0df5.exe	min2.exe
PID 2008 wrote to memory of 1924	2008	30154c70502adee36efa577e0e13b7e8379e362a6739a2f71f3c9ee5039f0df5.exe	min2.exe
PID 2008 wrote to memory of 1924	2008	30154c70502adee36efa577e0e13b7e8379e362a6739a2f71f3c9ee5039f0df5.exe	min2.exe
PID 2008 wrote to memory of 1924	2008	30154c70502adee36efa577e0e13b7e8379e362a6739a2f71f3c9ee5039f0df5.exe	min2.exe

C:\Users\Admin\AppData\Local\Temp\30154c70502adee36efa577e0e13b7e8379e362a6739a2f71f3c9ee5039f0df5.exe
"C:\Users\Admin\AppData\Local\Temp\30154c70502adee36efa577e0e13b7e8379e362a6739a2f71f3c9ee5039f0df5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\min2.exe
"C:\Users\Admin\AppData\Local\Temp\min2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\min2.exe

Filesize
187KB

MD5
c2fd4902bc2d6fbceab4c1187d563aa0

SHA1
25053093a8523f994ede985e3ca26c74ef6b93aa

SHA256
4f2750a7e382127bbba6bb53e3f80e64ec331bd18e067a96bc3cbdf483396c42

SHA512
4fc398f491a1002feaa272bfd8530ec2467f83973fce52104c3471133c7813ae59fe6ec8b6b426a25bd7b778c443069f45ecc8549da7866ac75172d7bfe8b308

Download Submit
C:\Users\Admin\AppData\Local\Temp\min2.exe

Filesize
187KB

MD5
c2fd4902bc2d6fbceab4c1187d563aa0

SHA1
25053093a8523f994ede985e3ca26c74ef6b93aa

SHA256
4f2750a7e382127bbba6bb53e3f80e64ec331bd18e067a96bc3cbdf483396c42

SHA512
4fc398f491a1002feaa272bfd8530ec2467f83973fce52104c3471133c7813ae59fe6ec8b6b426a25bd7b778c443069f45ecc8549da7866ac75172d7bfe8b308

Download Submit
\Users\Admin\AppData\Local\Temp\min2.exe

Filesize
187KB

MD5
c2fd4902bc2d6fbceab4c1187d563aa0

SHA1
25053093a8523f994ede985e3ca26c74ef6b93aa

SHA256
4f2750a7e382127bbba6bb53e3f80e64ec331bd18e067a96bc3cbdf483396c42

SHA512
4fc398f491a1002feaa272bfd8530ec2467f83973fce52104c3471133c7813ae59fe6ec8b6b426a25bd7b778c443069f45ecc8549da7866ac75172d7bfe8b308

Download Submit
\Users\Admin\AppData\Local\Temp\min2.exe

Filesize
187KB

MD5
c2fd4902bc2d6fbceab4c1187d563aa0

SHA1
25053093a8523f994ede985e3ca26c74ef6b93aa

SHA256
4f2750a7e382127bbba6bb53e3f80e64ec331bd18e067a96bc3cbdf483396c42

SHA512
4fc398f491a1002feaa272bfd8530ec2467f83973fce52104c3471133c7813ae59fe6ec8b6b426a25bd7b778c443069f45ecc8549da7866ac75172d7bfe8b308

Download Submit
memory/1924-57-0x0000000000000000-mapping.dmp

Download
memory/1924-61-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-62-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download