Overview
overview
10Static
static
10ฺฺฺ�...ฺฺ
windows10_x64
ฺฺฺ�...ฺฺ
windows10_x64
ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
7ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
1ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
1ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
9ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
5ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10Resubmissions
03-07-2024 22:59
240703-2yn7wszhlp 1003-07-2024 16:13
240703-tn93lsyglf 1003-07-2024 16:11
240703-tm84xsyfma 1010-05-2024 16:25
240510-tw1h5shh47 1024-08-2023 11:16
230824-nda8msdf8z 10Analysis
-
max time kernel
303s -
max time network
305s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
03-02-2021 11:43
Static task
static1
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral24
Sample
Endermanch@NavaShield(1).exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
General
-
Target
-
Size
2.4MB
-
MD5
02f471d1fefbdc07af5555dbfd6ea918
-
SHA1
2a8f93dd21628933de8bea4a9abc00dbb215df0b
-
SHA256
36619636d511fd4b77d3c1052067f5f2a514f7f31dfaa6b2e5677fbb61fd8cba
-
SHA512
287b57b5d318764b2e92ec387099e7e313ba404b73db64d21102ba8656636abbf52bb345328fe58084dc70414c9e2d8cd46abd5a463c6d771d9c3ba68759a559
Score
10/10
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Security Essentials 2011\\SE2010.exe\" /hide" SE2010.exe -
Executes dropped EXE 2 IoCs
pid Process 3872 SE2010.exe 3028 4DE.tmp -
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\ApproveRedo.tiff rundll32.exe -
Deletes itself 1 IoCs
pid Process 3872 SE2010.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine [email protected] Key opened \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine SE2010.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SE2010.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\updatesst = "\"C:\\Users\\Admin\\AppData\\Roaming\\Security Essentials 2011\\SE2010.exe\"" SE2010.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 580 [email protected] 3872 SE2010.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\4DE.tmp rundll32.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 716 580 WerFault.exe 67 -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4012 schtasks.exe 2124 schtasks.exe -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected] [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected]\Clsid [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 SE2010.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SE2010.DocHostUIHandler SE2010.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SE2010.DocHostUIHandler\ = "Implements DocHostUIHandler" SE2010.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID SE2010.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\SECURI~1\\SE2010.exe" SE2010.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SE2010.DocHostUIHandler\Clsid SE2010.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} SE2010.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" SE2010.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SE2010.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" SE2010.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "SE2010.DocHostUIHandler" SE2010.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected]\ = "Implements DocHostUIHandler" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected]\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "[email protected]" [email protected] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" [email protected] -
Suspicious behavior: EnumeratesProcesses 711 IoCs
pid Process 580 [email protected] 580 [email protected] 3872 SE2010.exe 3872 SE2010.exe 716 WerFault.exe 716 WerFault.exe 716 WerFault.exe 716 WerFault.exe 716 WerFault.exe 716 WerFault.exe 716 WerFault.exe 716 WerFault.exe 716 WerFault.exe 716 WerFault.exe 716 WerFault.exe 716 WerFault.exe 716 WerFault.exe 716 WerFault.exe 716 WerFault.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3432 rundll32.exe 3432 rundll32.exe 3432 rundll32.exe 3432 rundll32.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3028 4DE.tmp 3028 4DE.tmp 3028 4DE.tmp 3028 4DE.tmp 3028 4DE.tmp 3028 4DE.tmp 3432 rundll32.exe 3432 rundll32.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe 3872 SE2010.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeRestorePrivilege 716 WerFault.exe Token: SeBackupPrivilege 716 WerFault.exe Token: SeDebugPrivilege 716 WerFault.exe Token: 33 3752 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3752 AUDIODG.EXE Token: SeShutdownPrivilege 3432 rundll32.exe Token: SeDebugPrivilege 3432 rundll32.exe Token: SeTcbPrivilege 3432 rundll32.exe Token: SeDebugPrivilege 3028 4DE.tmp -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 580 [email protected] 580 [email protected] 3872 SE2010.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 580 [email protected] 580 [email protected] 3872 SE2010.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 580 [email protected] 580 [email protected] 3872 SE2010.exe 3872 SE2010.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 580 wrote to memory of 3872 580 [email protected] 75 PID 580 wrote to memory of 3872 580 [email protected] 75 PID 580 wrote to memory of 3872 580 [email protected] 75 PID 500 wrote to memory of 3432 500 rundll32.exe 86 PID 500 wrote to memory of 3432 500 rundll32.exe 86 PID 500 wrote to memory of 3432 500 rundll32.exe 86 PID 3432 wrote to memory of 3056 3432 rundll32.exe 87 PID 3432 wrote to memory of 3056 3432 rundll32.exe 87 PID 3432 wrote to memory of 3056 3432 rundll32.exe 87 PID 3056 wrote to memory of 1308 3056 cmd.exe 89 PID 3056 wrote to memory of 1308 3056 cmd.exe 89 PID 3056 wrote to memory of 1308 3056 cmd.exe 89 PID 3432 wrote to memory of 764 3432 rundll32.exe 90 PID 3432 wrote to memory of 764 3432 rundll32.exe 90 PID 3432 wrote to memory of 764 3432 rundll32.exe 90 PID 3432 wrote to memory of 1920 3432 rundll32.exe 93 PID 3432 wrote to memory of 1920 3432 rundll32.exe 93 PID 3432 wrote to memory of 1920 3432 rundll32.exe 93 PID 764 wrote to memory of 4012 764 cmd.exe 92 PID 764 wrote to memory of 4012 764 cmd.exe 92 PID 764 wrote to memory of 4012 764 cmd.exe 92 PID 3432 wrote to memory of 3028 3432 rundll32.exe 94 PID 3432 wrote to memory of 3028 3432 rundll32.exe 94 PID 1920 wrote to memory of 2124 1920 cmd.exe 97 PID 1920 wrote to memory of 2124 1920 cmd.exe 97 PID 1920 wrote to memory of 2124 1920 cmd.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Users\Admin\AppData\Roaming\Security Essentials 2011\SE2010.exe"C:\Users\Admin\AppData\Roaming\Security Essentials 2011\SE2010.exe" DELC:\Users\Admin\AppData\Local\Temp\[email protected]2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3872
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 20722⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:716
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3441⤵
- Suspicious use of AdjustPrivilegeToken
PID:3752
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 151⤵
- Suspicious use of WriteProcessMemory
PID:500 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Modifies extensions of user files
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:1308
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1887096183 && exit"3⤵
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1887096183 && exit"4⤵
- Creates scheduled task(s)
PID:4012
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:01:003⤵
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:01:004⤵
- Creates scheduled task(s)
PID:2124
-
-
-
C:\Windows\4DE.tmp"C:\Windows\4DE.tmp" \\.\pipe\{4071F97F-F301-4BEC-953A-E13B72C87D21}3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-