6099616ae1b64e1b907d09fbab3d313ba27d398b24272733fc3b463a834d258f

Analysis

max time kernel
229s
max time network
343s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 00:06

Target

6099616ae1b64e1b907d09fbab3d313ba27d398b24272733fc3b463a834d258f.exe
Size

4.3MB
MD5

fd136b290c72f0c45cc878c7d6efdfa0
SHA1

b2cb8044417f5bd5e361787b8a2ffb7fbafa1425
SHA256

6099616ae1b64e1b907d09fbab3d313ba27d398b24272733fc3b463a834d258f
SHA512

4dff6c6d57e86602f16f10c3c2ea20457fc1acf4e67c0d48a1a7f8f9bbf302035611f522634727068f7aeeefcae72495a9d11dfcc542a517c50380c53fbbfbf2
SSDEEP

98304:o9MpHhvYzprr/vBHijXUMgBZwcU9hbkBjL2mGTO2+72AeqL//Hx:9pHh2nnQpgBZwv9xSky2+77/Hx

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6099616ae1b64e1b907d09fbab3d313ba27d398b24272733fc3b463a834d258f.exe

pid process

1940 6099616ae1b64e1b907d09fbab3d313ba27d398b24272733fc3b463a834d258f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6099616ae1b64e1b907d09fbab3d313ba27d398b24272733fc3b463a834d258f.exe

description pid process

Token: SeDebugPrivilege 1940 6099616ae1b64e1b907d09fbab3d313ba27d398b24272733fc3b463a834d258f.exe

pid	process
1940	6099616ae1b64e1b907d09fbab3d313ba27d398b24272733fc3b463a834d258f.exe

description	pid	process
Token: SeDebugPrivilege	1940	6099616ae1b64e1b907d09fbab3d313ba27d398b24272733fc3b463a834d258f.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1940-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download