8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d

General

Target

8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
Size

168KB
MD5

8e4be2eb83b42225b500ca568d023e9a
SHA1

8ea1f7cd198e9d6c6567444fffd1f0af0f1753f3
SHA256

8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d
SHA512

c809d76695b8aad93e6785af453d13ae8ad6f19af175efd134685538c41cab069c8b92ee1b3a210fe31efea067639e68f1a925527cdbd4fedfdb1069eb33c2b3
SSDEEP

3072:5v9cbTFhDHGrwpfwtTsZVQ3zY54tyeh8ZtkEqXJzRzaLrt:5Fcbhhb3p8TAQ3zY54tpqZtkEqZc

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1044 cmd.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2020 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

pid	process
1044	cmd.exe

pid	process
2020	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe

pid	process
772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exenet.exenet.execmd.execmd.exenet.exe

description	pid	process	target process
PID 772 wrote to memory of 940	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 772 wrote to memory of 940	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 772 wrote to memory of 940	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 772 wrote to memory of 940	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 940 wrote to memory of 704	940	net.exe	net1.exe
PID 940 wrote to memory of 704	940	net.exe	net1.exe
PID 940 wrote to memory of 704	940	net.exe	net1.exe
PID 940 wrote to memory of 704	940	net.exe	net1.exe
PID 772 wrote to memory of 1836	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 772 wrote to memory of 1836	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 772 wrote to memory of 1836	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 772 wrote to memory of 1836	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 1836 wrote to memory of 1740	1836	net.exe	net1.exe
PID 1836 wrote to memory of 1740	1836	net.exe	net1.exe
PID 1836 wrote to memory of 1740	1836	net.exe	net1.exe
PID 1836 wrote to memory of 1740	1836	net.exe	net1.exe
PID 772 wrote to memory of 1280	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 772 wrote to memory of 1280	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 772 wrote to memory of 1280	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 772 wrote to memory of 1280	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 772 wrote to memory of 556	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 772 wrote to memory of 556	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 772 wrote to memory of 556	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 772 wrote to memory of 556	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 1280 wrote to memory of 388	1280	cmd.exe	net.exe
PID 1280 wrote to memory of 388	1280	cmd.exe	net.exe
PID 1280 wrote to memory of 388	1280	cmd.exe	net.exe
PID 1280 wrote to memory of 388	1280	cmd.exe	net.exe
PID 556 wrote to memory of 2020	556	cmd.exe	sc.exe
PID 556 wrote to memory of 2020	556	cmd.exe	sc.exe
PID 556 wrote to memory of 2020	556	cmd.exe	sc.exe
PID 556 wrote to memory of 2020	556	cmd.exe	sc.exe
PID 388 wrote to memory of 432	388	net.exe	net1.exe
PID 388 wrote to memory of 432	388	net.exe	net1.exe
PID 388 wrote to memory of 432	388	net.exe	net1.exe
PID 388 wrote to memory of 432	388	net.exe	net1.exe
PID 772 wrote to memory of 1044	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 772 wrote to memory of 1044	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 772 wrote to memory of 1044	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 772 wrote to memory of 1044	772	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
"C:\Users\Admin\AppData\Local\Temp\8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\net.exe
net group /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group /domain
3⤵
PID:704

C:\Windows\SysWOW64\net.exe
net group /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group /domain
3⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C net.exe stop foundation
2⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\net.exe
net.exe stop foundation
3⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop foundation
4⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete foundation
2⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\sc.exe
sc delete foundation
3⤵
- Launches sc.exe
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\823571~1.EXE >> NUL
2⤵
- Deletes itself
PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-62-0x0000000000000000-mapping.dmp

Download
memory/432-64-0x0000000000000000-mapping.dmp

Download
memory/556-61-0x0000000000000000-mapping.dmp

Download
memory/704-56-0x0000000000000000-mapping.dmp

Download
memory/772-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/772-67-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/772-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/772-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/940-55-0x0000000000000000-mapping.dmp

Download
memory/1044-66-0x0000000000000000-mapping.dmp

Download
memory/1280-60-0x0000000000000000-mapping.dmp

Download
memory/1740-58-0x0000000000000000-mapping.dmp

Download
memory/1836-57-0x0000000000000000-mapping.dmp

Download
memory/2020-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing