993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522

General

Target

993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe
Size

394KB
MD5

4c6b88b2c0c75bf38d88826995a4204c
SHA1

08b3ade2efba22b5c758f42197dd642ae48138a9
SHA256

993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522
SHA512

8886ddeab05a97e1fa3f39b8132b9bb759a745d11d961f6c16497095861bc841a8ffa06db029158eccf74447eef0880e8ad30e0584d14e3cfb91c24380b099a6
SSDEEP

6144:DCm3gJX5z2ODOUlSZF64zfINQIVK7gAtqGIaH+5UpWPgPta/qe9xvAZZC/fREKGO:DeZ9/Tp2QfK7XfH+5zPgV3s6Zo5EK2G

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1120 set thread context of 1116	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	30

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1200	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1116	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe
Token: SeDebugPrivilege	1116	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1560	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	27
PID 1120 wrote to memory of 1560	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	27
PID 1120 wrote to memory of 1560	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	27
PID 1120 wrote to memory of 1560	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	27
PID 1560 wrote to memory of 1200	1560	cmd.exe	29
PID 1560 wrote to memory of 1200	1560	cmd.exe	29
PID 1560 wrote to memory of 1200	1560	cmd.exe	29
PID 1560 wrote to memory of 1200	1560	cmd.exe	29
PID 1120 wrote to memory of 1116	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	30
PID 1120 wrote to memory of 1116	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	30
PID 1120 wrote to memory of 1116	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	30
PID 1120 wrote to memory of 1116	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	30
PID 1120 wrote to memory of 1116	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	30
PID 1120 wrote to memory of 1116	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	30
PID 1120 wrote to memory of 1116	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	30
PID 1120 wrote to memory of 1116	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	30
PID 1120 wrote to memory of 1116	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	30
PID 1120 wrote to memory of 1116	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	30
PID 1120 wrote to memory of 1116	1120	993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe	30

C:\Users\Admin\AppData\Local\Temp\993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe
"C:\Users\Admin\AppData\Local\Temp\993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 10
    3⤵
    - Runs ping.exe
    PID:1200
- C:\Users\Admin\AppData\Local\Temp\993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe
  "C:\Users\Admin\AppData\Local\Temp\993f3ca57197b1a47adf464f599625fd65b1ec06d08887160aebfafa27ac8522.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-77-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1116-78-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-100-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1116-98-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-96-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-95-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-60-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-61-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-63-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-65-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-67-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-68-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-69-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-72-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-74-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-92-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-91-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-79-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-80-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-81-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-82-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-83-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-84-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-86-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-87-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1116-89-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1120-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1120-55-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1120-59-0x00000000009C5000-0x00000000009D6000-memory.dmp

Filesize
68KB

Download
memory/1120-58-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1120-99-0x00000000009C5000-0x00000000009D6000-memory.dmp

Filesize
68KB

Download
memory/1120-101-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing