f50b387ef7ab57a0caa05f0e89089b12d337d108d28a7a7ace1c2e7b324cbf66

General

Target

fcc555499698555ca835ae7bc4c4f734.exe
Size

764KB
MD5

fcc555499698555ca835ae7bc4c4f734
SHA1

32d7aa23603640ea5a54f2d3ce4284f4fc6c8de4
SHA256

f50b387ef7ab57a0caa05f0e89089b12d337d108d28a7a7ace1c2e7b324cbf66
SHA512

0bd602fe6398dbced3532f1933d84f022172b019dfe07edfb920f9f8fd448c0d66cb363cd4b6634d9a0d0011472e44cf4e387c701f3210e515c2f5ea4eafebb7
SSDEEP

12288:yg28uATAgSjSbHKo57lj73BaaIhpuHorws/:yhlSKoVl/3EaIhwH

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

660 schtasks.exe

pid	process
660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

fcc555499698555ca835ae7bc4c4f734.exepowershell.exe

pid	process
1292	fcc555499698555ca835ae7bc4c4f734.exe
1292	fcc555499698555ca835ae7bc4c4f734.exe
1292	fcc555499698555ca835ae7bc4c4f734.exe
1292	fcc555499698555ca835ae7bc4c4f734.exe
1292	fcc555499698555ca835ae7bc4c4f734.exe
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fcc555499698555ca835ae7bc4c4f734.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1292 fcc555499698555ca835ae7bc4c4f734.exe
Token: SeDebugPrivilege 2040 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1292	fcc555499698555ca835ae7bc4c4f734.exe
Token: SeDebugPrivilege	2040	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

fcc555499698555ca835ae7bc4c4f734.exe

C:\Users\Admin\AppData\Local\Temp\fcc555499698555ca835ae7bc4c4f734.exe
"C:\Users\Admin\AppData\Local\Temp\fcc555499698555ca835ae7bc4c4f734.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QodNNFzYR.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QodNNFzYR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD73D.tmp"
2⤵
- Creates scheduled task(s)
PID:660

C:\Users\Admin\AppData\Local\Temp\fcc555499698555ca835ae7bc4c4f734.exe
"C:\Users\Admin\AppData\Local\Temp\fcc555499698555ca835ae7bc4c4f734.exe"
2⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\fcc555499698555ca835ae7bc4c4f734.exe
"C:\Users\Admin\AppData\Local\Temp\fcc555499698555ca835ae7bc4c4f734.exe"
2⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\fcc555499698555ca835ae7bc4c4f734.exe
"C:\Users\Admin\AppData\Local\Temp\fcc555499698555ca835ae7bc4c4f734.exe"
2⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\fcc555499698555ca835ae7bc4c4f734.exe
"C:\Users\Admin\AppData\Local\Temp\fcc555499698555ca835ae7bc4c4f734.exe"
2⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\fcc555499698555ca835ae7bc4c4f734.exe
"C:\Users\Admin\AppData\Local\Temp\fcc555499698555ca835ae7bc4c4f734.exe"
2⤵
PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD73D.tmp

Filesize
1KB

MD5
df4b63244c2761e88f95e9fef1e1d9b6

SHA1
844369293f075ef1a964ee972c9c8e314177496d

SHA256
5d62e8695612a3078389189724572e6118f3e0c86d61f31773cac147c5ec9e86

SHA512
261a83a8b67f8b5e456581d390a4a6605b605e0923461de1669b1d0c0f51cbb4c1db6d8b9bd4a5ec6d162034abbb53d405426f8b3c469cd77cfbf920d8db096a

Download Submit
memory/660-60-0x0000000000000000-mapping.dmp

Download
memory/1292-54-0x0000000000340000-0x0000000000406000-memory.dmp

Filesize
792KB

Download
memory/1292-55-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1292-56-0x0000000000560000-0x000000000057A000-memory.dmp

Filesize
104KB

Download
memory/1292-57-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/1292-58-0x0000000000410000-0x0000000000490000-memory.dmp

Filesize
512KB

Download
memory/1292-63-0x0000000005E00000-0x0000000005E26000-memory.dmp

Filesize
152KB

Download
memory/2040-59-0x0000000000000000-mapping.dmp

Download
memory/2040-64-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-65-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 1292 wrote to memory of 2040	1292	fcc555499698555ca835ae7bc4c4f734.exe	powershell.exe
PID 1292 wrote to memory of 2040	1292	fcc555499698555ca835ae7bc4c4f734.exe	powershell.exe
PID 1292 wrote to memory of 2040	1292	fcc555499698555ca835ae7bc4c4f734.exe	powershell.exe
PID 1292 wrote to memory of 2040	1292	fcc555499698555ca835ae7bc4c4f734.exe	powershell.exe
PID 1292 wrote to memory of 660	1292	fcc555499698555ca835ae7bc4c4f734.exe	schtasks.exe
PID 1292 wrote to memory of 660	1292	fcc555499698555ca835ae7bc4c4f734.exe	schtasks.exe
PID 1292 wrote to memory of 660	1292	fcc555499698555ca835ae7bc4c4f734.exe	schtasks.exe
PID 1292 wrote to memory of 660	1292	fcc555499698555ca835ae7bc4c4f734.exe	schtasks.exe
PID 1292 wrote to memory of 1384	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 1384	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 1384	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 1384	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 1540	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 1540	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 1540	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 1540	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 1664	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 1664	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 1664	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 1664	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 548	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 548	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 548	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 548	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 568	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 568	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 568	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe
PID 1292 wrote to memory of 568	1292	fcc555499698555ca835ae7bc4c4f734.exe	fcc555499698555ca835ae7bc4c4f734.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads