ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb

General

Target

ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe
Size

1.4MB
MD5

939d6f6dd06eb826b27eda72f2ebe9c2
SHA1

2ca7b12d8473867b6667a463aec7588a41ef9803
SHA256

ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb
SHA512

c233dc59a41b1bec43b854d4f880efb3db4c0eeb0c5561b59a8a5e268824cc1a0e9f0dc5f4e98ef630606b2929c6784c97fbe79ac15cc5a6986f36beb2091201
SSDEEP

24576:O6/ZjTQHEFtxd/UdKir+X4vBrgQKf+VtHCi6uOUteZk:xy0Q81YtH1/e

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 1652	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe
Token: SeDebugPrivilege	1652	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 520	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	28
PID 1700 wrote to memory of 520	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	28
PID 1700 wrote to memory of 520	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	28
PID 1700 wrote to memory of 520	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	28
PID 1700 wrote to memory of 1628	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	30
PID 1700 wrote to memory of 1628	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	30
PID 1700 wrote to memory of 1628	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	30
PID 1700 wrote to memory of 1628	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	30
PID 1700 wrote to memory of 1652	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	31
PID 1700 wrote to memory of 1652	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	31
PID 1700 wrote to memory of 1652	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	31
PID 1700 wrote to memory of 1652	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	31
PID 1700 wrote to memory of 1652	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	31
PID 1700 wrote to memory of 1652	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	31
PID 1700 wrote to memory of 1652	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	31
PID 1700 wrote to memory of 1652	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	31
PID 1700 wrote to memory of 1652	1700	ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe	31

C:\Users\Admin\AppData\Local\Temp\ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe
"C:\Users\Admin\AppData\Local\Temp\ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LthjWtJJuAygQr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6CF7.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:520
- C:\Users\Admin\AppData\Local\Temp\ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe
  "{path}"
  2⤵
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6CF7.tmp

Filesize
1KB

MD5
cd945affbaed1e936386d4e6600ae67e

SHA1
11149087e930e7ed6e032c08e269cedd5e2495a6

SHA256
3db66dca96186b40343218b5fabe1347ae3f342e22f822a7c38d3a2a1e1f1fd4

SHA512
11f675558d402991adba9c2b7a5e54507995ad9fa48f034248139562cb3fa9d0e2905608266e97d5920aef11aa2d342bf519987925f8d99b735538c795192bb4

Download Submit
memory/1652-65-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1652-61-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1652-62-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1652-64-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1652-66-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1652-69-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1652-71-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1700-57-0x0000000007E40000-0x0000000007F52000-memory.dmp

Filesize
1.1MB

Download
memory/1700-58-0x0000000004E60000-0x0000000004F24000-memory.dmp

Filesize
784KB

Download
memory/1700-56-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/1700-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1700-54-0x00000000000C0000-0x0000000000236000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads