ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e

General

Target

ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
Size

240KB
MD5

6d6e6a3b4dec71ff268e5db800d5bcf5
SHA1

61c6eab37adfe8231a5ee19b9923be87b00bac13
SHA256

ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e
SHA512

b5688457b9625f2ec0d82494fa492d98461afdeefe4b5f0336bc2c2470f90e0e952faf9a7784177dc0623beab5e0549f0c39a2a248291c7dad63c0b51ff21d14
SSDEEP

6144:qn/L+2uabXMfTOi16wtYSjcJvcw51NhL9emV9jtpzkkxmh3Z:U1uabXMfTz9tMJX51Nhd7jwUa3Z

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Loads dropped DLL 3 IoCs

Processes:

ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe

pid	process
1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe

description	pid	process	target process
PID 1428 set thread context of 1320	1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe

Drops file in Windows directory 1 IoCs

Processes:

ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe

description ioc process

File opened for modification C:\Windows\ ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe

pid	process
1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
Token: SeIncreaseQuotaPrivilege	576	WMIC.exe
Token: SeSecurityPrivilege	576	WMIC.exe
Token: SeTakeOwnershipPrivilege	576	WMIC.exe
Token: SeLoadDriverPrivilege	576	WMIC.exe
Token: SeSystemProfilePrivilege	576	WMIC.exe
Token: SeSystemtimePrivilege	576	WMIC.exe
Token: SeProfSingleProcessPrivilege	576	WMIC.exe
Token: SeIncBasePriorityPrivilege	576	WMIC.exe
Token: SeCreatePagefilePrivilege	576	WMIC.exe
Token: SeBackupPrivilege	576	WMIC.exe
Token: SeRestorePrivilege	576	WMIC.exe
Token: SeShutdownPrivilege	576	WMIC.exe
Token: SeDebugPrivilege	576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	576	WMIC.exe
Token: SeRemoteShutdownPrivilege	576	WMIC.exe
Token: SeUndockPrivilege	576	WMIC.exe
Token: SeManageVolumePrivilege	576	WMIC.exe
Token: 33	576	WMIC.exe
Token: 34	576	WMIC.exe
Token: 35	576	WMIC.exe
Token: SeIncreaseQuotaPrivilege	576	WMIC.exe
Token: SeSecurityPrivilege	576	WMIC.exe
Token: SeTakeOwnershipPrivilege	576	WMIC.exe
Token: SeLoadDriverPrivilege	576	WMIC.exe
Token: SeSystemProfilePrivilege	576	WMIC.exe
Token: SeSystemtimePrivilege	576	WMIC.exe
Token: SeProfSingleProcessPrivilege	576	WMIC.exe
Token: SeIncBasePriorityPrivilege	576	WMIC.exe
Token: SeCreatePagefilePrivilege	576	WMIC.exe
Token: SeBackupPrivilege	576	WMIC.exe
Token: SeRestorePrivilege	576	WMIC.exe
Token: SeShutdownPrivilege	576	WMIC.exe
Token: SeDebugPrivilege	576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	576	WMIC.exe
Token: SeRemoteShutdownPrivilege	576	WMIC.exe
Token: SeUndockPrivilege	576	WMIC.exe
Token: SeManageVolumePrivilege	576	WMIC.exe
Token: 33	576	WMIC.exe
Token: 34	576	WMIC.exe
Token: 35	576	WMIC.exe
Token: SeBackupPrivilege	1112	vssvc.exe
Token: SeRestorePrivilege	1112	vssvc.exe
Token: SeAuditPrivilege	1112	vssvc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exeac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.execmd.exe

description	pid	process	target process
PID 1428 wrote to memory of 1320	1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
PID 1428 wrote to memory of 1320	1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
PID 1428 wrote to memory of 1320	1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
PID 1428 wrote to memory of 1320	1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
PID 1428 wrote to memory of 1320	1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
PID 1428 wrote to memory of 1320	1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
PID 1428 wrote to memory of 1320	1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
PID 1428 wrote to memory of 1320	1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
PID 1428 wrote to memory of 1320	1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
PID 1428 wrote to memory of 1320	1428	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
PID 1320 wrote to memory of 1984	1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	cmd.exe
PID 1320 wrote to memory of 1984	1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	cmd.exe
PID 1320 wrote to memory of 1984	1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	cmd.exe
PID 1320 wrote to memory of 1984	1320	ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe	cmd.exe
PID 1984 wrote to memory of 576	1984	cmd.exe	WMIC.exe
PID 1984 wrote to memory of 576	1984	cmd.exe	WMIC.exe
PID 1984 wrote to memory of 576	1984	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
"C:\Users\Admin\AppData\Local\Temp\ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe
"C:\Users\Admin\AppData\Local\Temp\ac0f47391a3fc4481d1ddeefcdb5e54b43e6b963c5c73dae8dd29887b47f180e.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstA7E.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Local\Temp\nstA7E.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Roaming\CDRom.dll

Filesize
28KB

MD5
51a7abee56ca990662a30e7366ceb97c

SHA1
eb69ff9bed5cc81589db302f86731c263531aabb

SHA256
f025b184cda7bc7d61d92818171bf16a3596d962034ff42ed0f38b8054620beb

SHA512
66c2879c24a06320c4397ef87efe532ea262483f9271884c76da610321ee7be8ab156c0d7c81dbac37a0ba9a3ef109273edede72efed036819e027697bd6ecf2

Download Submit
memory/576-73-0x0000000000000000-mapping.dmp

Download
memory/1320-64-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1320-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1320-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1320-62-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1320-66-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1320-67-0x00000000004028CF-mapping.dmp

Download
memory/1320-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1320-71-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1320-58-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1320-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1428-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1984-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads