15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029

General

Target

15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
Size

2.7MB
MD5

c8cf5b4e0b41f78a0578afd13d721fd1
SHA1

3c5fea380843bff19cf435322ec7a8a62d1ec3d4
SHA256

15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029
SHA512

f4bf2b8452a253aa45f64c6d05d3c7a1e8ec744a322892e1f03710129e43fa63f0064023341d37dd308be45c9385d50863d2b21461f82e94ba0e67526708c54e
SSDEEP

49152:eSBec0GPbErgBAmCke8D/MABBqVbKJ04TiSgviLoDbrBcp9:ecrzErgB+wM8IVmCiiLvxnrB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
820	File.exe

Loads dropped DLL 1 IoCs

pid	Process
1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
Token: 33	1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
Token: SeIncBasePriorityPrivilege	1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
Token: SeDebugPrivilege	820	File.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 820	1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe	27
PID 1268 wrote to memory of 820	1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe	27
PID 1268 wrote to memory of 820	1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe	27
PID 1268 wrote to memory of 820	1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe	27
PID 1268 wrote to memory of 932	1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe	28
PID 1268 wrote to memory of 932	1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe	28
PID 1268 wrote to memory of 932	1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe	28
PID 1268 wrote to memory of 932	1268	15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe	28

C:\Users\Admin\AppData\Local\Temp\15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
"C:\Users\Admin\AppData\Local\Temp\15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Users\Admin\AppData\Local\Temp\15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
  C:\Users\Admin\AppData\Local\Temp\15843008b449ada1a722b2ea3ea46d3180d95995d8055181d884840f3ea7d029.exe
  2⤵
  PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
787KB

MD5
67f9e88c73d954bc23235a1d00bd2d2a

SHA1
0990308a9ebb602900e8a77615906d5b669792eb

SHA256
8f9af964f56025b65831a1d2b9b66475423cee2e255ef6bd240955685c92bfbc

SHA512
a3a4df2d6972c057b6da54fd18ac803368aa98a7e1e07e859d3c36585040f300537a27e508924f2a212a87119e2219031277a015c7e9db70ac0935778d58bf92

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
787KB

MD5
67f9e88c73d954bc23235a1d00bd2d2a

SHA1
0990308a9ebb602900e8a77615906d5b669792eb

SHA256
8f9af964f56025b65831a1d2b9b66475423cee2e255ef6bd240955685c92bfbc

SHA512
a3a4df2d6972c057b6da54fd18ac803368aa98a7e1e07e859d3c36585040f300537a27e508924f2a212a87119e2219031277a015c7e9db70ac0935778d58bf92

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe

Filesize
787KB

MD5
67f9e88c73d954bc23235a1d00bd2d2a

SHA1
0990308a9ebb602900e8a77615906d5b669792eb

SHA256
8f9af964f56025b65831a1d2b9b66475423cee2e255ef6bd240955685c92bfbc

SHA512
a3a4df2d6972c057b6da54fd18ac803368aa98a7e1e07e859d3c36585040f300537a27e508924f2a212a87119e2219031277a015c7e9db70ac0935778d58bf92

Download Submit
memory/820-60-0x0000000000330000-0x00000000003FC000-memory.dmp

Filesize
816KB

Download
memory/820-62-0x0000000001F10000-0x0000000001F38000-memory.dmp

Filesize
160KB

Download
memory/820-63-0x0000000004396000-0x00000000043A7000-memory.dmp

Filesize
68KB

Download
memory/1268-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1268-59-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/1268-64-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing