86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee | Triage

Analysis

max time kernel
188s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 13:46

Sharing

Report Analysis Logs

General

Target

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
Size

320KB
MD5

139aded90404e7566d4ece8ba1ba43aa
SHA1

95e5454aa03d07d3ff8d6de4fe743d8b6bd41508
SHA256

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee
SHA512

30ef9e4de12713bdb808229edfba05e0561a2126bb7df8d1917ea9c868ced8bd462284a460dbe6405971725b8eff9b8cad2833ebc384cbfbc604ddac259a6bc0
SSDEEP

6144:R7NyWYhRghGq/998Ox2qf9QbmsrQIvKLnLjH9JXE9v2xkJwJuP8D:R7NyWYhRghGq/998Ox99emsrcLZ9u2xP

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe

description	ioc	process
File opened (read-only)	\??\X:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\Y:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\Z:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\A:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\B:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\N:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\S:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\T:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\M:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\G:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\H:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\J:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\K:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\L:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\F:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\O:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\P:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\V:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\W:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\E:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\I:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\Q:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\R:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
File opened (read-only)	\??\U:	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe

description	pid	process	target process
PID 1572 set thread context of 2772	1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe

pid	process
1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe

description	pid	process
Token: SeShutdownPrivilege	1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
Token: SeCreatePagefilePrivilege	1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe

pid	process
1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe

description	pid	process	target process
PID 1572 wrote to memory of 2772	1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 1572 wrote to memory of 2772	1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 1572 wrote to memory of 2772	1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 1572 wrote to memory of 2772	1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 1572 wrote to memory of 2772	1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 1572 wrote to memory of 2772	1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 1572 wrote to memory of 2772	1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 1572 wrote to memory of 2772	1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
PID 1572 wrote to memory of 2772	1572	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe	86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe

C:\Users\Admin\AppData\Local\Temp\86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
"C:\Users\Admin\AppData\Local\Temp\86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
C:\Users\Admin\AppData\Local\Temp\86c5df9499a895636348644f1342182f0ae92a90f78308877ee1d1c5cd7acfee.exe
2⤵
PID:2772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1572-135-0x0000000004650000-0x0000000004654000-memory.dmp

Filesize
16KB

Download
memory/2772-132-0x0000000000000000-mapping.dmp

Download
memory/2772-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download