fc729002ac4f2ca65757920fe60351d318b329d854cbf709addf0761d0c68664

Analysis

max time kernel
75s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-02-2023 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e5fadebbb63160d78fab09972b795f7.exe
Size

2.1MB
MD5

0e5fadebbb63160d78fab09972b795f7
SHA1

64259d7e08928f9b2f5a8639ba970d8f36b904d6
SHA256

fc729002ac4f2ca65757920fe60351d318b329d854cbf709addf0761d0c68664
SHA512

949ab8bdb2e60941231faa2e744a78c8f7153536013296c459d025ce67ecd7bcf38c8f024fe4d7d79c0cc973781a4725ff07a2d1a32bb9286c0f41fcac6ebe96
SSDEEP

49152:LTQrHkWhCQyTmeBm/o56gJetPDI+55De8dKbfstgi/:WCrTPm/osgJi8+fzkfs//

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
668	0e5fadebbb63160d78fab09972b795f7.exe
668	0e5fadebbb63160d78fab09972b795f7.exe
668	0e5fadebbb63160d78fab09972b795f7.exe
668	0e5fadebbb63160d78fab09972b795f7.exe
668	0e5fadebbb63160d78fab09972b795f7.exe
668	0e5fadebbb63160d78fab09972b795f7.exe
668	0e5fadebbb63160d78fab09972b795f7.exe
668	0e5fadebbb63160d78fab09972b795f7.exe
668	0e5fadebbb63160d78fab09972b795f7.exe
668	0e5fadebbb63160d78fab09972b795f7.exe
816	powershell.exe
1684	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	0e5fadebbb63160d78fab09972b795f7.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 816	668	0e5fadebbb63160d78fab09972b795f7.exe	28
PID 668 wrote to memory of 816	668	0e5fadebbb63160d78fab09972b795f7.exe	28
PID 668 wrote to memory of 816	668	0e5fadebbb63160d78fab09972b795f7.exe	28
PID 668 wrote to memory of 816	668	0e5fadebbb63160d78fab09972b795f7.exe	28
PID 668 wrote to memory of 1684	668	0e5fadebbb63160d78fab09972b795f7.exe	30
PID 668 wrote to memory of 1684	668	0e5fadebbb63160d78fab09972b795f7.exe	30
PID 668 wrote to memory of 1684	668	0e5fadebbb63160d78fab09972b795f7.exe	30
PID 668 wrote to memory of 1684	668	0e5fadebbb63160d78fab09972b795f7.exe	30
PID 668 wrote to memory of 676	668	0e5fadebbb63160d78fab09972b795f7.exe	31
PID 668 wrote to memory of 676	668	0e5fadebbb63160d78fab09972b795f7.exe	31
PID 668 wrote to memory of 676	668	0e5fadebbb63160d78fab09972b795f7.exe	31
PID 668 wrote to memory of 676	668	0e5fadebbb63160d78fab09972b795f7.exe	31
PID 668 wrote to memory of 1540	668	0e5fadebbb63160d78fab09972b795f7.exe	34
PID 668 wrote to memory of 1540	668	0e5fadebbb63160d78fab09972b795f7.exe	34
PID 668 wrote to memory of 1540	668	0e5fadebbb63160d78fab09972b795f7.exe	34
PID 668 wrote to memory of 1540	668	0e5fadebbb63160d78fab09972b795f7.exe	34
PID 668 wrote to memory of 1560	668	0e5fadebbb63160d78fab09972b795f7.exe	35
PID 668 wrote to memory of 1560	668	0e5fadebbb63160d78fab09972b795f7.exe	35
PID 668 wrote to memory of 1560	668	0e5fadebbb63160d78fab09972b795f7.exe	35
PID 668 wrote to memory of 1560	668	0e5fadebbb63160d78fab09972b795f7.exe	35
PID 668 wrote to memory of 1516	668	0e5fadebbb63160d78fab09972b795f7.exe	36
PID 668 wrote to memory of 1516	668	0e5fadebbb63160d78fab09972b795f7.exe	36
PID 668 wrote to memory of 1516	668	0e5fadebbb63160d78fab09972b795f7.exe	36
PID 668 wrote to memory of 1516	668	0e5fadebbb63160d78fab09972b795f7.exe	36
PID 668 wrote to memory of 1756	668	0e5fadebbb63160d78fab09972b795f7.exe	37
PID 668 wrote to memory of 1756	668	0e5fadebbb63160d78fab09972b795f7.exe	37
PID 668 wrote to memory of 1756	668	0e5fadebbb63160d78fab09972b795f7.exe	37
PID 668 wrote to memory of 1756	668	0e5fadebbb63160d78fab09972b795f7.exe	37
PID 668 wrote to memory of 1260	668	0e5fadebbb63160d78fab09972b795f7.exe	38
PID 668 wrote to memory of 1260	668	0e5fadebbb63160d78fab09972b795f7.exe	38
PID 668 wrote to memory of 1260	668	0e5fadebbb63160d78fab09972b795f7.exe	38
PID 668 wrote to memory of 1260	668	0e5fadebbb63160d78fab09972b795f7.exe	38

C:\Users\Admin\AppData\Local\Temp\0e5fadebbb63160d78fab09972b795f7.exe
"C:\Users\Admin\AppData\Local\Temp\0e5fadebbb63160d78fab09972b795f7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0e5fadebbb63160d78fab09972b795f7.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OHAxhhFlhLD.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OHAxhhFlhLD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp53F.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:676
- C:\Users\Admin\AppData\Local\Temp\0e5fadebbb63160d78fab09972b795f7.exe
  "C:\Users\Admin\AppData\Local\Temp\0e5fadebbb63160d78fab09972b795f7.exe"
  2⤵
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\0e5fadebbb63160d78fab09972b795f7.exe
  "C:\Users\Admin\AppData\Local\Temp\0e5fadebbb63160d78fab09972b795f7.exe"
  2⤵
  PID:1560
- C:\Users\Admin\AppData\Local\Temp\0e5fadebbb63160d78fab09972b795f7.exe
  "C:\Users\Admin\AppData\Local\Temp\0e5fadebbb63160d78fab09972b795f7.exe"
  2⤵
  PID:1516
- C:\Users\Admin\AppData\Local\Temp\0e5fadebbb63160d78fab09972b795f7.exe
  "C:\Users\Admin\AppData\Local\Temp\0e5fadebbb63160d78fab09972b795f7.exe"
  2⤵
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\0e5fadebbb63160d78fab09972b795f7.exe
  "C:\Users\Admin\AppData\Local\Temp\0e5fadebbb63160d78fab09972b795f7.exe"
  2⤵
  PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp53F.tmp

Filesize
1KB

MD5
7e27a57ca0363b47c5a883cd84bd21b7

SHA1
9f40f0b545ccabe599de4e1b580c7cc16d0f013c

SHA256
9e71bd2085431f14145f71c86be5f1920cceb8169780a6152eee0a774099681d

SHA512
e14386e84ec40ed797543a83b0ea110c6c18877933ede0ad386957e11557e12ebaf5f24f60092cdec3bfb9f8550df5f869ec9a92a6b2db21738b6247a4cd46b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0822b979676e2929d9a2ac57523c8c7a

SHA1
cd1e8e182a71941c7af8a2e722c037e716bb1a36

SHA256
58d67692db6eb8fdaec532d5ae24c0a780873075964afe00fdd05964c1ade399

SHA512
6b225a48dc7f5a510070fead877efc446c8f2cba520e5eaac142a8fb0780adbc4ab7cd1ef3b5fcea022e4c783ad4e4bcffb7e6f1bb92744a0b734e3c67a17d8b

Download Submit
memory/668-57-0x0000000001F40000-0x0000000001F4C000-memory.dmp

Filesize
48KB

Download
memory/668-54-0x00000000000E0000-0x00000000002F6000-memory.dmp

Filesize
2.1MB

Download
memory/668-58-0x0000000008490000-0x0000000008664000-memory.dmp

Filesize
1.8MB

Download
memory/668-56-0x00000000007A0000-0x00000000007B4000-memory.dmp

Filesize
80KB

Download
memory/668-55-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/668-66-0x0000000009D60000-0x0000000009EDA000-memory.dmp

Filesize
1.5MB

Download
memory/816-68-0x000000006D120000-0x000000006D6CB000-memory.dmp

Filesize
5.7MB

Download
memory/816-69-0x000000006D120000-0x000000006D6CB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-67-0x000000006D120000-0x000000006D6CB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-70-0x000000006D120000-0x000000006D6CB000-memory.dmp

Filesize
5.7MB

Download