b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

General

Target

b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
Size

1006KB
MD5

8fb066db4762a35fac7f31cedd97cab7
SHA1

5e77aa679dba9ce1ba300de84c40e86f4b8d3864
SHA256

b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73
SHA512

2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498
SSDEEP

24576:6RL1fJwm75YaYh0kpwIzOalXqBpSnJh9whgefucd9Tb7:CxRwm1lYhLpwISIXqzSn/9whBfbxb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4068	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3880 set thread context of 1980	3880	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	69
PID 4068 set thread context of 5020	4068	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4152	powershell.exe
4152	powershell.exe
4152	powershell.exe
3880	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
4956	powershell.exe
4956	powershell.exe
4956	powershell.exe
4068	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	3880	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
Token: SeDebugPrivilege	1980	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeIncreaseQuotaPrivilege	3512	powershell.exe
Token: SeSecurityPrivilege	3512	powershell.exe
Token: SeTakeOwnershipPrivilege	3512	powershell.exe
Token: SeLoadDriverPrivilege	3512	powershell.exe
Token: SeSystemProfilePrivilege	3512	powershell.exe
Token: SeSystemtimePrivilege	3512	powershell.exe
Token: SeProfSingleProcessPrivilege	3512	powershell.exe
Token: SeIncBasePriorityPrivilege	3512	powershell.exe
Token: SeCreatePagefilePrivilege	3512	powershell.exe
Token: SeBackupPrivilege	3512	powershell.exe
Token: SeRestorePrivilege	3512	powershell.exe
Token: SeShutdownPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeSystemEnvironmentPrivilege	3512	powershell.exe
Token: SeRemoteShutdownPrivilege	3512	powershell.exe
Token: SeUndockPrivilege	3512	powershell.exe
Token: SeManageVolumePrivilege	3512	powershell.exe
Token: 33	3512	powershell.exe
Token: 34	3512	powershell.exe
Token: 35	3512	powershell.exe
Token: 36	3512	powershell.exe
Token: SeDebugPrivilege	4068	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
Token: SeDebugPrivilege	5020	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 4152	3880	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	67
PID 3880 wrote to memory of 4152	3880	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	67
PID 3880 wrote to memory of 1980	3880	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	69
PID 3880 wrote to memory of 1980	3880	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	69
PID 3880 wrote to memory of 1980	3880	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	69
PID 3880 wrote to memory of 1980	3880	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	69
PID 3880 wrote to memory of 1980	3880	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	69
PID 3880 wrote to memory of 1980	3880	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	69
PID 1980 wrote to memory of 3512	1980	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	70
PID 1980 wrote to memory of 3512	1980	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	70
PID 4068 wrote to memory of 4956	4068	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	73
PID 4068 wrote to memory of 4956	4068	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	73
PID 4068 wrote to memory of 5020	4068	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	76
PID 4068 wrote to memory of 5020	4068	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	76
PID 4068 wrote to memory of 5020	4068	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	76
PID 4068 wrote to memory of 5020	4068	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	76
PID 4068 wrote to memory of 5020	4068	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	76
PID 4068 wrote to memory of 5020	4068	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	76

C:\Users\Admin\AppData\Local\Temp\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
"C:\Users\Admin\AppData\Local\Temp\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4152
- C:\Users\Admin\AppData\Local\Temp\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
  C:\Users\Admin\AppData\Local\Temp\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3512

C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
  C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe.log

Filesize
1KB

MD5
782642cae2d9f6598fb9eb578b369999

SHA1
f05208eb85a5b790b559526c512b20714f3faeaa

SHA256
3ad964dbd06b3a0107024de29cd3ffbd8e03661e23427c8d3b20376c273e7b25

SHA512
12c3f39bf6c09ef56373d9ed82563cfc8df450b1e3c98f3135c7cb3233a41b56fbc15320614ab4e5a8e7b66e0aaa9394c9e75006981bb6c5718499a67ad198dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4e14a0ac430343a239b008dfb620967c

SHA1
7d55c3ac565ddc87dea562137b581cc1d79205da

SHA256
8e799823408bf34837df07f87d5ab3fc66acf93aec4b9d52d4f1d933185c45f4

SHA512
8f9ce115a88aee18c1d2266e84eed536343899866dabc49cf8f157ea0bbb3914739f5126f789ba6cd1e37bf582c29c0af47c7b0adc625f2fa9f470f9b78b4496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
792B

MD5
2ab627f16c893231abebd49199ad7862

SHA1
3974ed674dd1e9ff9ccf5e696cdaf47af18fd4dd

SHA256
326cb04603c1d03d7969615b78406b5ab72498f84ed648a9b7d9a5be2c8c50b1

SHA512
8c8e13ec8fc18a150f7f57b7f9ad926b3e4790668caed3152ba9e12a44718bad12e9eea416714bbb5860c62e359934133860b84652ffd8d5eccf891fd66bc1d3

Download Submit
C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

Filesize
1006KB

MD5
8fb066db4762a35fac7f31cedd97cab7

SHA1
5e77aa679dba9ce1ba300de84c40e86f4b8d3864

SHA256
b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

SHA512
2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498

Download Submit
C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

Filesize
1006KB

MD5
8fb066db4762a35fac7f31cedd97cab7

SHA1
5e77aa679dba9ce1ba300de84c40e86f4b8d3864

SHA256
b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

SHA512
2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498

Download Submit
C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

Filesize
1006KB

MD5
8fb066db4762a35fac7f31cedd97cab7

SHA1
5e77aa679dba9ce1ba300de84c40e86f4b8d3864

SHA256
b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

SHA512
2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498

Download Submit
memory/1980-139-0x000002858E620000-0x000002858E676000-memory.dmp

Filesize
344KB

Download
memory/1980-135-0x0000000140000000-0x0000000140078000-memory.dmp

Filesize
480KB

Download
memory/1980-138-0x000002858E6C0000-0x000002858E760000-memory.dmp

Filesize
640KB

Download
memory/1980-140-0x000002858E760000-0x000002858E7AC000-memory.dmp

Filesize
304KB

Download
memory/1980-141-0x000002858E7B0000-0x000002858E804000-memory.dmp

Filesize
336KB

Download
memory/3880-115-0x000001AB1EA60000-0x000001AB1EB60000-memory.dmp

Filesize
1024KB

Download
memory/3880-118-0x000001AB39270000-0x000001AB39292000-memory.dmp

Filesize
136KB

Download
memory/3880-117-0x000001AB3AD80000-0x000001AB3AE12000-memory.dmp

Filesize
584KB

Download
memory/3880-116-0x000001AB3AB80000-0x000001AB3AC80000-memory.dmp

Filesize
1024KB

Download
memory/4152-127-0x00000225A36B0000-0x00000225A3726000-memory.dmp

Filesize
472KB

Download

Resubmissions

Analysis

Sharing