3e7ce7699a593f1d639a4aa2c8677a3de3ecff16703ab56bc7fea72236c3792a

General

Target

ce5c4f58083434d5fe6f9e070a7a1c53.exe
Size

580KB
MD5

ce5c4f58083434d5fe6f9e070a7a1c53
SHA1

f8264dfb89cc00365e61810e860916ee9a461ae2
SHA256

3e7ce7699a593f1d639a4aa2c8677a3de3ecff16703ab56bc7fea72236c3792a
SHA512

588ca0d4dc723010eb30a50bb71101d0370a59bd5fef01283a655bfa930f789349afc27f3df7b4f1f5b5942d484cc1852f68abb0c75874bbecba52172be9febb
SSDEEP

12288:5nXijMFGimJdnrMqJGWK6ahfqeKTTkmB/cIuYJ0SYXs5q24G6:5nXi9im3rMqJGWKtniZu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1636	ce5c4f58083434d5fe6f9e070a7a1c53.exe

Loads dropped DLL 1 IoCs

pid	Process
520	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1480	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	ce5c4f58083434d5fe6f9e070a7a1c53.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	1636	ce5c4f58083434d5fe6f9e070a7a1c53.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1480	1572	ce5c4f58083434d5fe6f9e070a7a1c53.exe	27
PID 1572 wrote to memory of 1480	1572	ce5c4f58083434d5fe6f9e070a7a1c53.exe	27
PID 1572 wrote to memory of 1480	1572	ce5c4f58083434d5fe6f9e070a7a1c53.exe	27
PID 520 wrote to memory of 1636	520	taskeng.exe	30
PID 520 wrote to memory of 1636	520	taskeng.exe	30
PID 520 wrote to memory of 1636	520	taskeng.exe	30

C:\Users\Admin\AppData\Local\Temp\ce5c4f58083434d5fe6f9e070a7a1c53.exe
"C:\Users\Admin\AppData\Local\Temp\ce5c4f58083434d5fe6f9e070a7a1c53.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480

C:\Windows\system32\taskeng.exe
taskeng.exe {59632A3A-CC90-4013-A5CE-E5A053A2FCAD} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Roaming\ce5c4f58083434d5fe6f9e070a7a1c53.exe
  C:\Users\Admin\AppData\Roaming\ce5c4f58083434d5fe6f9e070a7a1c53.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ce5c4f58083434d5fe6f9e070a7a1c53.exe

Filesize
580KB

MD5
ce5c4f58083434d5fe6f9e070a7a1c53

SHA1
f8264dfb89cc00365e61810e860916ee9a461ae2

SHA256
3e7ce7699a593f1d639a4aa2c8677a3de3ecff16703ab56bc7fea72236c3792a

SHA512
588ca0d4dc723010eb30a50bb71101d0370a59bd5fef01283a655bfa930f789349afc27f3df7b4f1f5b5942d484cc1852f68abb0c75874bbecba52172be9febb

Download Submit
C:\Users\Admin\AppData\Roaming\ce5c4f58083434d5fe6f9e070a7a1c53.exe

Filesize
580KB

MD5
ce5c4f58083434d5fe6f9e070a7a1c53

SHA1
f8264dfb89cc00365e61810e860916ee9a461ae2

SHA256
3e7ce7699a593f1d639a4aa2c8677a3de3ecff16703ab56bc7fea72236c3792a

SHA512
588ca0d4dc723010eb30a50bb71101d0370a59bd5fef01283a655bfa930f789349afc27f3df7b4f1f5b5942d484cc1852f68abb0c75874bbecba52172be9febb

Download Submit
\Users\Admin\AppData\Roaming\ce5c4f58083434d5fe6f9e070a7a1c53.exe

Filesize
580KB

MD5
ce5c4f58083434d5fe6f9e070a7a1c53

SHA1
f8264dfb89cc00365e61810e860916ee9a461ae2

SHA256
3e7ce7699a593f1d639a4aa2c8677a3de3ecff16703ab56bc7fea72236c3792a

SHA512
588ca0d4dc723010eb30a50bb71101d0370a59bd5fef01283a655bfa930f789349afc27f3df7b4f1f5b5942d484cc1852f68abb0c75874bbecba52172be9febb

Download Submit
memory/1480-66-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/1480-73-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/1480-74-0x00000000027CB000-0x00000000027EA000-memory.dmp

Filesize
124KB

Download
memory/1480-72-0x00000000027CB000-0x00000000027EA000-memory.dmp

Filesize
124KB

Download
memory/1480-65-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/1480-63-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/1480-64-0x000007FEEE290000-0x000007FEEECB3000-memory.dmp

Filesize
10.1MB

Download
memory/1572-59-0x0000000000610000-0x0000000000666000-memory.dmp

Filesize
344KB

Download
memory/1572-61-0x000000001B4C0000-0x000000001B514000-memory.dmp

Filesize
336KB

Download
memory/1572-60-0x000000001ADA0000-0x000000001ADEC000-memory.dmp

Filesize
304KB

Download
memory/1572-54-0x000000013FB00000-0x000000013FB96000-memory.dmp

Filesize
600KB

Download
memory/1572-58-0x000000001AD00000-0x000000001AD9E000-memory.dmp

Filesize
632KB

Download
memory/1572-57-0x00000000005D0000-0x00000000005D6000-memory.dmp

Filesize
24KB

Download
memory/1572-56-0x000000001AC00000-0x000000001AC88000-memory.dmp

Filesize
544KB

Download
memory/1572-55-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/1636-71-0x000000013FB80000-0x000000013FC16000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing