5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151

Analysis

max time kernel
294s
max time network
332s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 23:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
Size

465KB
MD5

dd3543ab8ebc670d9a2dd54e15b4f48e
SHA1

7b76a1b51cf5495beeada377ef0221a977988dca
SHA256

5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151
SHA512

f95cdb807991cf61bfca5fcca17a3c123cb5939cb1481a568a9119fb9bed764a15b5ddf2478f41ee5c2b35aea57f48e0363993157640c02b4720c36c63606679
SSDEEP

12288:06WJxSJSP2qIbjPTOc5/W1hn9YjvD8xY+:06WJwSYjPTO6a9kh+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe

Loads dropped DLL 1 IoCs

pid	Process
1284	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1652	powershell.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	544	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1652	536	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe	28
PID 536 wrote to memory of 1652	536	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe	28
PID 536 wrote to memory of 1652	536	5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe	28
PID 1284 wrote to memory of 544	1284	taskeng.exe	31
PID 1284 wrote to memory of 544	1284	taskeng.exe	31
PID 1284 wrote to memory of 544	1284	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
"C:\Users\Admin\AppData\Local\Temp\5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652

C:\Windows\system32\taskeng.exe
taskeng.exe {5BE8202E-442C-40AF-BCD7-67B56656E0A6} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Roaming\5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
  C:\Users\Admin\AppData\Roaming\5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe

Filesize
465KB

MD5
dd3543ab8ebc670d9a2dd54e15b4f48e

SHA1
7b76a1b51cf5495beeada377ef0221a977988dca

SHA256
5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151

SHA512
f95cdb807991cf61bfca5fcca17a3c123cb5939cb1481a568a9119fb9bed764a15b5ddf2478f41ee5c2b35aea57f48e0363993157640c02b4720c36c63606679

Download Submit
C:\Users\Admin\AppData\Roaming\5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe

Filesize
465KB

MD5
dd3543ab8ebc670d9a2dd54e15b4f48e

SHA1
7b76a1b51cf5495beeada377ef0221a977988dca

SHA256
5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151

SHA512
f95cdb807991cf61bfca5fcca17a3c123cb5939cb1481a568a9119fb9bed764a15b5ddf2478f41ee5c2b35aea57f48e0363993157640c02b4720c36c63606679

Download Submit
\Users\Admin\AppData\Roaming\5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151.exe

Filesize
465KB

MD5
dd3543ab8ebc670d9a2dd54e15b4f48e

SHA1
7b76a1b51cf5495beeada377ef0221a977988dca

SHA256
5745e6498f2e66aa784578ba5e8b606ba69d49000dbc0550c9df3cc59ef8f151

SHA512
f95cdb807991cf61bfca5fcca17a3c123cb5939cb1481a568a9119fb9bed764a15b5ddf2478f41ee5c2b35aea57f48e0363993157640c02b4720c36c63606679

Download Submit
memory/536-55-0x000000001B360000-0x000000001B400000-memory.dmp

Filesize
640KB

Download
memory/536-56-0x00000000007E0000-0x0000000000836000-memory.dmp

Filesize
344KB

Download
memory/536-57-0x00000000020F0000-0x000000000213C000-memory.dmp

Filesize
304KB

Download
memory/536-58-0x000000001B400000-0x000000001B454000-memory.dmp

Filesize
336KB

Download
memory/536-59-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/536-54-0x000000013F410000-0x000000013F488000-memory.dmp

Filesize
480KB

Download
memory/544-70-0x000000013F2F0000-0x000000013F368000-memory.dmp

Filesize
480KB

Download
memory/544-74-0x000000001B8F6000-0x000000001B915000-memory.dmp

Filesize
124KB

Download
memory/544-75-0x000000001B970000-0x000000001B986000-memory.dmp

Filesize
88KB

Download
memory/1652-65-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1652-63-0x000007FEEC900000-0x000007FEED45D000-memory.dmp

Filesize
11.4MB

Download
memory/1652-64-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/1652-62-0x000007FEED460000-0x000007FEEDE83000-memory.dmp

Filesize
10.1MB

Download
memory/1652-71-0x00000000027CB000-0x00000000027EA000-memory.dmp

Filesize
124KB

Download
memory/1652-72-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/1652-73-0x00000000027CB000-0x00000000027EA000-memory.dmp

Filesize
124KB

Download