Analysis
- max time kernel: 151s
- max time network: 141s
- platform: windows7_x64
- resource: win7v200430
- submitted: 07-05-2020 11:11
- Static task: static1
- Behavioral task: behavioral1 (Sample: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe, Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe, Resource: win10v200430)
General
- Target: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
- Size: 835KB
- MD5: 2cc70c4beed0ba6db11c63bf435c6bf2
- SHA1: 18348a70148e1424ba4c30298b05f3f8820313cd
- SHA256: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8
- SHA512: a455468af2b3b4793f959a31826337a89ede5117e17a7d622b1fcc12bdacd503a371742ed47e9cc89ba1e4b7819b18db75aadca6993f9bcb3515cec1964c04fd
Malware Config
Extracted
- Ransom note path: C:\_readme.txt
- Contact emails: helpmanager@mail.ch, restoremanager@firemail.cc
- URL: https://we.tl/t-xcn1Dtzak4
Signatures
-
Executes dropped EXE (5 IoCs)
Processes (pid, process):
  1836  updatewin1.exe
  1260  updatewin2.exe
  308   updatewin1.exe
  1580  5.exe
  1468  8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
-
Checks for installed software on the system (1 TTPs, 29 IoCs)
Processes: 5.exe (registry keys opened, enumerated and queried under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall)
-
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
  21  ip-api.com
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes (pid, process):
  1304  8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
  1672  8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
  820   powershell.exe
  820   powershell.exe
  1580  5.exe
  1580  5.exe
  1580  5.exe
  820   powershell.exe
  1064  powershell.exe
  1064  powershell.exe
  1580  5.exe
  1596  powershell.exe
  1468  8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
  1468  8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
  1672  8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
-
Loads dropped DLL (16 IoCs)
Processes (pid, process):
  1672  8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
  1836  updatewin1.exe
  1836  updatewin1.exe
  1836  updatewin1.exe
  1836  updatewin1.exe
  1672  8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
  1836  updatewin1.exe
  308   updatewin1.exe
  308   updatewin1.exe
  308   updatewin1.exe
  1672  8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
  1672  8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
  1580  5.exe
  1580  5.exe
  1580  5.exe
  1580  5.exe
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (5.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (5.exe)
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory (1 IoCs)
Processes (description, ioc, process):
  - File opened for modification: C:\Windows\System32\drivers\etc\hosts (updatewin2.exe)
-
Opens file in notepad (likely ransom note) (1 IoCs)
Processes (pid, process):
  964  NOTEPAD.EXE
-
Suspicious use of WriteProcessMemory (80 IoCs)
Processes: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe, updatewin1.exe, powershell.exe
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
-
Adds Run entry to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\64f06f71-f1ea-4bc2-9e1c-73eea48b1772\\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe\" --AutoStart" (8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe)
-
Office loads VBA resources, possible macro or embedded object present
-
Makes http(s) request (19 IoCs)
Contacts server via http/https, possibly for C2 communication.
Processes (description, flow, ioc):
  - HTTP URL, flow 20: http://chumashpeople.com/freebl3.dll
  - HTTP URL, flow 20: http://chumashpeople.com/mozglue.dll
  - HTTP URL, flow 20: http://chumashpeople.com/softokn3.dll
  - HTTP URL, flow 20: http://chumashpeople.com/
  - HTTP URL, flow 30: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  - HTTP URL, flow 6: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  - HTTP URL, flow 12: http://akbz.top/ydtftysdtyftysdfsdpen3/get.php?pid=ADD92632311B7FBC9E7C4B15A8803926&first=true
  - HTTP URL, flow 14: http://akbz.top/files/penelop/updatewin.exe
  - HTTP URL, flow 20: http://chumashpeople.com/msvcp140.dll
  - HTTP URL, flow 20: http://chumashpeople.com/vcruntime140.dll
  - HTTP URL, flow 9: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  - HTTP URL, flow 11: http://akbz.top/files/penelop/updatewin1.exe
  - HTTP URL, flow 13: http://akbz.top/files/penelop/updatewin2.exe
  - HTTP URL, flow 15: http://akbz.top/files/penelop/3.exe
  - HTTP URL, flow 16: http://akbz.top/files/penelop/4.exe
  - HTTP URL, flow 17: http://akbz.top/files/penelop/5.exe
  - HTTP URL, flow 20: http://chumashpeople.com/517
  - HTTP URL, flow 20: http://chumashpeople.com/nss3.dll
  - HTTP URL, flow 22: http://ip-api.com/line/
-
Modifies file permissions (1 TTPs, 1 IoCs)
-
Modifies registry class (11 IoCs)
Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_Classes\Local Settings (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\ (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\.sqpc (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell\edit\command (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell\edit\command\ = "\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell\edit\ = "&Edit" (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\.sqpc\ = "sqpc_auto_file" (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell\edit (rundll32.exe)
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description, pid, process):
  - Token: SeDebugPrivilege  820   powershell.exe
  - Token: SeDebugPrivilege  1064  powershell.exe
  - Token: SeDebugPrivilege  1596  powershell.exe
  - Token: SeDebugPrivilege  1532  taskkill.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
  1920  WINWORD.EXE
  1920  WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid, process):
  1920  WINWORD.EXE
-
Kills process with taskkill (1 IoCs)
Processes (pid, process):
  1532  taskkill.exe
Processes (process tree; the number in brackets is the depth in the tree)
- [1] C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Adds Run entry to start application
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    - Modifies file permissions
  - [2] C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe" --Admin IsNotAutoStart IsNotTask
    - Suspicious behavior: EnumeratesProcesses
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe
      Command line: "C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe
        Command line: "C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe" --Admin
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Program Files\Windows Defender\mpcmdrun.exe
          Command line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        - [5] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
    - [3] C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin2.exe
      Command line: "C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin2.exe"
      - Executes dropped EXE
      - Drops file in Drivers directory
    - [3] C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe
      Command line: "C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe"
      - Executes dropped EXE
      - Checks for installed software on the system
      - Suspicious behavior: EnumeratesProcesses
      - Loads dropped DLL
      - Checks processor information in registry
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe & exit
        - [5] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im 5.exe /f
          - Suspicious use of AdjustPrivilegeToken
          - Kills process with taskkill
- [1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {65C496CB-191E-440E-97FC-7685B6CEC89D} S-1-5-21-910373003-3952921535-3480519689-1000:DJRWGDLZ\Admin:Interactive:[1]
  - [2] C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
    Command line: C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe --Task
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
- [1] C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- [1] C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\vcredist2010_x64.log.html.sqpc
  - Modifies registry class
  - [2] C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\vcredist2010_x64.log.html.sqpc"
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: AddClipboardFormatListener
- [1] C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
  - Opens file in notepad (likely ransom note)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe
- C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe
- C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin2.exe
- C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e331f9c7-6ec8-40f5-b318-7a4a05eb497d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
- C:\Users\Admin\AppData\Local\Temp\delself.bat
- C:\Users\Admin\AppData\Local\script.ps1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
- C:\_readme.txt
- C:\vcredist2010_x64.log.html.sqpc
- \ProgramData\mozglue.dll
- \ProgramData\msvcp140.dll
- \ProgramData\nss3.dll
- \ProgramData\vcruntime140.dll
- \Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe
- \Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe
- \Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin2.exe