ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669

Analysis

max time kernel
151s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 19:05

Target

ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe
Size

581KB
MD5

50cf975b38e9fc470e405640649b3dd0
SHA1

185864d22b310cd278b071e10054b57704c7b5c5
SHA256

ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669
SHA512

15d67d9a729ba60433db3db7ec38089f6915fcb1d521c1937170daf0761751e838327b4a7364aa8a3981a857026db050e478db48f761d490828cf24ccb4f8308
SSDEEP

12288:3QFagZP7xohG/0QWUoNOkcRsLj1+E9iYmU7sk9KtUYqn:3QFNBtRtsLj159ipUaUFn

Score

8^/10

upx

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/908-132-0x0000000002240000-0x0000000002372000-memory.dmp	upx
behavioral2/memory/908-135-0x0000000002240000-0x0000000002372000-memory.dmp	upx
behavioral2/memory/908-137-0x0000000002240000-0x0000000002372000-memory.dmp	upx
behavioral2/memory/908-139-0x0000000002240000-0x0000000002372000-memory.dmp	upx
behavioral2/memory/908-140-0x0000000002240000-0x0000000002372000-memory.dmp	upx
behavioral2/memory/1656-142-0x0000000002120000-0x0000000002252000-memory.dmp	upx
behavioral2/memory/1656-145-0x0000000002120000-0x0000000002252000-memory.dmp	upx
behavioral2/memory/1656-146-0x0000000002120000-0x0000000002252000-memory.dmp	upx
behavioral2/memory/908-147-0x0000000002240000-0x0000000002372000-memory.dmp	upx
behavioral2/memory/1656-148-0x0000000002120000-0x0000000002252000-memory.dmp	upx
behavioral2/memory/908-149-0x0000000002240000-0x0000000002372000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
908	ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe
908	ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe
908	ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe
908	ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	908	ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe
Token: SeCreatePagefilePrivilege	908	ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
908	ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe
908	ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 1656	908	ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe	79
PID 908 wrote to memory of 1656	908	ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe	79
PID 908 wrote to memory of 1656	908	ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe	79

C:\Users\Admin\AppData\Local\Temp\ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe
"C:\Users\Admin\AppData\Local\Temp\ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:908
- C:\Users\Admin\AppData\Local\Temp\ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe
  "C:\Users\Admin\AppData\Local\Temp\ae34a8fe38258ce946a24cd1a9ba4f70b689197a7acc8635bec0025c9ae51669.exe" /_ShowProgress
  2⤵
  PID:1656

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/908-140-0x0000000002240000-0x0000000002372000-memory.dmp

Filesize
1.2MB

Download
memory/908-147-0x0000000002240000-0x0000000002372000-memory.dmp

Filesize
1.2MB

Download
memory/908-136-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/908-137-0x0000000002240000-0x0000000002372000-memory.dmp

Filesize
1.2MB

Download
memory/908-138-0x00000000021A0000-0x0000000002232000-memory.dmp

Filesize
584KB

Download
memory/908-139-0x0000000002240000-0x0000000002372000-memory.dmp

Filesize
1.2MB

Download
memory/908-149-0x0000000002240000-0x0000000002372000-memory.dmp

Filesize
1.2MB

Download
memory/908-132-0x0000000002240000-0x0000000002372000-memory.dmp

Filesize
1.2MB

Download
memory/908-135-0x0000000002240000-0x0000000002372000-memory.dmp

Filesize
1.2MB

Download
memory/1656-148-0x0000000002120000-0x0000000002252000-memory.dmp

Filesize
1.2MB

Download
memory/1656-146-0x0000000002120000-0x0000000002252000-memory.dmp

Filesize
1.2MB

Download
memory/1656-145-0x0000000002120000-0x0000000002252000-memory.dmp

Filesize
1.2MB

Download
memory/1656-142-0x0000000002120000-0x0000000002252000-memory.dmp

Filesize
1.2MB

Download