11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477

General

Target

11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe
Size

707KB
MD5

99e41abf752c282789b0159ceee0dc00
SHA1

8077d1d93fab469d38f7452245e49b9c7b0de4fc
SHA256

11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477
SHA512

a3b0e625ab96a040ec777d4f68182486bdc112e71dcb2582bb02de576beda687a2410d32abc7bd2b70447c98458573f58a145e02300178f83a1ccc0297480900
SSDEEP

12288:PSmPwRYnOELz89WJ+3XExp+LUX514Ua75hrLlOU72hQ14tdDWCbJi8nbWDfR2IH2:PSmP0Y74nExp+L6j4h7xOU72+1qdr0pT

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1040 set thread context of 2548	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2432	2548	WerFault.exe	34

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe
1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe
1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe
1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe
1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe
1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe
1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe
2668	powershell.exe
2808	powershell.exe
2548	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2808	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	28
PID 1040 wrote to memory of 2808	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	28
PID 1040 wrote to memory of 2808	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	28
PID 1040 wrote to memory of 2808	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	28
PID 1040 wrote to memory of 2668	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	30
PID 1040 wrote to memory of 2668	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	30
PID 1040 wrote to memory of 2668	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	30
PID 1040 wrote to memory of 2668	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	30
PID 1040 wrote to memory of 2816	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	32
PID 1040 wrote to memory of 2816	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	32
PID 1040 wrote to memory of 2816	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	32
PID 1040 wrote to memory of 2816	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	32
PID 1040 wrote to memory of 2548	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	34
PID 1040 wrote to memory of 2548	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	34
PID 1040 wrote to memory of 2548	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	34
PID 1040 wrote to memory of 2548	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	34
PID 1040 wrote to memory of 2548	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	34
PID 1040 wrote to memory of 2548	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	34
PID 1040 wrote to memory of 2548	1040	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	34
PID 2548 wrote to memory of 2432	2548	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	35
PID 2548 wrote to memory of 2432	2548	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	35
PID 2548 wrote to memory of 2432	2548	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	35
PID 2548 wrote to memory of 2432	2548	11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe	35

C:\Users\Admin\AppData\Local\Temp\11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe
"C:\Users\Admin\AppData\Local\Temp\11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EvIChUgZDOyFJ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EvIChUgZDOyFJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp83DF.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe
  "C:\Users\Admin\AppData\Local\Temp\11e6ab62f510d436211942941718cf7ae1efc83653b74f87722799b51eac4477.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 36
    3⤵
    - Program crash
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp83DF.tmp

Filesize
1KB

MD5
0334bcc7b3d2858010e96a0fcdfb5afe

SHA1
ad8385edffb5155cebe64739d863c95b3bc64a00

SHA256
7312ed60fc344f955c0a8cb94dd1038ec6c92e4753b644d295a5025212176a20

SHA512
9d37035f3f060667a9715aa8a92c4fdf6595ca37df3445ee64ac9883f7e3b0afb036ad559f9d6e6000a9bd212f086390b02a431b15ffb2127b434a83b7d0f90f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b0463f918575e26fe5564b2d8fc7b340

SHA1
13dc90eb2b101ef79f28589eb6aac166d472c527

SHA256
d70314ba32cc3b5b21e9a15cc327d5f35ef56b8db81448bbb8a56ec2c67dd4de

SHA512
32343b68a3f49ed448b3d4269ff4954982175a099bbe25a86d75513eb961b6c0108d8fdeaa53adbd866950e8ebf1d26cfc8d6dbfdd2db90e067d5c0e9ff58cdc

Download Submit
memory/1040-27-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1040-19-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/1040-4-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/1040-5-0x0000000005280000-0x0000000005308000-memory.dmp

Filesize
544KB

Download
memory/1040-6-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1040-2-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/1040-1-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1040-0-0x0000000001270000-0x0000000001328000-memory.dmp

Filesize
736KB

Download
memory/1040-3-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/2548-22-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2548-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2548-26-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2548-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2548-38-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/2548-33-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2668-35-0x0000000001DB0000-0x0000000001DF0000-memory.dmp

Filesize
256KB

Download
memory/2668-31-0x000000006EBA0000-0x000000006F14B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-30-0x0000000001DB0000-0x0000000001DF0000-memory.dmp

Filesize
256KB

Download
memory/2668-34-0x0000000001DB0000-0x0000000001DF0000-memory.dmp

Filesize
256KB

Download
memory/2668-28-0x000000006EBA0000-0x000000006F14B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-39-0x000000006EBA0000-0x000000006F14B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-32-0x000000006EBA0000-0x000000006F14B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-29-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/2808-36-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/2808-37-0x000000006EBA0000-0x000000006F14B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-40-0x000000006EBA0000-0x000000006F14B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads