124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf

General

Target

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
Size

245KB
MD5

e538f67d529d672c55304f3c9ad05392
SHA1

f7ff40a1901d51dd6222b420bbece575b46b2cd2
SHA256

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf
SHA512

22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6
SSDEEP

3072:eTIu4ZQ8M2A1vA7m5+C6ZoEHBAnpK37nXz8o1008Q75wPsoB74tyJhvSK/KkMc/X:LHA1vweOR8CTwPnLKkM/u

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1580 powershell.exe
536 powershell.exe

pid	process
1580	powershell.exe
536	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exevssvc.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1488	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
Token: SeBackupPrivilege	1620	vssvc.exe
Token: SeRestorePrivilege	1620	vssvc.exe
Token: SeAuditPrivilege	1620	vssvc.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe

description	pid	process	target process
PID 1488 wrote to memory of 1580	1488	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe
PID 1488 wrote to memory of 1580	1488	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe
PID 1488 wrote to memory of 1580	1488	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe
PID 1488 wrote to memory of 536	1488	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe
PID 1488 wrote to memory of 536	1488	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe
PID 1488 wrote to memory of 536	1488	124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe
"C:\Users\Admin\AppData\Local\Temp\124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\taskshostw.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskshostw.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a300432f80ed22d0d618b9b87919ec22

SHA1
5e86c5a11d7d38b2cd7884ee5d38ef3279c85dcd

SHA256
f6ec2c8f1b497c35922009c92e4c4bae8af40c9c6b9fdaaa5ff5bd2ec898bf37

SHA512
130aab5d7fe1ead62496b8935270b66f2c678d1e156934d540756d7f4e38a563c920493c79170ce31688d29bcf78d79dc2f5f1b7a058a2deff2115e1db24ff83

Download Submit
memory/536-65-0x0000000000000000-mapping.dmp

Download
memory/536-73-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/536-72-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/536-71-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/536-70-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/536-69-0x000007FEE98E0000-0x000007FEEA43D000-memory.dmp

Filesize
11.4MB

Download
memory/536-68-0x000007FEEA440000-0x000007FEEAE63000-memory.dmp

Filesize
10.1MB

Download
memory/1488-55-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download
memory/1488-54-0x0000000000BF0000-0x0000000000C34000-memory.dmp

Filesize
272KB

Download
memory/1580-59-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/1580-64-0x00000000023DB000-0x00000000023FA000-memory.dmp

Filesize
124KB

Download
memory/1580-63-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/1580-62-0x00000000023DB000-0x00000000023FA000-memory.dmp

Filesize
124KB

Download
memory/1580-61-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1580-60-0x000007FEEA280000-0x000007FEEADDD000-memory.dmp

Filesize
11.4MB

Download
memory/1580-58-0x000007FEEADE0000-0x000007FEEB803000-memory.dmp

Filesize
10.1MB

Download
memory/1580-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing