e42d1655cf256fb3d144d5eb4d7264e5caf50c2379f76859dcee1dc06233f42f

Analysis

max time kernel
57s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-03-2023 10:25

Target

6c53b530f6eb1312895a0818ca0bac5e28acffc04521284bf4d1168902fa3395.exe
Size

1.0MB
MD5

21f7fd1bf4759b63e04892f4ecbdf0e4
SHA1

b49914222bd11ca626dd247f350b549d7d78692a
SHA256

6c53b530f6eb1312895a0818ca0bac5e28acffc04521284bf4d1168902fa3395
SHA512

896be3dcda05f92108369355b9733af108377cf765febfcb106641d4a4ac81b95e6cd2af1beb8548bde2fac8d2baa9e65a97967a01238b1124fa0a8ee0ce59e9
SSDEEP

12288:eDX3gBVmNUfqBe4EAsUVxFSsWN2HWFYHg6vpV8aSvkCRbuWlTXQPZIHF/EFH:c+YNUfqBpEAsU4sW28YAwt4SBPZn

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1744	6c53b530f6eb1312895a0818ca0bac5e28acffc04521284bf4d1168902fa3395.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	6c53b530f6eb1312895a0818ca0bac5e28acffc04521284bf4d1168902fa3395.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1744-54-0x00000000000A0000-0x00000000001AA000-memory.dmp

Filesize
1.0MB

Download
memory/1744-55-0x0000000004300000-0x0000000004340000-memory.dmp

Filesize
256KB

Download
memory/1744-56-0x0000000000A60000-0x0000000000A76000-memory.dmp

Filesize
88KB

Download
memory/1744-57-0x0000000004300000-0x0000000004340000-memory.dmp

Filesize
256KB

Download
memory/1744-58-0x0000000001FC0000-0x0000000001FCC000-memory.dmp

Filesize
48KB

Download
memory/1744-59-0x0000000007E30000-0x0000000007EDA000-memory.dmp

Filesize
680KB

Download