221a81d66ccd5492f313733aca66534af9350f427c50a6b30c7a65dce1ea0fbb

General

Target

2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe
Size

943KB
MD5

21e603ea77b316cce2ec68a44cd735c7
SHA1

2bc285f3a8bd60f55bd659b360b1c77eab820b5e
SHA256

221a81d66ccd5492f313733aca66534af9350f427c50a6b30c7a65dce1ea0fbb
SHA512

0256baa5a9e545d3936e98a77eebdaa457aaa78c25c2c9717762d2fbaa103ab26f45bb93164a40374ec0b324b538c42992440ffda7df89b8bef621d2a694b39e
SSDEEP

12288:ziWHxYV/jqmkMD2DExj6L+lMBebblLTMGa9EDL9y3r9FibYjIaCJVbDGo:ztHxYgExj6L+lMBebbRMCD7sjIxJDv

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe
940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe
940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe
940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe
940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 1920	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	28
PID 940 wrote to memory of 1920	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	28
PID 940 wrote to memory of 1920	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	28
PID 940 wrote to memory of 1920	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	28
PID 940 wrote to memory of 1916	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	30
PID 940 wrote to memory of 1916	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	30
PID 940 wrote to memory of 1916	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	30
PID 940 wrote to memory of 1916	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	30
PID 940 wrote to memory of 1500	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	31
PID 940 wrote to memory of 1500	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	31
PID 940 wrote to memory of 1500	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	31
PID 940 wrote to memory of 1500	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	31
PID 940 wrote to memory of 1200	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	32
PID 940 wrote to memory of 1200	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	32
PID 940 wrote to memory of 1200	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	32
PID 940 wrote to memory of 1200	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	32
PID 940 wrote to memory of 1208	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	33
PID 940 wrote to memory of 1208	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	33
PID 940 wrote to memory of 1208	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	33
PID 940 wrote to memory of 1208	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	33
PID 940 wrote to memory of 1244	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	34
PID 940 wrote to memory of 1244	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	34
PID 940 wrote to memory of 1244	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	34
PID 940 wrote to memory of 1244	940	2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe	34

C:\Users\Admin\AppData\Local\Temp\2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe
"C:\Users\Admin\AppData\Local\Temp\2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CDNABzJvQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8009.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe
  "{path}"
  2⤵
  PID:1916
- C:\Users\Admin\AppData\Local\Temp\2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe
  "{path}"
  2⤵
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe
  "{path}"
  2⤵
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe
  "{path}"
  2⤵
  PID:1208
- C:\Users\Admin\AppData\Local\Temp\2bc285f3a8bd60f55bd659b360b1c77eab820b5e.exe
  "{path}"
  2⤵
  PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8009.tmp

Filesize
1KB

MD5
6f362ed0ddd7f2450df47f2e2b4ceffd

SHA1
b9f6466b251fa7214f3599a794a3ad1a34baf055

SHA256
5dede807b14dc42b3698cdeaddab890933604e7612ccd8a32313f88abfc9ec32

SHA512
23c32e5d6da5954fdb4cdfc3e5e43d6e3c5dcc0e5a23f1e5808be10e539ff7110cc3265bf51425d0743c5c57a072352bd946680f34383bcd5f6d62488aeabeed

Download Submit
memory/940-54-0x00000000003B0000-0x00000000004A2000-memory.dmp

Filesize
968KB

Download
memory/940-55-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/940-56-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/940-57-0x00000000052A0000-0x000000000531A000-memory.dmp

Filesize
488KB

Download
memory/940-58-0x0000000004590000-0x00000000045CC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads