8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69

General

Target

A1DB2DK7S9.CNT.exe
Size

2.1MB
MD5

9cb1667d78bac6997eefe37a44397558
SHA1

992651316c65ac2f6e0bd301543bea6c6cc507b1
SHA256

8f130ed18524730bdeab3cb340518acddaa6fb8ed2947bcbf902b2b94b2cdb69
SHA512

21e73434d0ba367f6eb45fd92b24f3d1567ef6aaccee2871620cf311f698b8ec3ac22261c95931f6a998ba1e3f8f3bc06b119d8164ddd2e4d376edb00c933a69
SSDEEP

24576:RUMPXPReQkyrfVQHxsvw2HuSOVyrGYZF0CV8twiylCS9u+cY7KPJ+HlD9IExKMac:3pe9qNQHxfwGUlype8+cY7KUx3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

584 schtasks.exe

pid	process
584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

A1DB2DK7S9.CNT.exepowershell.exepowershell.exe

pid	process
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
1540	A1DB2DK7S9.CNT.exe
692	powershell.exe
1512	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

A1DB2DK7S9.CNT.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1540 A1DB2DK7S9.CNT.exe
Token: SeDebugPrivilege 1512 powershell.exe
Token: SeDebugPrivilege 692 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1540	A1DB2DK7S9.CNT.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

A1DB2DK7S9.CNT.exe

description	pid	process	target process
PID 1540 wrote to memory of 692	1540	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1540 wrote to memory of 692	1540	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1540 wrote to memory of 692	1540	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1540 wrote to memory of 692	1540	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1540 wrote to memory of 1512	1540	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1540 wrote to memory of 1512	1540	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1540 wrote to memory of 1512	1540	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1540 wrote to memory of 1512	1540	A1DB2DK7S9.CNT.exe	powershell.exe
PID 1540 wrote to memory of 584	1540	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 1540 wrote to memory of 584	1540	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 1540 wrote to memory of 584	1540	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 1540 wrote to memory of 584	1540	A1DB2DK7S9.CNT.exe	schtasks.exe
PID 1540 wrote to memory of 1572	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 1572	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 1572	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 1572	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 896	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 896	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 896	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 896	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 656	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 656	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 656	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 656	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 800	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 800	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 800	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 800	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 752	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 752	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 752	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe
PID 1540 wrote to memory of 752	1540	A1DB2DK7S9.CNT.exe	A1DB2DK7S9.CNT.exe

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vWYrDTb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vWYrDTb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C2.tmp"
2⤵
- Creates scheduled task(s)
PID:584

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
PID:656

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe
"C:\Users\Admin\AppData\Local\Temp\A1DB2DK7S9.CNT.exe"
2⤵
PID:752

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4C2.tmp
Filesize
1KB

MD5
cf34ae4fe2bd329f642d6deacec14d1d

SHA1
4965afd754021cceceda64432a6d9d24d73a8541

SHA256
01bf1e58bedacafa28e163a506bc2d888e12216d27d59eb49d40a984ba3aa593

SHA512
ed099736de8f974e8ff5f07057f3a88a04f842ddf510e751e334d5432244f14d15a13a75e66825fac63ca6ae68edf41e491bfec0fab9b2eb611388664f544fcb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SILWCY6IAE0D3NYQPKMA.temp
Filesize
7KB

MD5
0adc5a423ebda054020cce07488a5625

SHA1
cd0c4f394fb610b5043228e0cf87d56cf9ae5db2

SHA256
e02473bf82551883a21d19c546a34c12d27c05928050484ec972181879496787

SHA512
b03b3a7084242f186d8e3fca927ce1eb65ffd772dd9c38940d373068e0ffb03072d4e6619986e902edb02de3d0bc1b8b1f3790a41c40bf35ebdd31f8ff2bdae8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0adc5a423ebda054020cce07488a5625

SHA1
cd0c4f394fb610b5043228e0cf87d56cf9ae5db2

SHA256
e02473bf82551883a21d19c546a34c12d27c05928050484ec972181879496787

SHA512
b03b3a7084242f186d8e3fca927ce1eb65ffd772dd9c38940d373068e0ffb03072d4e6619986e902edb02de3d0bc1b8b1f3790a41c40bf35ebdd31f8ff2bdae8

Download Submit
memory/692-75-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/1512-76-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/1512-74-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/1512-73-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/1540-57-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/1540-59-0x0000000005C90000-0x0000000005DFA000-memory.dmp

Filesize
1.4MB

Download
memory/1540-72-0x00000000081C0000-0x00000000082A8000-memory.dmp

Filesize
928KB

Download
memory/1540-58-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/1540-54-0x0000000000200000-0x000000000041E000-memory.dmp

Filesize
2.1MB

Download
memory/1540-56-0x0000000000750000-0x0000000000764000-memory.dmp

Filesize
80KB

Download
memory/1540-55-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads