9a02671ffb82ee83b8f9afd028af3090ecd494bd7d8d7a2e2cc75f0ac187c3b8

General

Target

Photo-064-2021.jpg.scr
Size

126KB
MD5

ea4cf6019062e5555d81bb5510d79b3d
SHA1

0d95aa8ade975b9f85c54cdbabd08906a01e51ee
SHA256

9a02671ffb82ee83b8f9afd028af3090ecd494bd7d8d7a2e2cc75f0ac187c3b8
SHA512

8f1eb4eb9dd561faf05094552bf6769bbfb614de1c7c96cc568e7f45b22fdcdf7d7d7b518041e1ab15b9781ba85dca69c19b9a75cc85bd4aeea3e0540d9f17c9

Score

10^/10

discovery persistence ransomware spyware

Malware Config

Extracted

Path

C:\WERE_MY _FILES.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ------------------------------------------------ create a ticket to any of these addresses yip.su/2QstD5 cutt.ly/0htT0he shorturl.at/GOY24 bit.ly/3399Ozf ------------------------------------------------ you can also attach a small cryptted file for a free test decrypt Additional communication method ------------------------------- 1. Download Tor browser - httpps://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://helpqvrg3cc5mvb3.onion/ -------------------------------- You ID ��61 DF A8 CA 30 39 6F A9 05 E6 3F 62 34 AC 9C 01 EA 5B C8 88 29 AF 45 D8 3A FC FC 9D BA B9 92 06 F7 A4 C1 4D F5 D2 33 05 E6 FD 6F C3 CF BB 95 85 41 1A 87 56 46 4F 99 8F F2 78 77 3D 8E 8C 2C D3 1B 0D 89 9F BE D7 18 80 19 C2 56 1F 38 54 08 71 52 67 49 E3 D2 43 CD F5 EB 4B E8 6B FC A6 F0 D5 D5 8A 90 C1 8A 27 14 F4 96 9D D6 62 24 B4 49 E1 6B 62 36 95 C3 17 0B 9B 00 44 96 49 A7 F7 C8 C0 93 83 0F 1B EB E6 6D 19 E5 F3 11 3C 25 71 BA 8A 0A C7 FE D9 90 11 2A 14 8E 5F 4C 6B 80 34 16 2B 70 2C 1F 1D 90 C2 1E 08 FC 2C 6C 19 CA 62 C8 A2 00 8B 66 04 0F 76 D2 CB 06 63 C7 D6 15 00 1A E2 5D D2 AB B0 97 E3 82 6A 65 3A 40 9D FD 71 F6 A7 04 2F 4C 42 C0 1C 76 BE EC 4B 5E F1 9E 48 62 FF 95 7F 4A 35 49 8C 93 50 EC DA 09 DC 27 A7 BB C9 BA CF 4E 3B 1B 2D 7F BA AB 9A 42 04 B1 4B 81 10 ��

URLs

httpps://www.torproject.org/

http://helpqvrg3cc5mvb3.onion/

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

swhost.exesmhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\swhost.exe\""	swhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\smhost.exe\""	smhost.exe

Executes dropped EXE 2 IoCs

Processes:

swhost.exesmhost.exe

pid process

1636 swhost.exe
528 smhost.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

aspnet_wp.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MeasureResolve.tiff => C:\Users\Admin\Pictures\MeasureResolve.tiff.STAR	aspnet_wp.exe
File renamed	C:\Users\Admin\Pictures\MountFind.tif => C:\Users\Admin\Pictures\MountFind.tif.STAR	aspnet_wp.exe
File renamed	C:\Users\Admin\Pictures\ResolveUnlock.raw => C:\Users\Admin\Pictures\ResolveUnlock.raw.STAR	aspnet_wp.exe
File renamed	C:\Users\Admin\Pictures\WriteResolve.crw => C:\Users\Admin\Pictures\WriteResolve.crw.STAR	aspnet_wp.exe
File renamed	C:\Users\Admin\Pictures\EditStart.tif => C:\Users\Admin\Pictures\EditStart.tif.STAR	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureResolve.tiff	aspnet_wp.exe

Drops startup file 4 IoCs

Processes:

smhost.exeswhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smhost.exe	smhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swhost.exe	swhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\swhost.exe	swhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smhost.exe	smhost.exe

Loads dropped DLL 4 IoCs

Processes:

Photo-064-2021.jpg.scr

pid process

868 Photo-064-2021.jpg.scr
868 Photo-064-2021.jpg.scr
868 Photo-064-2021.jpg.scr
868 Photo-064-2021.jpg.scr
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
868	Photo-064-2021.jpg.scr
868	Photo-064-2021.jpg.scr
868	Photo-064-2021.jpg.scr
868	Photo-064-2021.jpg.scr

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

smhost.exeaspnet_wp.exeswhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\smhost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smhost.exe"	smhost.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	aspnet_wp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\aspnet_wp.exe"	aspnet_wp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\swhost.exe"	swhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\swhost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\swhost.exe"	swhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smhost.exe"	smhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 29 IoCs

Processes:

aspnet_wp.exe

description	ioc	process
File opened for modification	C:\Users\Public\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Program Files\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	aspnet_wp.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	aspnet_wp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

swhost.exesmhost.exe

pid	process
1636	swhost.exe
1636	swhost.exe
1636	swhost.exe
1636	swhost.exe
1636	swhost.exe
1636	swhost.exe
1636	swhost.exe
1636	swhost.exe
528	smhost.exe
528	smhost.exe
528	smhost.exe
528	smhost.exe
528	smhost.exe
528	smhost.exe
528	smhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

smhost.exeswhost.exe

description	pid	process	target process
PID 528 set thread context of 1188	528	smhost.exe	aspnet_wp.exe
PID 1636 set thread context of 1844	1636	swhost.exe	aspnet_wp.exe

Drops file in Program Files directory 5320 IoCs

Processes:

aspnet_wp.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OART.DLL	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_italic.gif	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FINCL_01.MID	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15273_.GIF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0291794.WMF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01297_.GIF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PSTPRX32.DLL	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\form_edit.js	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR44F.GIF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Discussion14.gta	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZFORM.DPV	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_COL.HXC	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51B.GIF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14791_.GIF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18221_.WMF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\CAGCAT10.MMW	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN107.XML	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01179_.WMF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialLetter.dotx	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ogalegit.dll	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46F.GIF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00629_.WMF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1A.BDR	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00177_.WMF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTEAR.DPV	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignleft.gif	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14981_.GIF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099202.GIF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105328.WMF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\86.0.4240.111\86.0.4240.111_chrome_installer.exe	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue.css	aspnet_wp.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\WERE_MY _FILES.txt	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198025.WMF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00608_.WMF	aspnet_wp.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Genko_1.jtp	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216588.WMF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif	aspnet_wp.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\WERE_MY _FILES.txt	aspnet_wp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libvdummy_plugin.dll	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Status Report.fdt	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21332_.GIF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152622.WMF	aspnet_wp.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_av1_plugin.dll	aspnet_wp.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\WERE_MY _FILES.txt	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_on.gif	aspnet_wp.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\WERE_MY _FILES.txt	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Code_Signing_2001-4_CA.cer	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR23F.GIF	aspnet_wp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SlateBlue.css	aspnet_wp.exe

Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1856 timeout.exe
936 timeout.exe
1776 timeout.exe
1652 timeout.exe
1448 timeout.exe
1264 timeout.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Photo-064-2021.jpg.scrswhost.exesmhost.exe

pid process

868 Photo-064-2021.jpg.scr
868 Photo-064-2021.jpg.scr
1636 swhost.exe
528 smhost.exe
528 smhost.exe
528 smhost.exe
1636 swhost.exe
1636 swhost.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

aspnet_wp.exe

pid process

1844 aspnet_wp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Photo-064-2021.jpg.scrswhost.exesmhost.exe

description pid process

Token: SeDebugPrivilege 868 Photo-064-2021.jpg.scr
Token: SeDebugPrivilege 1636 swhost.exe
Token: SeDebugPrivilege 528 smhost.exe

pid	process
1856	timeout.exe
936	timeout.exe
1776	timeout.exe
1652	timeout.exe
1448	timeout.exe
1264	timeout.exe

pid	process
868	Photo-064-2021.jpg.scr
868	Photo-064-2021.jpg.scr
1636	swhost.exe
528	smhost.exe
528	smhost.exe
528	smhost.exe
1636	swhost.exe
1636	swhost.exe

pid	process
1844	aspnet_wp.exe

description	pid	process
Token: SeDebugPrivilege	868	Photo-064-2021.jpg.scr
Token: SeDebugPrivilege	1636	swhost.exe
Token: SeDebugPrivilege	528	smhost.exe

Suspicious use of WriteProcessMemory 73 IoCs

Processes:

Photo-064-2021.jpg.scrswhost.exesmhost.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 868 wrote to memory of 1636	868	Photo-064-2021.jpg.scr	swhost.exe
PID 868 wrote to memory of 1636	868	Photo-064-2021.jpg.scr	swhost.exe
PID 868 wrote to memory of 1636	868	Photo-064-2021.jpg.scr	swhost.exe
PID 868 wrote to memory of 1636	868	Photo-064-2021.jpg.scr	swhost.exe
PID 868 wrote to memory of 528	868	Photo-064-2021.jpg.scr	smhost.exe
PID 868 wrote to memory of 528	868	Photo-064-2021.jpg.scr	smhost.exe
PID 868 wrote to memory of 528	868	Photo-064-2021.jpg.scr	smhost.exe
PID 868 wrote to memory of 528	868	Photo-064-2021.jpg.scr	smhost.exe
PID 1636 wrote to memory of 932	1636	swhost.exe	cmd.exe
PID 1636 wrote to memory of 932	1636	swhost.exe	cmd.exe
PID 1636 wrote to memory of 932	1636	swhost.exe	cmd.exe
PID 1636 wrote to memory of 932	1636	swhost.exe	cmd.exe
PID 528 wrote to memory of 572	528	smhost.exe	cmd.exe
PID 528 wrote to memory of 572	528	smhost.exe	cmd.exe
PID 528 wrote to memory of 572	528	smhost.exe	cmd.exe
PID 528 wrote to memory of 572	528	smhost.exe	cmd.exe
PID 572 wrote to memory of 936	572	cmd.exe	timeout.exe
PID 572 wrote to memory of 936	572	cmd.exe	timeout.exe
PID 572 wrote to memory of 936	572	cmd.exe	timeout.exe
PID 572 wrote to memory of 936	572	cmd.exe	timeout.exe
PID 932 wrote to memory of 1856	932	cmd.exe	timeout.exe
PID 932 wrote to memory of 1856	932	cmd.exe	timeout.exe
PID 932 wrote to memory of 1856	932	cmd.exe	timeout.exe
PID 932 wrote to memory of 1856	932	cmd.exe	timeout.exe
PID 1636 wrote to memory of 1008	1636	swhost.exe	cmd.exe
PID 1636 wrote to memory of 1008	1636	swhost.exe	cmd.exe
PID 1636 wrote to memory of 1008	1636	swhost.exe	cmd.exe
PID 1636 wrote to memory of 1008	1636	swhost.exe	cmd.exe
PID 528 wrote to memory of 1616	528	smhost.exe	cmd.exe
PID 528 wrote to memory of 1616	528	smhost.exe	cmd.exe
PID 528 wrote to memory of 1616	528	smhost.exe	cmd.exe
PID 528 wrote to memory of 1616	528	smhost.exe	cmd.exe
PID 1008 wrote to memory of 1776	1008	cmd.exe	timeout.exe
PID 1008 wrote to memory of 1776	1008	cmd.exe	timeout.exe
PID 1008 wrote to memory of 1776	1008	cmd.exe	timeout.exe
PID 1008 wrote to memory of 1776	1008	cmd.exe	timeout.exe
PID 1616 wrote to memory of 1652	1616	cmd.exe	timeout.exe
PID 1616 wrote to memory of 1652	1616	cmd.exe	timeout.exe
PID 1616 wrote to memory of 1652	1616	cmd.exe	timeout.exe
PID 1616 wrote to memory of 1652	1616	cmd.exe	timeout.exe
PID 1636 wrote to memory of 1048	1636	swhost.exe	cmd.exe
PID 1636 wrote to memory of 1048	1636	swhost.exe	cmd.exe
PID 1636 wrote to memory of 1048	1636	swhost.exe	cmd.exe
PID 1636 wrote to memory of 1048	1636	swhost.exe	cmd.exe
PID 528 wrote to memory of 1376	528	smhost.exe	cmd.exe
PID 528 wrote to memory of 1376	528	smhost.exe	cmd.exe
PID 528 wrote to memory of 1376	528	smhost.exe	cmd.exe
PID 528 wrote to memory of 1376	528	smhost.exe	cmd.exe
PID 1376 wrote to memory of 1448	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 1448	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 1448	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 1448	1376	cmd.exe	timeout.exe
PID 1048 wrote to memory of 1264	1048	cmd.exe	timeout.exe
PID 1048 wrote to memory of 1264	1048	cmd.exe	timeout.exe
PID 1048 wrote to memory of 1264	1048	cmd.exe	timeout.exe
PID 1048 wrote to memory of 1264	1048	cmd.exe	timeout.exe
PID 528 wrote to memory of 1188	528	smhost.exe	aspnet_wp.exe
PID 528 wrote to memory of 1188	528	smhost.exe	aspnet_wp.exe
PID 528 wrote to memory of 1188	528	smhost.exe	aspnet_wp.exe
PID 528 wrote to memory of 1188	528	smhost.exe	aspnet_wp.exe
PID 528 wrote to memory of 1188	528	smhost.exe	aspnet_wp.exe
PID 528 wrote to memory of 1188	528	smhost.exe	aspnet_wp.exe
PID 528 wrote to memory of 1188	528	smhost.exe	aspnet_wp.exe
PID 528 wrote to memory of 1188	528	smhost.exe	aspnet_wp.exe

C:\Users\Admin\AppData\Local\Temp\Photo-064-2021.jpg.scr
"C:\Users\Admin\AppData\Local\Temp\Photo-064-2021.jpg.scr" /S
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\swhost.exe
"C:\Users\Admin\AppData\Local\Temp\swhost.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
3⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
PID:1844

C:\Users\Admin\AppData\Local\Temp\smhost.exe
"C:\Users\Admin\AppData\Local\Temp\smhost.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
3⤵
PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\smhost.exe

MD5
654e98d30719de2b197311aadece41d2

SHA1
e2dc9f7a0256621e767fe2d0ce3b251ab2c037fd

SHA256
b624fba4e93efc188408233ae3b7b3c43f0461cfd728bdc7d7c70eeb680a5c26

SHA512
ca0d80526849a271925321717f8ba062892722f21ef08a197f208dedc31e34f078bacdfe6beef139ed278461a8ee7c2b4badde5a1c20f39d5d3097e90385ccf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\smhost.exe

MD5
654e98d30719de2b197311aadece41d2

SHA1
e2dc9f7a0256621e767fe2d0ce3b251ab2c037fd

SHA256
b624fba4e93efc188408233ae3b7b3c43f0461cfd728bdc7d7c70eeb680a5c26

SHA512
ca0d80526849a271925321717f8ba062892722f21ef08a197f208dedc31e34f078bacdfe6beef139ed278461a8ee7c2b4badde5a1c20f39d5d3097e90385ccf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\swhost.exe

MD5
9e96c9967287f92f1646c0c8a68f3a48

SHA1
53401dab53f27cab59e5e2f2e2d7d8bfa3699744

SHA256
b144cea70ef357f52b0b3fdcad315d0df095c563c2cbe535fb45354133db6a2b

SHA512
1acd812c5e93fff4686c3f93f503196660bfc44b9257f5af850b18fd19fd7d82c74c0fc878e79240b1250e6c5168a54bcae7a806f696d5f09b69c197ab8eb924

Download Submit
C:\Users\Admin\AppData\Local\Temp\swhost.exe

MD5
9e96c9967287f92f1646c0c8a68f3a48

SHA1
53401dab53f27cab59e5e2f2e2d7d8bfa3699744

SHA256
b144cea70ef357f52b0b3fdcad315d0df095c563c2cbe535fb45354133db6a2b

SHA512
1acd812c5e93fff4686c3f93f503196660bfc44b9257f5af850b18fd19fd7d82c74c0fc878e79240b1250e6c5168a54bcae7a806f696d5f09b69c197ab8eb924

Download Submit
\Users\Admin\AppData\Local\Temp\smhost.exe

MD5
654e98d30719de2b197311aadece41d2

SHA1
e2dc9f7a0256621e767fe2d0ce3b251ab2c037fd

SHA256
b624fba4e93efc188408233ae3b7b3c43f0461cfd728bdc7d7c70eeb680a5c26

SHA512
ca0d80526849a271925321717f8ba062892722f21ef08a197f208dedc31e34f078bacdfe6beef139ed278461a8ee7c2b4badde5a1c20f39d5d3097e90385ccf4

Download Submit
\Users\Admin\AppData\Local\Temp\smhost.exe

MD5
654e98d30719de2b197311aadece41d2

SHA1
e2dc9f7a0256621e767fe2d0ce3b251ab2c037fd

SHA256
b624fba4e93efc188408233ae3b7b3c43f0461cfd728bdc7d7c70eeb680a5c26

SHA512
ca0d80526849a271925321717f8ba062892722f21ef08a197f208dedc31e34f078bacdfe6beef139ed278461a8ee7c2b4badde5a1c20f39d5d3097e90385ccf4

Download Submit
\Users\Admin\AppData\Local\Temp\swhost.exe

MD5
9e96c9967287f92f1646c0c8a68f3a48

SHA1
53401dab53f27cab59e5e2f2e2d7d8bfa3699744

SHA256
b144cea70ef357f52b0b3fdcad315d0df095c563c2cbe535fb45354133db6a2b

SHA512
1acd812c5e93fff4686c3f93f503196660bfc44b9257f5af850b18fd19fd7d82c74c0fc878e79240b1250e6c5168a54bcae7a806f696d5f09b69c197ab8eb924

Download Submit
\Users\Admin\AppData\Local\Temp\swhost.exe

MD5
9e96c9967287f92f1646c0c8a68f3a48

SHA1
53401dab53f27cab59e5e2f2e2d7d8bfa3699744

SHA256
b144cea70ef357f52b0b3fdcad315d0df095c563c2cbe535fb45354133db6a2b

SHA512
1acd812c5e93fff4686c3f93f503196660bfc44b9257f5af850b18fd19fd7d82c74c0fc878e79240b1250e6c5168a54bcae7a806f696d5f09b69c197ab8eb924

Download Submit
memory/528-42-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/528-15-0x0000000000000000-mapping.dmp

Download
memory/528-22-0x00000000006C0000-0x00000000006E2000-memory.dmp

Filesize
136KB

Download
memory/528-18-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/528-19-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/572-24-0x0000000000000000-mapping.dmp

Download
memory/868-2-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/868-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/932-23-0x0000000000000000-mapping.dmp

Download
memory/936-25-0x0000000000000000-mapping.dmp

Download
memory/1008-27-0x0000000000000000-mapping.dmp

Download
memory/1048-31-0x0000000000000000-mapping.dmp

Download
memory/1188-38-0x000000000040801E-mapping.dmp

Download
memory/1188-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1188-41-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1188-40-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1264-34-0x0000000000000000-mapping.dmp

Download
memory/1376-32-0x0000000000000000-mapping.dmp

Download
memory/1448-33-0x0000000000000000-mapping.dmp

Download
memory/1616-28-0x0000000000000000-mapping.dmp

Download
memory/1636-10-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/1636-7-0x0000000000000000-mapping.dmp

Download
memory/1636-43-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1636-11-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1636-21-0x0000000000370000-0x0000000000398000-memory.dmp

Filesize
160KB

Download
memory/1652-30-0x0000000000000000-mapping.dmp

Download
memory/1776-29-0x0000000000000000-mapping.dmp

Download
memory/1844-37-0x0000000000409F20-mapping.dmp

Download
memory/1844-39-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1844-36-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1856-26-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads