Analysis
max time kernel: 151s
max time network: 84s
platform: windows7_x64
resource: win7
submitted: 22-09-2020 17:31

Static task: static1
Behavioral task: behavioral1, sample pewpew_p.bin.exe, resource win7
Behavioral task: behavioral2, sample pewpew_p.bin.exe, resource win10v200722

The signatures, process tree and memory dumps below are from the windows7_x64 (win7) run.
General
Target: pewpew_p.bin.exe
Size: 1.0MB
MD5: 202bf9be9a4e45526e482f08104717ad
SHA1: 1e5bbfb9167150935c6eb25bbbebbe5c77a97aa2
SHA256: 7282df1360af4c028930ffd9fbc30ea9d17f08f14b725f8020677dd9df961c55
SHA512: 89db20536030f28af5997d4b93e90ead0ccd7299d6777d422159a0a41b658274743a390fed1a9f942b668f4f04afd1119e7b4a41356b10ea37393c8b5e05f5ea
Malware Config
Extracted from: C:\info-decrypt.txt
Contact addresses in the ransom note:
pewpew@TuTa.io
pewpew@Protonmail.Com
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery. In this run the deletion is issued twice through cmd.exe, once from C:\Windows\SysWOW64\cmd.exe as "vssadmin.exe delete shadows /all /quiet" and once from C:\Windows\system32\cmd.exe as "vssadmin Delete Shadows /All /Quiet" (see the process tree below). Detection rules should match the command line case-insensitively and accept both the bare and the ".exe" spelling of vssadmin.

Modifies Windows Firewall (1 TTP)
Both netsh.exe children run "Advfirewall set allprofiles state off", which turns the firewall off for the domain, private and public profiles in one command.

Drops startup file (2 IoCs)
Process: pewpew_p.bin.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info-decrypt.hta
Placing the HTA ransom note in the Startup folder makes it reopen at every logon of this user.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. In this sample the signature most likely reflects the encryptor walking the Internet Explorer profile directories (note the desktop.ini drops under Temporary Internet Files, Feeds Cache and History below) rather than dedicated credential theft; the only network flow the report records is the ip-api.com lookup.
Drops desktop.ini file(s) (87 IoCs; 64 shown)
Process: pewpew_p.bin.exe. Every entry is "File created".
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TGVUK4BG\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V8SX06NR\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Program Files\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AJM03J3Y\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GVV7BJHB\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZMLBLRQ7\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OLSU73OI\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RBDIK06K\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 7: ip-api.com
Modifies service (2 TTPs, 15 IoCs)
Registry keys created, by process:
netsh.exe (each key is listed twice in the report, once per netsh.exe instance):
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas
vssvc.exe:
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
None of these keys is written by the sample itself: the NapAgent keys are created by netsh's Network Access Protection helper when netsh starts, and the VSS\Diag keys are the shadow-copy service registering its writers. The firewall change that matters is the netsh command line in the process tree, not these keys.
Suspicious use of NtSetInformationThreadHideFromDebugger (15 IoCs)
pewpew_p.bin.exe (PID 240) made the call 15 times. Setting ThreadHideFromDebugger on a thread stops an attached debugger from receiving that thread's debug events, a common anti-analysis measure; expect it to interfere with stepping through the encryptor under a debugger.
Drops file in Program Files directory (2049 IoCs; 64 shown)
Process: pewpew_p.bin.exe
The touched set includes application binaries (chrome.dll, Wkconv.exe, MUOPTIN.DLL, goopdateres_*.dll) as well as documents and media, so the encryptor does not exclude program directories, and a copy of the info-decrypt.hta ransom note is created in each directory it enters.
created: C:\Program Files (x86)\Google\Chrome\Application\83.0.4103.106\default_apps\info-decrypt.hta
created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll
opened for modification: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML
opened for modification: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MUOPTIN.DLL
opened for modification: C:\Program Files\Common Files\Microsoft Shared\THEMES14\RICEPAPR\THMBNAIL.PNG
opened for modification: C:\Program Files\OutExport.potx
created: C:\Program Files (x86)\Common Files\microsoft shared\ink\skchobj.dll
opened for modification: C:\Program Files (x86)\Google\Chrome\Application\83.0.4103.106\chrome.dll
created: C:\Program Files\Common Files\System\Ole DB\oledb32r.dll
created: C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png
opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
created: C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\info-decrypt.hta
opened for modification: C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_ca.dll
opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\VVIEWDWG.DLL
created: C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png
opened for modification: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACERCLR.DLL
opened for modification: C:\Program Files (x86)\Google\Update\1.3.35.452\psmachine.dll
created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\info-decrypt.hta
created: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png
created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll
opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip
created: C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png
created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini
opened for modification: C:\Program Files\Common Files\Microsoft Shared\EQUATION\eqnedt32.exe.manifest
created: C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\info-decrypt.hta
opened for modification: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\PowerPointMUI.XML
created: C:\Program Files\Common Files\System\Ole DB\msdaosp.dll
opened for modification: C:\Program Files\ConvertFromRestore.docx
opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d
created: C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\info-decrypt.hta
created: C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png
created: C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\micaut.dll.mui
created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll
created: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\info-decrypt.hta
created: C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg
opened for modification: C:\Program Files (x86)\Google\Chrome\Application\83.0.4103.106\Locales\fi.pak
created: C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll
created: C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png
created: C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui
opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\rt3d.dll
created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\info-decrypt.hta
created: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp
created: C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png
created: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv
created: C:\Program Files (x86)\Common Files\System\msadc\en-US\info-decrypt.hta
opened for modification: C:\Program Files\PushRemove.crw
created: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml
opened for modification: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL
opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll
created: C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm
created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll
created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\info-decrypt.hta
created: C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\info-decrypt.hta
created: C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf
opened for modification: C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_lt.dll
opened for modification: C:\Program Files\Common Files\Microsoft Shared\THEMES14\REFINED\PREVIEW.GIF
created: C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png
created: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths
created: C:\Program Files\DVD Maker\Shared\DvdStyles\Full\info-decrypt.hta
opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip
created: C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png
opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\BCSLaunch.dll
created: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf
created: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca
Drops file in Windows directory (1 IoC)
Process: pewpew_p.bin.exe
File created: C:\Windows\info-decrypt.txt
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
vssadmin.exe PID 876 and vssadmin.exe PID 1508, the two deletions shown in the process tree below.
Suspicious use of AdjustPrivilegeToken (4 IoCs)
pewpew_p.bin.exe (PID 240): SeDebugPrivilege
vssvc.exe (PID 804): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
The three vssvc.exe privileges are the ones the Volume Shadow Copy service enables whenever it services a request; the SeDebugPrivilege adjustment by the sample itself is the indicator of interest.
Suspicious use of SetWindowsHookEx (1 IoC)
pewpew_p.bin.exe (PID 240)
Suspicious use of WriteProcessMemory (23 IoCs)
Grouped by writer and target (count of events in parentheses):
PID 240 pewpew_p.bin.exe -> PID 1148 cmd.exe (4)
PID 240 pewpew_p.bin.exe -> PID 2044 cmd.exe (4)
PID 1148 cmd.exe -> PID 876 vssadmin.exe (4)
PID 2044 cmd.exe -> PID 1508 vssadmin.exe (3)
PID 240 pewpew_p.bin.exe -> PID 1792 netsh.exe (4)
PID 240 pewpew_p.bin.exe -> PID 1664 netsh.exe (4)
Every pair matches a parent/child edge in the process tree, so these are the writes a parent makes into a child it has just created during process start-up, not injection into an unrelated process.
Processes
PIDs are taken from the WriteProcessMemory, shadow-copy and AdjustPrivilegeToken signatures above; the two cmd.exe/vssadmin.exe pairs are matched to their command lines in the order the report lists them.

C:\Users\Admin\AppData\Local\Temp\pewpew_p.bin.exe (PID 240)
  "C:\Users\Admin\AppData\Local\Temp\pewpew_p.bin.exe"
  - Drops startup file
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1148)
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\vssadmin.exe (PID 876)
          vssadmin.exe delete shadows /all /quiet
          - Interacts with shadow copies

    C:\Windows\system32\cmd.exe (PID 2044)
      "cmd" /C vssadmin Delete Shadows /All /Quiet
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\vssadmin.exe (PID 1508)
          vssadmin Delete Shadows /All /Quiet
          - Interacts with shadow copies

    C:\Windows\system32\netsh.exe (PID 1792)
      "netsh.exe" Advfirewall set allprofiles state off
      - Modifies service

    C:\Windows\system32\netsh.exe (PID 1664)
      "netsh.exe" Advfirewall set allprofiles state off
      - Modifies service

C:\Windows\system32\vssvc.exe (PID 804)
  C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  (The Volume Shadow Copy service, started on demand to handle the vssadmin requests; it is a top-level process, not a child of the sample.)
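The behaviour in the Signatures section and the process tree above (shadow-copy deletion through cmd.exe, firewall disablement through netsh.exe, and the ransom-note and Startup-folder drops) is what a detection engineer would alert on. The following Python is an added example written for this page; it is not part of the sandbox report and not code from the sample. It runs four rules over constructed Sysmon-style process-create and file-create events whose PIDs, images and command lines mirror the process tree (the sample's parent PID 1000 and the benign "vssadmin list shadows" event are invented), then walks parent links so that hits on cmd.exe, vssadmin.exe and netsh.exe are attributed back to the process that spawned them. The wmic shadowcopy delete alternative in the first rule is a common equivalent that this report does not show.

```python
"""Detection logic for the behaviour in this report, run over constructed
Sysmon-style events.  Added example for this page; it is not part of the
sandbox report and not code from the sample."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed events (Sysmon Event ID 1 = process create, 11 = file create).
# PIDs, images and command lines mirror the report's process tree; the parent
# PID 1000 of the sample and the 'vssadmin list shadows' event are invented,
# the latter as benign noise the rules must not flag.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\pewpew_p.bin.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    {"id": 1, "pid": 240, "ppid": 1000, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"id": 1, "pid": 1148, "ppid": 240, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"cmd.exe" /c vssadmin.exe delete shadows /all /quiet'},
    {"id": 1, "pid": 876, "ppid": 1148, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmd": r"vssadmin.exe delete shadows /all /quiet"},
    {"id": 1, "pid": 2044, "ppid": 240, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'"cmd" /C vssadmin Delete Shadows /All /Quiet'},
    {"id": 1, "pid": 1508, "ppid": 2044, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": r"vssadmin Delete Shadows /All /Quiet"},
    {"id": 1, "pid": 1792, "ppid": 240, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": r'"netsh.exe" Advfirewall set allprofiles state off'},
    {"id": 1, "pid": 1664, "ppid": 240, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": r'"netsh.exe" Advfirewall set allprofiles state off'},
    {"id": 11, "pid": 240, "target": STARTUP + r"\info-decrypt.hta"},
    {"id": 11, "pid": 240, "target": STARTUP + r"\desktop.ini"},
    {"id": 11, "pid": 240, "target": r"C:\Windows\info-decrypt.txt"},
    {"id": 1, "pid": 3000, "ppid": 2999, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": r"vssadmin list shadows"},
]

# Case-insensitive on purpose: the sample issues both 'vssadmin.exe delete
# shadows /all /quiet' and 'vssadmin Delete Shadows /All /Quiet'.  The wmic
# form is a common equivalent that the report itself does not show.
SHADOW_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE)
FIREWALL_OFF = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\badvfirewall\s+set\s+\w+\s+state\s+off\b", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"\\info-decrypt\.(?:txt|hta)$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    rule: str
    pid: int
    detail: str


def _norm(text):
    """Collapse runs of whitespace so the regexes only ever see single spaces."""
    return " ".join(text.split())


def classify(ev):
    """Yield (rule, detail) for every rule a single event triggers."""
    if ev["id"] == 1:
        cmd = _norm(ev["cmd"])
        if SHADOW_DELETE.search(cmd):
            yield "shadow_copy_deletion", cmd
        if FIREWALL_OFF.search(cmd):
            yield "firewall_disabled", cmd
    elif ev["id"] == 11:
        if STARTUP_DIR.search(ev["target"]):
            yield "startup_persistence", ev["target"]
        if RANSOM_NOTE.search(ev["target"]):
            yield "ransom_note_drop", ev["target"]


def detect(events):
    """Run every rule over every event; one Hit per (event, rule) pair."""
    return [Hit(rule, ev["pid"], detail) for ev in events for rule, detail in classify(ev)]


def root_process(events, pid):
    """Follow parent links up to the oldest process we hold a create event for."""
    parents = {ev["pid"]: ev["ppid"] for ev in events if ev["id"] == 1}
    images = {ev["pid"]: ev["image"] for ev in events if ev["id"] == 1}
    seen = set()
    while pid in parents and parents[pid] in images and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid, images.get(pid)


def attribute(events):
    """Group triggered rules by originating process, so the cmd.exe -> vssadmin.exe
    and netsh.exe children all land on the sample that spawned them."""
    grouped = defaultdict(set)
    for hit in detect(events):
        grouped[root_process(events, hit.pid)].add(hit.rule)
    return {key: sorted(rules) for key, rules in grouped.items()}


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(f"{hit.rule:22} pid={hit.pid:<5} {hit.detail}")
    for (pid, image), rules in attribute(EVENTS).items():
        print(f"\nroot pid={pid} {image}\n  " + ", ".join(rules))
```

Run it directly to print each hit and the per-root summary. The two parts worth carrying into a real rule set are the whitespace-normalised, case-insensitive command-line matching (the sample itself varies the casing between its two invocations, and a rule keyed on the exact SysWOW64 form would miss the system32 one) and the parent-chain attribution, which folds six separate child-process alerts into one finding against PID 240.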
Network
Flow 7 to ip-api.com (see "Looks up external IP address via web service" under Signatures).

MITRE ATT&CK Matrix: ATT&CK v6
Downloads (memory dumps)
memory/240-0-0x0000000002890000-0x00000000028A1000-memory.dmp  68KB
memory/240-1-0x0000000002AF0000-0x0000000002B01000-memory.dmp  68KB
memory/240-2-0x0000000073DF0000-0x00000000744DE000-memory.dmp  6.9MB
memory/240-3-0x0000000000A80000-0x0000000000A81000-memory.dmp  4KB
memory/876-7-0x0000000000000000-mapping.dmp
memory/1148-5-0x0000000000000000-mapping.dmp
memory/1508-8-0x0000000000000000-mapping.dmp
memory/1664-10-0x0000000000000000-mapping.dmp
memory/1792-9-0x0000000000000000-mapping.dmp
memory/2044-6-0x0000000000000000-mapping.dmp