7ce7ca5deeb35f3cce19ca4e01e28aebe9f1b03dc8778a2e85e0d515a6df1a3e

General

Target

c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
Size

1.1MB
MD5

e9ad14c57de3288fd9de4d5cdcbf66e0
SHA1

c21ec1560b66e3e4581a8c6cb41fa769527cfd7a
SHA256

7ce7ca5deeb35f3cce19ca4e01e28aebe9f1b03dc8778a2e85e0d515a6df1a3e
SHA512

61199ba16efbe0036e909a05b46ce41a36b019bc6af9cdd8c39bde1ff595d0309bbaca766820c9bfef9d221d3bc850cd5f7e42729fc43a1d5d6a1fb6c8236ba5
SSDEEP

24576:e0pUTyvWX1Qf+cBX0RxfAx5lv2s6MDYTbJNkj:TUT3XTcR0zIBv2lMDYTbJNM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

460 schtasks.exe

pid	process
460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exepowershell.exe

pid	process
1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
1492	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1732 c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
Token: SeDebugPrivilege 1492 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
Token: SeDebugPrivilege	1492	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe

C:\Users\Admin\AppData\Local\Temp\c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
"C:\Users\Admin\AppData\Local\Temp\c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nLaCRhtjINQTQ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nLaCRhtjINQTQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E91.tmp"
2⤵
- Creates scheduled task(s)
PID:460

C:\Users\Admin\AppData\Local\Temp\c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
"C:\Users\Admin\AppData\Local\Temp\c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe"
2⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
"C:\Users\Admin\AppData\Local\Temp\c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe"
2⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
"C:\Users\Admin\AppData\Local\Temp\c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe"
2⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
"C:\Users\Admin\AppData\Local\Temp\c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe"
2⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
"C:\Users\Admin\AppData\Local\Temp\c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe"
2⤵
PID:1636

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9E91.tmp
Filesize
1KB

MD5
cf859c4acaf18a86b9d8e56a31fc9221

SHA1
20290fad0677a2e24b0ab99026927c2588ac7957

SHA256
28ef62baa324be4c4278e1917383b52145f73575d3c90d3f13f411721226126d

SHA512
5e2a95de7ddda7cbdcea087b2f6aa7d66d46c78ce80578e122d24a1362aa7e5ffb580f0ab9f73c3ac8833b1e0763644169b83a7343ea08f01c4306766594b1a2

Download Submit
memory/460-61-0x0000000000000000-mapping.dmp

Download
memory/1492-59-0x0000000000000000-mapping.dmp

Download
memory/1492-64-0x000000006E690000-0x000000006EC3B000-memory.dmp

Filesize
5.7MB

Download
memory/1492-65-0x000000006E690000-0x000000006EC3B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-54-0x00000000003D0000-0x00000000004E6000-memory.dmp

Filesize
1.1MB

Download
memory/1732-55-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/1732-56-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/1732-57-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/1732-58-0x0000000005570000-0x0000000005608000-memory.dmp

Filesize
608KB

Download
memory/1732-63-0x0000000004E30000-0x0000000004E8E000-memory.dmp

Filesize
376KB

Download

description	pid	process	target process
PID 1732 wrote to memory of 1492	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	powershell.exe
PID 1732 wrote to memory of 1492	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	powershell.exe
PID 1732 wrote to memory of 1492	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	powershell.exe
PID 1732 wrote to memory of 1492	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	powershell.exe
PID 1732 wrote to memory of 460	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	schtasks.exe
PID 1732 wrote to memory of 460	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	schtasks.exe
PID 1732 wrote to memory of 460	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	schtasks.exe
PID 1732 wrote to memory of 460	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	schtasks.exe
PID 1732 wrote to memory of 2000	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 2000	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 2000	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 2000	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 920	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 920	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 920	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 920	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 1520	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 1520	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 1520	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 1520	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 668	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 668	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 668	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 668	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 1636	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 1636	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 1636	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe
PID 1732 wrote to memory of 1636	1732	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe	c21ec1560b66e3e4581a8c6cb41fa769527cfd7a.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads