7ff1e5591884821027c211ee2cbca5e94f6784caaa1dc3462ede047daf831570 | Triage

Analysis

max time kernel
52s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/02/2023, 07:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ReduceMemory/ReduceMemory.exe
Size

776KB
MD5

0d626331715cc35aa377a8503f85c92a
SHA1

26aad89595f00068151d3676297ceec394e718af
SHA256

3e541100c869dba06ee62252a9661e5a06c2e685a7ddd5288ea1358703412385
SHA512

6dcdc39672dd00873c55753ba02ad05dc61ef028a4de385d5af38f30c4959342ac25f0ae936a19fb29100a49ab379f16f5288578434e1aea83b03e596d999996
SSDEEP

12288:UaWzgMg7v3qnCiHErQohh0F4aCJ8lny7QSpJJ9vZ+dAy2s:LaHMv6C7rjCny7QQx+Is

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1008	ReduceMemory.exe
1008	ReduceMemory.exe
1008	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1008	ReduceMemory.exe
Token: SeAssignPrimaryTokenPrivilege	1008	ReduceMemory.exe
Token: SeIncreaseQuotaPrivilege	1008	ReduceMemory.exe
Token: 0	1008	ReduceMemory.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe
336	ReduceMemory.exe

C:\Users\Admin\AppData\Local\Temp\ReduceMemory\ReduceMemory.exe
"C:\Users\Admin\AppData\Local\Temp\ReduceMemory\ReduceMemory.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008
- C:\Users\Admin\AppData\Local\Temp\ReduceMemory\ReduceMemory.exe
  C:\Users\Admin\AppData\Local\Temp\ReduceMemory\ReduceMemory.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download