1cf4ca22e9fae2f14ec510910ca68dbe2bdad715af613b391bcb53414ddeb19f

General

Target

51a709bfee4438611f3afbe3fd4a9257.exe
Size

580KB
MD5

51a709bfee4438611f3afbe3fd4a9257
SHA1

7352a87e19c7b949643811d50b0a6f0e170cf6ac
SHA256

1cf4ca22e9fae2f14ec510910ca68dbe2bdad715af613b391bcb53414ddeb19f
SHA512

e5a46cbd165dc71893740d043816f7802dfb5126f2527eadb6372921c14c5477623da493f83da08b0f075ed630fb8ac447358d2590a179bb9ff530b840c33b16
SSDEEP

12288:PKqjWycOHr+5n1UxrSAHAhsxwpdBLIartbDA+VI2CZQi6sFIMyYOGqa4c:PKgyTmQyaTBN5k+VI2Cx6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2008	51a709bfee4438611f3afbe3fd4a9257.exe

Loads dropped DLL 1 IoCs

pid	Process
1268	taskeng.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1496	powershell.exe
2008	51a709bfee4438611f3afbe3fd4a9257.exe
2008	51a709bfee4438611f3afbe3fd4a9257.exe
2008	51a709bfee4438611f3afbe3fd4a9257.exe
2008	51a709bfee4438611f3afbe3fd4a9257.exe
2008	51a709bfee4438611f3afbe3fd4a9257.exe
2008	51a709bfee4438611f3afbe3fd4a9257.exe
2008	51a709bfee4438611f3afbe3fd4a9257.exe
328	powershell.exe
328	powershell.exe
328	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	51a709bfee4438611f3afbe3fd4a9257.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	2008	51a709bfee4438611f3afbe3fd4a9257.exe
Token: SeDebugPrivilege	328	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1496	2012	51a709bfee4438611f3afbe3fd4a9257.exe	28
PID 2012 wrote to memory of 1496	2012	51a709bfee4438611f3afbe3fd4a9257.exe	28
PID 2012 wrote to memory of 1496	2012	51a709bfee4438611f3afbe3fd4a9257.exe	28
PID 1268 wrote to memory of 2008	1268	taskeng.exe	31
PID 1268 wrote to memory of 2008	1268	taskeng.exe	31
PID 1268 wrote to memory of 2008	1268	taskeng.exe	31
PID 2008 wrote to memory of 328	2008	51a709bfee4438611f3afbe3fd4a9257.exe	33
PID 2008 wrote to memory of 328	2008	51a709bfee4438611f3afbe3fd4a9257.exe	33
PID 2008 wrote to memory of 328	2008	51a709bfee4438611f3afbe3fd4a9257.exe	33

C:\Users\Admin\AppData\Local\Temp\51a709bfee4438611f3afbe3fd4a9257.exe
"C:\Users\Admin\AppData\Local\Temp\51a709bfee4438611f3afbe3fd4a9257.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496

C:\Windows\system32\taskeng.exe
taskeng.exe {5491C51E-B79D-4CEC-9F4D-BC6808B96BF7} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Roaming\51a709bfee4438611f3afbe3fd4a9257.exe
  C:\Users\Admin\AppData\Roaming\51a709bfee4438611f3afbe3fd4a9257.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 5; Stop-Process 2008 -Force; Start-Sleep -Seconds 2; Remove-Item "C:\Users\Admin\AppData\Roaming\51a709bfee4438611f3afbe3fd4a9257.exe" -Force
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\51a709bfee4438611f3afbe3fd4a9257.exe

Filesize
580KB

MD5
51a709bfee4438611f3afbe3fd4a9257

SHA1
7352a87e19c7b949643811d50b0a6f0e170cf6ac

SHA256
1cf4ca22e9fae2f14ec510910ca68dbe2bdad715af613b391bcb53414ddeb19f

SHA512
e5a46cbd165dc71893740d043816f7802dfb5126f2527eadb6372921c14c5477623da493f83da08b0f075ed630fb8ac447358d2590a179bb9ff530b840c33b16

Download Submit
C:\Users\Admin\AppData\Roaming\51a709bfee4438611f3afbe3fd4a9257.exe

Filesize
580KB

MD5
51a709bfee4438611f3afbe3fd4a9257

SHA1
7352a87e19c7b949643811d50b0a6f0e170cf6ac

SHA256
1cf4ca22e9fae2f14ec510910ca68dbe2bdad715af613b391bcb53414ddeb19f

SHA512
e5a46cbd165dc71893740d043816f7802dfb5126f2527eadb6372921c14c5477623da493f83da08b0f075ed630fb8ac447358d2590a179bb9ff530b840c33b16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
be78ee559badb7f6130cea8b43b83231

SHA1
87a22f420f82798f50032354e0509ef9a4c2ca4d

SHA256
ce9238ee57bf38898c3ce65b5302b22f1eaceaf7a0d112c465f7d3298e75f383

SHA512
8d3c0bc658f1c737f7d80b4d42b138977c9ff83cf57af689c114f77cb13a967d30353e24b6bfb5e45cf77a507ef3e9ff41260bd8b9c9aa17933513bbb6cb5f4c

Download Submit
\Users\Admin\AppData\Roaming\51a709bfee4438611f3afbe3fd4a9257.exe

Filesize
580KB

MD5
51a709bfee4438611f3afbe3fd4a9257

SHA1
7352a87e19c7b949643811d50b0a6f0e170cf6ac

SHA256
1cf4ca22e9fae2f14ec510910ca68dbe2bdad715af613b391bcb53414ddeb19f

SHA512
e5a46cbd165dc71893740d043816f7802dfb5126f2527eadb6372921c14c5477623da493f83da08b0f075ed630fb8ac447358d2590a179bb9ff530b840c33b16

Download Submit
memory/328-82-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/328-83-0x00000000026CB000-0x00000000026EA000-memory.dmp

Filesize
124KB

Download
memory/328-81-0x000007FEF3390000-0x000007FEF3EED000-memory.dmp

Filesize
11.4MB

Download
memory/328-85-0x00000000026CB000-0x00000000026EA000-memory.dmp

Filesize
124KB

Download
memory/328-80-0x000007FEF3EF0000-0x000007FEF4913000-memory.dmp

Filesize
10.1MB

Download
memory/328-84-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/1496-63-0x000007FEFC361000-0x000007FEFC363000-memory.dmp

Filesize
8KB

Download
memory/1496-74-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1496-66-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1496-65-0x000007FEF60D0000-0x000007FEF6C2D000-memory.dmp

Filesize
11.4MB

Download
memory/1496-72-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1496-73-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/2008-76-0x000000001B346000-0x000000001B365000-memory.dmp

Filesize
124KB

Download
memory/2008-71-0x000000013F150000-0x000000013F1E6000-memory.dmp

Filesize
600KB

Download
memory/2012-54-0x000000013F2B0000-0x000000013F346000-memory.dmp

Filesize
600KB

Download
memory/2012-61-0x000000001B4A0000-0x000000001B4F4000-memory.dmp

Filesize
336KB

Download
memory/2012-60-0x000000001ACC0000-0x000000001AD0C000-memory.dmp

Filesize
304KB

Download
memory/2012-59-0x00000000024E0000-0x0000000002536000-memory.dmp

Filesize
344KB

Download
memory/2012-58-0x000000001B400000-0x000000001B49E000-memory.dmp

Filesize
632KB

Download
memory/2012-57-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/2012-56-0x0000000000960000-0x00000000009E8000-memory.dmp

Filesize
544KB

Download
memory/2012-55-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing