b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

General

Target

b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
Size

1006KB
MD5

8fb066db4762a35fac7f31cedd97cab7
SHA1

5e77aa679dba9ce1ba300de84c40e86f4b8d3864
SHA256

b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73
SHA512

2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498
SSDEEP

24576:6RL1fJwm75YaYh0kpwIzOalXqBpSnJh9whgefucd9Tb7:CxRwm1lYhLpwISIXqzSn/9whBfbxb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

Loads dropped DLL 1 IoCs

pid	Process
304	taskeng.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 1212	1972	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	29
PID 1940 set thread context of 1696	1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1728	powershell.exe
1972	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1800	powershell.exe
1644	powershell.exe
1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1972	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
Token: SeDebugPrivilege	1212	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
Token: SeDebugPrivilege	1696	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1728	1972	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	27
PID 1972 wrote to memory of 1728	1972	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	27
PID 1972 wrote to memory of 1728	1972	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	27
PID 1972 wrote to memory of 1212	1972	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	29
PID 1972 wrote to memory of 1212	1972	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	29
PID 1972 wrote to memory of 1212	1972	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	29
PID 1972 wrote to memory of 1212	1972	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	29
PID 1972 wrote to memory of 1212	1972	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	29
PID 1972 wrote to memory of 1212	1972	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	29
PID 1972 wrote to memory of 1212	1972	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	29
PID 1212 wrote to memory of 1800	1212	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	30
PID 1212 wrote to memory of 1800	1212	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	30
PID 1212 wrote to memory of 1800	1212	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	30
PID 304 wrote to memory of 1940	304	taskeng.exe	33
PID 304 wrote to memory of 1940	304	taskeng.exe	33
PID 304 wrote to memory of 1940	304	taskeng.exe	33
PID 1940 wrote to memory of 1644	1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	34
PID 1940 wrote to memory of 1644	1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	34
PID 1940 wrote to memory of 1644	1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	34
PID 1940 wrote to memory of 1696	1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	36
PID 1940 wrote to memory of 1696	1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	36
PID 1940 wrote to memory of 1696	1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	36
PID 1940 wrote to memory of 1696	1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	36
PID 1940 wrote to memory of 1696	1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	36
PID 1940 wrote to memory of 1696	1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	36
PID 1940 wrote to memory of 1696	1940	b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe	36

C:\Users\Admin\AppData\Local\Temp\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
"C:\Users\Admin\AppData\Local\Temp\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
  C:\Users\Admin\AppData\Local\Temp\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800

C:\Windows\system32\taskeng.exe
taskeng.exe {BC5001AD-0C6E-4FD3-B033-91A890EAFC5E} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:304
- C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
  C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
    C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
73af784f3ea9f2615c26cbc819938856

SHA1
254508f5c4d1ca06d698d184ea62110d941a0026

SHA256
53eea0310571692f57d98fc698630d474bcb12007c78420c1f5e40c13b6a3fe7

SHA512
a03ea56e479a598ae44c5d02b88ba3dbb0795ea9cbf7df94aaa7d9287f25fa057aa8981e18baa77c7bbe85da87588a082b22c22043c7455272982e27860ef38c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
73af784f3ea9f2615c26cbc819938856

SHA1
254508f5c4d1ca06d698d184ea62110d941a0026

SHA256
53eea0310571692f57d98fc698630d474bcb12007c78420c1f5e40c13b6a3fe7

SHA512
a03ea56e479a598ae44c5d02b88ba3dbb0795ea9cbf7df94aaa7d9287f25fa057aa8981e18baa77c7bbe85da87588a082b22c22043c7455272982e27860ef38c

Download Submit
C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

Filesize
1006KB

MD5
8fb066db4762a35fac7f31cedd97cab7

SHA1
5e77aa679dba9ce1ba300de84c40e86f4b8d3864

SHA256
b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

SHA512
2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498

Download Submit
C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

Filesize
1006KB

MD5
8fb066db4762a35fac7f31cedd97cab7

SHA1
5e77aa679dba9ce1ba300de84c40e86f4b8d3864

SHA256
b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

SHA512
2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498

Download Submit
C:\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

Filesize
1006KB

MD5
8fb066db4762a35fac7f31cedd97cab7

SHA1
5e77aa679dba9ce1ba300de84c40e86f4b8d3864

SHA256
b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

SHA512
2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498

Download Submit
\Users\Admin\AppData\Roaming\b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73.exe

Filesize
1006KB

MD5
8fb066db4762a35fac7f31cedd97cab7

SHA1
5e77aa679dba9ce1ba300de84c40e86f4b8d3864

SHA256
b7581c0e2dc71578ffd55e69ce2c306a4372b8d11a4f34d2eb2ba7780e757b73

SHA512
2d9104e01763315394103ca44b17ce702e7aa86e098c75f8497a2a9df175ef5ed53015b2520d7c35d2f713e566e4ae987aad9f4e1497b248bc3099f09b0ca498

Download Submit
memory/1212-67-0x0000000140000000-0x0000000140078000-memory.dmp

Filesize
480KB

Download
memory/1212-77-0x0000000000610000-0x0000000000666000-memory.dmp

Filesize
344KB

Download
memory/1212-79-0x00000000023E0000-0x0000000002434000-memory.dmp

Filesize
336KB

Download
memory/1212-78-0x0000000002290000-0x00000000022DC000-memory.dmp

Filesize
304KB

Download
memory/1212-75-0x000000001AE30000-0x000000001AED0000-memory.dmp

Filesize
640KB

Download
memory/1212-70-0x0000000140000000-0x0000000140078000-memory.dmp

Filesize
480KB

Download
memory/1212-68-0x0000000140000000-0x0000000140078000-memory.dmp

Filesize
480KB

Download
memory/1212-71-0x0000000140000000-0x0000000140078000-memory.dmp

Filesize
480KB

Download
memory/1644-103-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/1644-102-0x00000000023FB000-0x000000000241A000-memory.dmp

Filesize
124KB

Download
memory/1644-104-0x00000000023FB000-0x000000000241A000-memory.dmp

Filesize
124KB

Download
memory/1644-99-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/1644-97-0x000007FEF24D0000-0x000007FEF2EF3000-memory.dmp

Filesize
10.1MB

Download
memory/1644-98-0x000007FEED960000-0x000007FEEE4BD000-memory.dmp

Filesize
11.4MB

Download
memory/1696-115-0x000000001BF36000-0x000000001BF55000-memory.dmp

Filesize
124KB

Download
memory/1728-66-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/1728-60-0x000007FEEBF20000-0x000007FEEC943000-memory.dmp

Filesize
10.1MB

Download
memory/1728-62-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/1728-61-0x000007FEEB3C0000-0x000007FEEBF1D000-memory.dmp

Filesize
11.4MB

Download
memory/1728-63-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/1728-64-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/1728-65-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/1800-87-0x000000000281B000-0x000000000283A000-memory.dmp

Filesize
124KB

Download
memory/1800-86-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1800-85-0x000007FEED960000-0x000007FEEE4BD000-memory.dmp

Filesize
11.4MB

Download
memory/1800-101-0x000000000281B000-0x000000000283A000-memory.dmp

Filesize
124KB

Download
memory/1800-100-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/1940-112-0x00000000008B6000-0x00000000008D5000-memory.dmp

Filesize
124KB

Download
memory/1940-92-0x0000000000F40000-0x0000000001040000-memory.dmp

Filesize
1024KB

Download
memory/1972-54-0x0000000000B80000-0x0000000000C80000-memory.dmp

Filesize
1024KB

Download
memory/1972-57-0x000000001B330000-0x000000001B3C2000-memory.dmp

Filesize
584KB

Download
memory/1972-56-0x000000001C6F0000-0x000000001C7F0000-memory.dmp

Filesize
1024KB

Download
memory/1972-76-0x000000001BEE6000-0x000000001BF05000-memory.dmp

Filesize
124KB

Download
memory/1972-55-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing