07f394e3db99be6f61c72753ed941e38b485fe436ddc02358dfa34c39ac9e0c5

General

Target

titles.lnk
Size

1KB
MD5

cd40170ef364117a2ee437c47ec6b564
SHA1

48346fe1585ead2a8ab4f5fdccd264c5f9cd502a
SHA256

24bb33a3a191cb0fba721820a31a8560abd7b3d0fafabe5f85a700e47772b571
SHA512

a901f85abbb2be9d8f2165de0aceb502c8c95797c987ad0fea4a9781eaf509d2e1e4ccd5b1c51eb4b16d86a78fcb25c52d20b91623c0511c89c4eb585f6b209f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1728	powershell.exe
1728	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1728	2036	cmd.exe	28
PID 2036 wrote to memory of 1728	2036	cmd.exe	28
PID 2036 wrote to memory of 1728	2036	cmd.exe	28
PID 1728 wrote to memory of 1340	1728	powershell.exe	29
PID 1728 wrote to memory of 1340	1728	powershell.exe	29
PID 1728 wrote to memory of 1340	1728	powershell.exe	29
PID 1340 wrote to memory of 968	1340	csc.exe	30
PID 1340 wrote to memory of 968	1340	csc.exe	30
PID 1340 wrote to memory of 968	1340	csc.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\titles.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file comics.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qexahram.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B02.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1B01.tmp"
      4⤵
      PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1B02.tmp

Filesize
1KB

MD5
d2ad9119c539f0be94761ce67d0c5585

SHA1
30a0547cf35c3904b7a82117e4595585918791c6

SHA256
1140ea3fcf6e14827b3ddee34cf45ae82aa44aa1d8e5fca9e531e689304ca93c

SHA512
e6e920f8a58132646c20d8ec226f6c77c672cc7b58481e5e3b0795d416cbadc244e8d7eaf433b60ae78794762bab94bc678273bece6150500e037fc71bb1f86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qexahram.dll

Filesize
3KB

MD5
3f391270d1956b936c8e317798b7137a

SHA1
68dae32d1bd80249466ea16716519d8599df29e3

SHA256
750e334ca369f979a2b24bc321c3a625ab753024dee479c0f9a83be14ba33608

SHA512
fc05301751eecc0cc3a03f3d543de3b5dc0bf2d2a1f0d817d8340e75d76f1f54082f1202eed8a941dc538800aad4df5cc1782f071468ecd4ba83441fea4cb1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\qexahram.pdb

Filesize
7KB

MD5
a21e3cf057cc5373f2ae89c0c3f42abd

SHA1
c601c426f74b61039484bf57cfab8651ece35082

SHA256
71d851cb073145a8c9c0e4d5a67a82e0f8484f4c4c4014f4eec50ea9bad9b6e8

SHA512
37a5b9d8f8e811b9c7771935a58ed6855a8be54e8e8baede04a5633863a9cde809e2b5d6f64679c2129447b22011b3c825eb85fd3d8a7676e360acc0249fce1f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1B01.tmp

Filesize
652B

MD5
1cc2d48d5b7b06a86a56e07301ec914b

SHA1
8d7d54a04163bdeda281f4bceef6568b76df3001

SHA256
f4795c1f965f5f545a1a5b6fe91e0a657478d8206d9ba2615b74371c65d17034

SHA512
6dfef9888b44cf86896b3247b517793127bd70fa7b2d90ddbc3ac11760f3301024e81b88489317fd8a61ce4cef52dded0171c7e82275678ab9beebcd342f3c0d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qexahram.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qexahram.cmdline

Filesize
309B

MD5
015eb74e813257d802bed387abf7561c

SHA1
0ffa671e6d35129e182a9af574145881877faa62

SHA256
816cbadf7b40f52b3386e91c2ae589e88702b5bb4915ce9c34877153f12da2c9

SHA512
ac1964359e499584bfb9580bf58597219b4d9173d86f0805f260781d914c6439c46fcba87a55e882a22a42fd49b9e90d1737a1aa5ad14ecf02e97ed57852e101

Download Submit
memory/1728-92-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/1728-93-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/1728-94-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/1728-95-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/1728-96-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/1728-110-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing