a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2

General

Target

a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
Size

873KB
MD5

fc1fb033d57f72089fb4762245a8b18d
SHA1

7ec0f7ca5f0e0d20e5372bf69865d0a809e6cc8e
SHA256

a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2
SHA512

cff3833e592a5fe1f1fcb656c42e77fdd177c902f84cf396365cfa04edc9ec046de3473a943779d3815bc36bf48182101703b20b08ae580c2b3ba20508d231d0
SSDEEP

24576:g2DW/xbWX2YIb3Qsu3/PNL3Q7HybtTpAA+c:g2EaXSQsW/PNjQLY9ARc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exea6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exea6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe

pid	process
3528	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
3528	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
3212	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
3212	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
3212	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
3212	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
1280	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
1280	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
1280	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
1280	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exea6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe

pid	process
3528	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
432	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exea6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe

description	pid	process
Token: SeDebugPrivilege	3212	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
Token: SeAssignPrimaryTokenPrivilege	3212	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
Token: SeIncreaseQuotaPrivilege	3212	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
Token: 0	3212	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
Token: SeDebugPrivilege	1280	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
Token: SeAssignPrimaryTokenPrivilege	1280	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
Token: SeIncreaseQuotaPrivilege	1280	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe

description	pid	process	target process
PID 3528 wrote to memory of 3212	3528	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
PID 3528 wrote to memory of 3212	3528	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe	a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe

C:\Users\Admin\AppData\Local\Temp\a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
"C:\Users\Admin\AppData\Local\Temp\a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3528

C:\Users\Admin\AppData\Local\Temp\a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
"C:\Users\Admin\AppData\Local\Temp\a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe" /P:131676
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Users\Admin\AppData\Local\Temp\a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
"C:\Users\Admin\AppData\Local\Temp\a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe" /P:131676
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Users\Admin\AppData\Local\Temp\a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe
"C:\Users\Admin\AppData\Local\Temp\a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.exe" /TI/ /P:131676
4⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3c5k2w8l.tmp

Filesize
28KB

MD5
9e7bb9c31083cc3a0f561d12311c9d83

SHA1
9102b88339566d5f0490c25180632043c8bb1809

SHA256
2658178fd2cb498195032c531bf3bb037954e0614aaec4c4ac2637f08d949bc1

SHA512
1fb30279a1f951a98f609eb749deb6c77082c28a30e1fdd4f3224ddac8ddfad134e8f3c44f82c32501da8a93a978e6cf8dfe591039a0e6af0d4d2a1dc5445699

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2.ini

Filesize
3KB

MD5
6dd6d8ec5f4afea22c945badceb2771f

SHA1
1e6cb164ed2343423b1faaf6dd12c7de4d5f5697

SHA256
9b6c573622009185ca15dfdeea374db48570d41645d761d30c539b206b8e19f5

SHA512
86da4797046acff3aacd380a40370f17871edc5aa3e322f155a66be633557810ca182df3b6d34b72660f8b8e9b643744508a970b154eefaddd798c7fa11cb3a9

Download Submit
C:\Windows\Temp\2eih4b3l.tmp

Filesize
28KB

MD5
1524a28cbc30e70c60bc6cf977f82229

SHA1
664f15cea146b654ec4a60c76071ff83c4dfa651

SHA256
8561191653adc4ee6cb03a5c1953bd993782689600adebcd8776754147668f9b

SHA512
7fbee3bc38aca8ef368c1ff07eb1f4fb3f178628f8b41430eb1006c63bd908f26a1d85a19f2d661b02d3842505c9c762c8056fb2f1619b92a3a6d1085f0b9c50

Download Submit
C:\Windows\Temp\aut38A4.tmp

Filesize
11KB

MD5
4a83df1d945c2f5801ed59650d7460eb

SHA1
31827890e1df99268c0f80dcb26774225e4c3a5d

SHA256
2d993be76dfcf35f89b656b4dbc553e078d824974b482e56c6f76eaea87731c8

SHA512
eacb88683e3c999a1cdc9d9e4a4030723164e358d7cd85f7cfc02b99f33be991c89af5602349b48b5388520968a43a2a45b4b6d2f468f2b888088cf95bd591d2

Download Submit
C:\Windows\Temp\aut38A5.tmp

Filesize
10KB

MD5
09ca17eb552722bd7004097f59b07518

SHA1
36cf9da188460542e58acb97fa0ef0bfd9a4e172

SHA256
365c32c3c09228158ab5aaabfcf93cdfcd858be0b2a00031d82ab03070f61a5b

SHA512
3dc6ed86df50f87b12635032fb30840e94bea699ac193a16099a2ce1a9bd5e39147f115fb938c177991dc0dcfd5abab075632a1d0b46e6009a86eea3a27156bf

Download Submit
C:\Windows\Temp\aut38A6.tmp

Filesize
5KB

MD5
96c0e61f3298cb745b021f67e7dd0d48

SHA1
a61adbe460c68a3087ff1ba75620dbb86af28e40

SHA256
3e56c22a81ab1168036a289c7ffe2889dd678c422568dff9ef91d6a0f9005333

SHA512
dbbfdd4ad2c80ff9df0b21dfd011420baba54a7114d0e0ff5371dda9c9389d90422a4311881ac2bdb5ba7c4334d210b61c6c0fc691ae503e32930109d9251f3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads