abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c

General

Target

abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
Size

274KB
MD5

545474e5e27aceaf673b1ae0e72bec43
SHA1

da2ee3a1fb37e3c7906b49f9816272d0020bbf7f
SHA256

abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c
SHA512

10a3188e1f93d43caacdbb6160e26ae1898b099da9b7edde4443637d8cd6b43235cae2b68b5732f7ced1bc098e51508b4aeb914a4e684e7d6b1892fd4f581f43
SSDEEP

6144:Iy9v17kwzVKndyPJMnDEXZBWqNpPB5leWe92TbpYViUbE+6kQL:597kAKndybnWqNpJ7e6TdiLB6kQ

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Loads dropped DLL 1 IoCs

Processes:

abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe

pid process

1392 abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1392	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe

description	pid	process	target process
PID 1392 set thread context of 952	1392	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe

pid	process
952	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
952	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
952	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
952	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
952	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
952	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe

pid process

1392 abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe

pid	process
1392	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	952	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
Token: SeIncreaseQuotaPrivilege	604	WMIC.exe
Token: SeSecurityPrivilege	604	WMIC.exe
Token: SeTakeOwnershipPrivilege	604	WMIC.exe
Token: SeLoadDriverPrivilege	604	WMIC.exe
Token: SeSystemProfilePrivilege	604	WMIC.exe
Token: SeSystemtimePrivilege	604	WMIC.exe
Token: SeProfSingleProcessPrivilege	604	WMIC.exe
Token: SeIncBasePriorityPrivilege	604	WMIC.exe
Token: SeCreatePagefilePrivilege	604	WMIC.exe
Token: SeBackupPrivilege	604	WMIC.exe
Token: SeRestorePrivilege	604	WMIC.exe
Token: SeShutdownPrivilege	604	WMIC.exe
Token: SeDebugPrivilege	604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	604	WMIC.exe
Token: SeRemoteShutdownPrivilege	604	WMIC.exe
Token: SeUndockPrivilege	604	WMIC.exe
Token: SeManageVolumePrivilege	604	WMIC.exe
Token: 33	604	WMIC.exe
Token: 34	604	WMIC.exe
Token: 35	604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	604	WMIC.exe
Token: SeSecurityPrivilege	604	WMIC.exe
Token: SeTakeOwnershipPrivilege	604	WMIC.exe
Token: SeLoadDriverPrivilege	604	WMIC.exe
Token: SeSystemProfilePrivilege	604	WMIC.exe
Token: SeSystemtimePrivilege	604	WMIC.exe
Token: SeProfSingleProcessPrivilege	604	WMIC.exe
Token: SeIncBasePriorityPrivilege	604	WMIC.exe
Token: SeCreatePagefilePrivilege	604	WMIC.exe
Token: SeBackupPrivilege	604	WMIC.exe
Token: SeRestorePrivilege	604	WMIC.exe
Token: SeShutdownPrivilege	604	WMIC.exe
Token: SeDebugPrivilege	604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	604	WMIC.exe
Token: SeRemoteShutdownPrivilege	604	WMIC.exe
Token: SeUndockPrivilege	604	WMIC.exe
Token: SeManageVolumePrivilege	604	WMIC.exe
Token: 33	604	WMIC.exe
Token: 34	604	WMIC.exe
Token: 35	604	WMIC.exe
Token: SeBackupPrivilege	648	vssvc.exe
Token: SeRestorePrivilege	648	vssvc.exe
Token: SeAuditPrivilege	648	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exeabfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.execmd.exe

description	pid	process	target process
PID 1392 wrote to memory of 952	1392	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
PID 1392 wrote to memory of 952	1392	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
PID 1392 wrote to memory of 952	1392	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
PID 1392 wrote to memory of 952	1392	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
PID 1392 wrote to memory of 952	1392	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
PID 952 wrote to memory of 1688	952	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe	cmd.exe
PID 952 wrote to memory of 1688	952	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe	cmd.exe
PID 952 wrote to memory of 1688	952	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe	cmd.exe
PID 952 wrote to memory of 1688	952	abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe	cmd.exe
PID 1688 wrote to memory of 604	1688	cmd.exe	WMIC.exe
PID 1688 wrote to memory of 604	1688	cmd.exe	WMIC.exe
PID 1688 wrote to memory of 604	1688	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
"C:\Users\Admin\AppData\Local\Temp\abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe
"C:\Users\Admin\AppData\Local\Temp\abfad32a54931bced34394373381e2d5e2565a30648daca1a2462ee25caa3a3c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso61B.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
memory/604-62-0x0000000000000000-mapping.dmp

Download
memory/952-57-0x0000000000402BDD-mapping.dmp

Download
memory/952-60-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/952-63-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1392-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1392-56-0x0000000001E70000-0x0000000001E9C000-memory.dmp

Filesize
176KB

Download
memory/1392-59-0x0000000001E70000-0x0000000001E9C000-memory.dmp

Filesize
176KB

Download
memory/1688-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads