Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
6ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
9ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10Resubmissions
03-07-2024 22:59
240703-2yn7wszhlp 1003-07-2024 16:13
240703-tn93lsyglf 1003-07-2024 16:11
240703-tm84xsyfma 1010-05-2024 16:25
240510-tw1h5shh47 1024-08-2023 11:16
230824-nda8msdf8z 10Analysis
-
max time kernel
1114s -
max time network
1124s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
22-11-2020 06:42
Static task
static1
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
Behavioral task
behavioral24
Sample
Endermanch@NavaShield(1).exe
Resource
win10v20201028
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
Errors
General
-
Target
-
Size
378KB
-
MD5
c718a1cbf0e13674714c66694be02421
-
SHA1
001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
-
SHA256
cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
-
SHA512
ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
-
Clears Windows event logs 1 TTPs
-
Executes dropped EXE 10 IoCs
Processes:
J85I76F5H12Y1PL1S45.exeS10V01V3L11M6OD8P42.exeG88W21X8G47E0AB2I54.exeO52O64X6S58T8BO3W18.exeW26F16X3E60I7BB4L52.exeS68Y70Z6L16Q1OL7S28.exeN13X65W6F66Z2TD3W45.exeV12P68I3Q77O8EK3N44.exeG84X40G7I50D8LB8S68.exeAC54.tmppid Process 3904 J85I76F5H12Y1PL1S45.exe 2160 S10V01V3L11M6OD8P42.exe 560 G88W21X8G47E0AB2I54.exe 644 O52O64X6S58T8BO3W18.exe 396 W26F16X3E60I7BB4L52.exe 1252 S68Y70Z6L16Q1OL7S28.exe 1376 N13X65W6F66Z2TD3W45.exe 2888 V12P68I3Q77O8EK3N44.exe 2004 G84X40G7I50D8LB8S68.exe 196 AC54.tmp -
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
Processes:
LogonUI.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe -
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
rundll32.exedescription ioc Process File opened for modification C:\Users\Admin\Pictures\EnterApprove.tiff rundll32.exe -
Processes:
V12P68I3Q77O8EK3N44.exeG84X40G7I50D8LB8S68.exeG88W21X8G47E0AB2I54.exeW26F16X3E60I7BB4L52.exeN13X65W6F66Z2TD3W45.exeS68Y70Z6L16Q1OL7S28.exe[email protected]J85I76F5H12Y1PL1S45.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" V12P68I3Q77O8EK3N44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" G84X40G7I50D8LB8S68.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" G88W21X8G47E0AB2I54.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA W26F16X3E60I7BB4L52.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N13X65W6F66Z2TD3W45.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA S68Y70Z6L16Q1OL7S28.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" S68Y70Z6L16Q1OL7S28.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA G88W21X8G47E0AB2I54.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" W26F16X3E60I7BB4L52.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA V12P68I3Q77O8EK3N44.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" J85I76F5H12Y1PL1S45.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N13X65W6F66Z2TD3W45.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA G84X40G7I50D8LB8S68.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA J85I76F5H12Y1PL1S45.exe -
Drops file in Windows directory 4 IoCs
Processes:
rundll32.exedescription ioc Process File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe File opened for modification C:\Windows\AC54.tmp rundll32.exe File opened for modification C:\Windows\infpub.dat rundll32.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid Process 2436 schtasks.exe 1384 schtasks.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 181 IoCs
Processes:
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
[email protected]J85I76F5H12Y1PL1S45.exeN13X65W6F66Z2TD3W45.exeV12P68I3Q77O8EK3N44.exerundll32.exeAC54.tmpwevtutil.exewevtutil.exewevtutil.exewevtutil.exedescription pid Process Token: SeDebugPrivilege 4764 [email protected] Token: SeDebugPrivilege 3904 J85I76F5H12Y1PL1S45.exe Token: SeDebugPrivilege 1376 N13X65W6F66Z2TD3W45.exe Token: SeDebugPrivilege 2888 V12P68I3Q77O8EK3N44.exe Token: SeShutdownPrivilege 3644 rundll32.exe Token: SeDebugPrivilege 3644 rundll32.exe Token: SeTcbPrivilege 3644 rundll32.exe Token: SeDebugPrivilege 196 AC54.tmp Token: SeSecurityPrivilege 416 wevtutil.exe Token: SeBackupPrivilege 416 wevtutil.exe Token: SeSecurityPrivilege 1416 wevtutil.exe Token: SeBackupPrivilege 1416 wevtutil.exe Token: SeSecurityPrivilege 8 wevtutil.exe Token: SeBackupPrivilege 8 wevtutil.exe Token: SeSecurityPrivilege 1168 wevtutil.exe Token: SeBackupPrivilege 1168 wevtutil.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid Process 1272 LogonUI.exe -
Suspicious use of WriteProcessMemory 74 IoCs
Processes:
[email protected]N13X65W6F66Z2TD3W45.exeV12P68I3Q77O8EK3N44.exerundll32.exerundll32.execmd.execmd.execmd.execmd.exedescription pid Process procid_target PID 4764 wrote to memory of 3904 4764 [email protected] 77 PID 4764 wrote to memory of 3904 4764 [email protected] 77 PID 4764 wrote to memory of 3904 4764 [email protected] 77 PID 4764 wrote to memory of 2160 4764 [email protected] 78 PID 4764 wrote to memory of 2160 4764 [email protected] 78 PID 4764 wrote to memory of 2160 4764 [email protected] 78 PID 4764 wrote to memory of 560 4764 [email protected] 79 PID 4764 wrote to memory of 560 4764 [email protected] 79 PID 4764 wrote to memory of 560 4764 [email protected] 79 PID 4764 wrote to memory of 644 4764 [email protected] 80 PID 4764 wrote to memory of 644 4764 [email protected] 80 PID 4764 wrote to memory of 644 4764 [email protected] 80 PID 4764 wrote to memory of 396 4764 [email protected] 81 PID 4764 wrote to memory of 396 4764 [email protected] 81 PID 4764 wrote to memory of 396 4764 [email protected] 81 PID 4764 wrote to memory of 1252 4764 [email protected] 82 PID 4764 wrote to memory of 1252 4764 [email protected] 82 PID 4764 wrote to memory of 1252 4764 [email protected] 82 PID 4764 wrote to memory of 1376 4764 [email protected] 83 PID 4764 wrote to memory of 1376 4764 [email protected] 83 PID 4764 wrote to memory of 1376 4764 [email protected] 83 PID 1376 wrote to memory of 2888 1376 N13X65W6F66Z2TD3W45.exe 86 PID 1376 wrote to memory of 2888 1376 N13X65W6F66Z2TD3W45.exe 86 PID 1376 wrote to memory of 2888 1376 N13X65W6F66Z2TD3W45.exe 86 PID 2888 wrote to memory of 2004 2888 V12P68I3Q77O8EK3N44.exe 87 PID 2888 wrote to memory of 2004 2888 V12P68I3Q77O8EK3N44.exe 87 PID 2888 wrote to memory of 2004 2888 V12P68I3Q77O8EK3N44.exe 87 PID 4560 wrote to memory of 3644 4560 rundll32.exe 89 PID 4560 wrote to memory of 3644 4560 rundll32.exe 89 PID 4560 wrote to memory of 3644 4560 rundll32.exe 89 PID 3644 wrote to memory of 4632 3644 rundll32.exe 90 PID 3644 wrote to memory of 4632 3644 rundll32.exe 90 PID 3644 wrote to memory of 4632 3644 rundll32.exe 90 PID 4632 wrote to memory of 4724 4632 cmd.exe 92 PID 4632 wrote to memory of 4724 4632 cmd.exe 92 PID 4632 wrote to memory of 4724 4632 cmd.exe 92 PID 3644 wrote to memory of 2844 3644 rundll32.exe 93 PID 3644 wrote to memory of 2844 3644 rundll32.exe 93 PID 3644 wrote to memory of 2844 3644 rundll32.exe 93 PID 3644 wrote to memory of 4292 3644 rundll32.exe 95 PID 3644 wrote to memory of 4292 3644 rundll32.exe 95 PID 3644 wrote to memory of 4292 3644 rundll32.exe 95 PID 3644 wrote to memory of 196 3644 rundll32.exe 96 PID 3644 wrote to memory of 196 3644 rundll32.exe 96 PID 4292 wrote to memory of 2436 4292 cmd.exe 99 PID 4292 wrote to memory of 2436 4292 cmd.exe 99 PID 4292 wrote to memory of 2436 4292 cmd.exe 99 PID 2844 wrote to memory of 1384 2844 cmd.exe 100 PID 2844 wrote to memory of 1384 2844 cmd.exe 100 PID 2844 wrote to memory of 1384 2844 cmd.exe 100 PID 3644 wrote to memory of 492 3644 rundll32.exe 102 PID 3644 wrote to memory of 492 3644 rundll32.exe 102 PID 3644 wrote to memory of 492 3644 rundll32.exe 102 PID 492 wrote to memory of 416 492 cmd.exe 104 PID 492 wrote to memory of 416 492 cmd.exe 104 PID 492 wrote to memory of 416 492 cmd.exe 104 PID 492 wrote to memory of 1416 492 cmd.exe 105 PID 492 wrote to memory of 1416 492 cmd.exe 105 PID 492 wrote to memory of 1416 492 cmd.exe 105 PID 492 wrote to memory of 8 492 cmd.exe 106 PID 492 wrote to memory of 8 492 cmd.exe 106 PID 492 wrote to memory of 8 492 cmd.exe 106 PID 492 wrote to memory of 1168 492 cmd.exe 107 PID 492 wrote to memory of 1168 492 cmd.exe 107 PID 492 wrote to memory of 1168 492 cmd.exe 107 PID 492 wrote to memory of 2332 492 cmd.exe 108 PID 492 wrote to memory of 2332 492 cmd.exe 108 PID 492 wrote to memory of 2332 492 cmd.exe 108 PID 3644 wrote to memory of 2440 3644 rundll32.exe 109 PID 3644 wrote to memory of 2440 3644 rundll32.exe 109 PID 3644 wrote to memory of 2440 3644 rundll32.exe 109 PID 2440 wrote to memory of 1844 2440 cmd.exe 112 PID 2440 wrote to memory of 1844 2440 cmd.exe 112 PID 2440 wrote to memory of 1844 2440 cmd.exe 112 -
System policy modification 1 TTPs 8 IoCs
Processes:
N13X65W6F66Z2TD3W45.exeS68Y70Z6L16Q1OL7S28.exeV12P68I3Q77O8EK3N44.exeG84X40G7I50D8LB8S68.exe[email protected]J85I76F5H12Y1PL1S45.exeG88W21X8G47E0AB2I54.exeW26F16X3E60I7BB4L52.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" N13X65W6F66Z2TD3W45.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" S68Y70Z6L16Q1OL7S28.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" V12P68I3Q77O8EK3N44.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" G84X40G7I50D8LB8S68.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" J85I76F5H12Y1PL1S45.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" G88W21X8G47E0AB2I54.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" W26F16X3E60I7BB4L52.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\318897691\J85I76F5H12Y1PL1S45.exe"C:\Users\Admin\AppData\Local\Temp\318897691\J85I76F5H12Y1PL1S45.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3904
-
-
C:\Users\Admin\AppData\Local\Temp\acrocef_low\S10V01V3L11M6OD8P42.exe"C:\Users\Admin\AppData\Local\Temp\acrocef_low\S10V01V3L11M6OD8P42.exe"2⤵
- Executes dropped EXE
PID:2160
-
-
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\G88W21X8G47E0AB2I54.exe"C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\G88W21X8G47E0AB2I54.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:560
-
-
C:\Users\Admin\AppData\Local\Temp\Low\O52O64X6S58T8BO3W18.exe"C:\Users\Admin\AppData\Local\Temp\Low\O52O64X6S58T8BO3W18.exe"2⤵
- Executes dropped EXE
PID:644
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\W26F16X3E60I7BB4L52.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\W26F16X3E60I7BB4L52.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:396
-
-
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\S68Y70Z6L16Q1OL7S28.exe"C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\S68Y70Z6L16Q1OL7S28.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:1252
-
-
C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\N13X65W6F66Z2TD3W45.exe"C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\N13X65W6F66Z2TD3W45.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\전산 및 비전산자료 보존 요청서\V12P68I3Q77O8EK3N44.exe"C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\전산 및 비전산자료 보존 요청서\V12P68I3Q77O8EK3N44.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\전산 및 비전산자료 보존 요청서\전산 및 비전산자료 보존 요청서\G84X40G7I50D8LB8S68.exe"C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\전산 및 비전산자료 보존 요청서\전산 및 비전산자료 보존 요청서\G84X40G7I50D8LB8S68.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:2004
-
-
-
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 151⤵
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Modifies extensions of user files
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:4724
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 792295676 && exit"3⤵
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 792295676 && exit"4⤵
- Creates scheduled task(s)
PID:1384
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:003⤵
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:004⤵
- Creates scheduled task(s)
PID:2436
-
-
-
C:\Windows\AC54.tmp"C:\Windows\AC54.tmp" \\.\pipe\{24C8E6B6-8808-4076-8267-C1DBF29ABE4D}3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:196
-
-
C:\Windows\SysWOW64\cmd.exe/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:3⤵
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Windows\SysWOW64\wevtutil.exewevtutil cl Setup4⤵
- Suspicious use of AdjustPrivilegeToken
PID:416
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl System4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1416
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl Security4⤵
- Suspicious use of AdjustPrivilegeToken
PID:8
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl Application4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Windows\SysWOW64\fsutil.exefsutil usn deletejournal /D C:4⤵PID:2332
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN drogon3⤵PID:2440
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN drogon4⤵PID:1844
-
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ad2855 /state1:0x41c64e6d1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1272
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\W26F16X3E60I7BB4L52.exe
MD5c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\W26F16X3E60I7BB4L52.exe
MD5c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\전산 및 비전산자료 보존 요청서\전산 및 비전산자료 보존 요청서\G84X40G7I50D8LB8S68.exe
MD5c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\전산 및 비전산자료 보존 요청서\전산 및 비전산자료 보존 요청서\G84X40G7I50D8LB8S68.exe
MD5c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
c718a1cbf0e13674714c66694be02421
SHA1001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
SHA256cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
SHA512ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
-
MD5
347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
MD5
347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787