e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c

General

Target

e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
Size

10KB
MD5

b3014f9ea7de6b7acb56519e9e02a879
SHA1

030cf651b1e0ba2405b758f22d28ca86ed46a1de
SHA256

e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c
SHA512

a6d93dd44d3ef34d0dcdab36b72e5b7392681202a528799f4d77831b7b25380a37d6ad0d0bc617bf894cb0cb5344489c6116392134bbdb70433c838f2e27a93a
SSDEEP

192:v7Cja853xv6+bLlllCdA78stYcFmVc03KY:TCjlvXbLdaA7ptYcFmVc03K

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wakyxcujr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Flqkfexqja\\Wakyxcujr.exe\""	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exepowershell.exee4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe

pid	process
472	powershell.exe
1092	powershell.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exee4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
Token: SeDebugPrivilege	1092	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe

C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
"C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-Date
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAOQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
2⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
2⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
2⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
2⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
2⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
2⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
2⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
2⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
2⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
C:\Users\Admin\AppData\Local\Temp\e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
2⤵
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ed5a645ea7697bc360552dc42f993eb0

SHA1
32dff99d448e5dde24db089c3578090e5ee8b762

SHA256
a7cbe7df6b1f3d595af3d4eb53119df0720e4d9d8c3163e79f3b50c46b4a7754

SHA512
dae135aa3f58130529302325ec835d13d3c8e7f8d3626995c7dc076a7b160248f08c847b9c162087806855f086c94581959d7c11cf0fed50a7394584fcef0f04

Download Submit
memory/472-60-0x0000000001F64000-0x0000000001F67000-memory.dmp

Filesize
12KB

Download
memory/472-56-0x000007FEFC191000-0x000007FEFC193000-memory.dmp

Filesize
8KB

Download
memory/472-57-0x000007FEED430000-0x000007FEEDE53000-memory.dmp

Filesize
10.1MB

Download
memory/472-58-0x000007FEEBE80000-0x000007FEEC9DD000-memory.dmp

Filesize
11.4MB

Download
memory/472-59-0x0000000001F64000-0x0000000001F67000-memory.dmp

Filesize
12KB

Download
memory/472-61-0x0000000001F6B000-0x0000000001F8A000-memory.dmp

Filesize
124KB

Download
memory/472-55-0x0000000000000000-mapping.dmp

Download
memory/1092-70-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1092-72-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1092-63-0x0000000000000000-mapping.dmp

Download
memory/1092-67-0x000007FEE9BB0000-0x000007FEEA70D000-memory.dmp

Filesize
11.4MB

Download
memory/1092-71-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1092-69-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1688-62-0x000000001F090000-0x000000001F330000-memory.dmp

Filesize
2.6MB

Download
memory/1688-68-0x000000001AE67000-0x000000001AE86000-memory.dmp

Filesize
124KB

Download
memory/1688-54-0x0000000000B60000-0x0000000000B66000-memory.dmp

Filesize
24KB

Download
memory/1688-73-0x000000001AE67000-0x000000001AE86000-memory.dmp

Filesize
124KB

Download

description	pid	process	target process
PID 1688 wrote to memory of 472	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 1688 wrote to memory of 472	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 1688 wrote to memory of 472	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 1688 wrote to memory of 1092	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 1688 wrote to memory of 1092	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 1688 wrote to memory of 1092	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	powershell.exe
PID 1688 wrote to memory of 548	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 548	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 548	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1812	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1812	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1812	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1924	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1924	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1924	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 572	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 572	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 572	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1936	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1936	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1936	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1640	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1640	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1640	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1336	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1336	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1336	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1376	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1376	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1376	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1704	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1704	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1704	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1660	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1660	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe
PID 1688 wrote to memory of 1660	1688	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe	e4bc0106363b1f9157405ffc64d4c5632f86a86b3e466dfc3f909127049e370c.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads