Analysis
-
max time kernel
145s -
max time network
105s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-02-2021 18:44
Static task
static1
Behavioral task
behavioral1
Sample
speedo.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
speedo.bin.exe
Resource
win10v20201028
General
-
Target
speedo.bin.exe
-
Size
50KB
-
MD5
e0870a190c5eaefdae56f9c8773e36cd
-
SHA1
a0d2ea755f3914354b76ed895e0024fe753808bc
-
SHA256
1b1172500c6e1e1607b0b0bce4ec74f8b65ffafcd492d8cd2886a7b7f20efaa4
-
SHA512
c68948866b06f2336b4be9ea6ec63daa3573d9a5a8185977e772bfd297a0b7cbf050fd5cc72cb782f53a4ba1bb7d46b683b7a3fcd69e047d0e30899e021efadd
Malware Config
Extracted
C:\Users\Admin\Desktop\info.hta
parasite@cock.li
para5ite@tutanota.com
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
qmmxwrna.exe98561.exepid process 1800 qmmxwrna.exe 1900 98561.exe -
Loads dropped DLL 1 IoCs
Processes:
qmmxwrna.exepid process 1800 qmmxwrna.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 2 IoCs
Processes:
98561.exedescription ioc process File created C:\Windows\SysWOW64\locationnotificationsview.xml 98561.exe File opened for modification C:\Windows\SysWOW64\license.rtf 98561.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Drops file in Program Files directory 64 IoCs
Processes:
98561.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageStyle.css 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SlateBlue.css 98561.exe File opened for modification C:\Program Files\7-Zip\Lang\de.txt 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml 98561.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg 98561.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate.css 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp 98561.exe File opened for modification C:\Program Files\7-Zip\Lang\eu.txt 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png 98561.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml 98561.exe File opened for modification C:\Program Files\Java\jre7\Welcome.html 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Discussion.css 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageStyle.css 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp 98561.exe File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\LogoBeta.png 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Aspect.xml 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml 98561.exe File created C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml 98561.exe File opened for modification C:\Program Files\Java\jre7\bin\server\Xusage.txt 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html 98561.exe File opened for modification C:\Program Files\SubmitJoin.docx 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml 98561.exe File opened for modification C:\Program Files\7-Zip\Lang\pl.txt 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg 98561.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css 98561.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp 98561.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\drag.png 98561.exe -
Drops file in Windows directory 64 IoCs
Processes:
98561.exedescription ioc process File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlPersistenceProviderLogic.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\home1.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2070\LocalizedData.xml 98561.exe File created C:\Windows\Web\Wallpaper\Landscapes\img10.jpg 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallWebEventSqlProvider.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlPersistenceProviderLogic.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallPersonalization.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceProviderLogic.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home0.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\manageUsers.aspx 98561.exe File opened for modification C:\Windows\Professional.xml 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallMembership.sql 98561.exe File opened for modification C:\Windows\Vss\Writers\System\0bada1de-01a9-4625-8278-69e735f39dd2.xml 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallRoles.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1038\eula.rtf 98561.exe File created C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\GB-wp1.jpg 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1049\eula.rtf 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql 98561.exe File opened for modification C:\Windows\Panther\diagwrn.xml 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreLogic.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en\SqlPersistenceService_Logic.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx 98561.exe File created C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp1.jpg 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallPersistSqlState.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx45_IIS_schema_update.xml 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1029\eula.rtf 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1041\eula.rtf 98561.exe File created C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\AU-wp1.jpg 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\error.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\manageAllRoles.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\DropSqlWorkflowInstanceStoreSchema.sql 98561.exe File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml 98561.exe File opened for modification C:\Windows\Starter.xml 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1044\eula.rtf 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlStateTemplate.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home1.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallCommon.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\UiInfo.xml 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1030\eula.rtf 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlWorkflowInstanceStoreLogic.sql 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\header.bmp 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1037\LocalizedData.xml 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageAllRoles.aspx 98561.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallWebEventSqlProvider.sql 98561.exe -
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 1152 vssadmin.exe 1640 vssadmin.exe 1584 vssadmin.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 1724 taskkill.exe -
Processes:
iexplore.exeiexplore.exeIEXPLORE.EXEmshta.exemshta.exeIEXPLORE.EXEmshta.exemshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9A637521-6B06-11EB-8332-F65A7312C48E} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8D4BE521-6B06-11EB-8332-F65A7312C48E} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe -
Modifies registry class 2 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
qmmxwrna.exepid process 1800 qmmxwrna.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
speedo.bin.exepid process 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe 1740 speedo.bin.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
rundll32.exepid process 1348 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
speedo.bin.exetaskkill.exeqmmxwrna.exe98561.exeWMIC.exevssvc.exeWMIC.exedescription pid process Token: SeDebugPrivilege 1740 speedo.bin.exe Token: SeDebugPrivilege 1724 taskkill.exe Token: SeDebugPrivilege 1800 qmmxwrna.exe Token: SeDebugPrivilege 1900 98561.exe Token: 33 1900 98561.exe Token: SeIncBasePriorityPrivilege 1900 98561.exe Token: SeIncreaseQuotaPrivilege 904 WMIC.exe Token: SeSecurityPrivilege 904 WMIC.exe Token: SeTakeOwnershipPrivilege 904 WMIC.exe Token: SeLoadDriverPrivilege 904 WMIC.exe Token: SeSystemProfilePrivilege 904 WMIC.exe Token: SeSystemtimePrivilege 904 WMIC.exe Token: SeProfSingleProcessPrivilege 904 WMIC.exe Token: SeIncBasePriorityPrivilege 904 WMIC.exe Token: SeCreatePagefilePrivilege 904 WMIC.exe Token: SeBackupPrivilege 904 WMIC.exe Token: SeRestorePrivilege 904 WMIC.exe Token: SeShutdownPrivilege 904 WMIC.exe Token: SeDebugPrivilege 904 WMIC.exe Token: SeSystemEnvironmentPrivilege 904 WMIC.exe Token: SeRemoteShutdownPrivilege 904 WMIC.exe Token: SeUndockPrivilege 904 WMIC.exe Token: SeManageVolumePrivilege 904 WMIC.exe Token: 33 904 WMIC.exe Token: 34 904 WMIC.exe Token: 35 904 WMIC.exe Token: SeBackupPrivilege 1552 vssvc.exe Token: SeRestorePrivilege 1552 vssvc.exe Token: SeAuditPrivilege 1552 vssvc.exe Token: SeIncreaseQuotaPrivilege 904 WMIC.exe Token: SeSecurityPrivilege 904 WMIC.exe Token: SeTakeOwnershipPrivilege 904 WMIC.exe Token: SeLoadDriverPrivilege 904 WMIC.exe Token: SeSystemProfilePrivilege 904 WMIC.exe Token: SeSystemtimePrivilege 904 WMIC.exe Token: SeProfSingleProcessPrivilege 904 WMIC.exe Token: SeIncBasePriorityPrivilege 904 WMIC.exe Token: SeCreatePagefilePrivilege 904 WMIC.exe Token: SeBackupPrivilege 904 WMIC.exe Token: SeRestorePrivilege 904 WMIC.exe Token: SeShutdownPrivilege 904 WMIC.exe Token: SeDebugPrivilege 904 WMIC.exe Token: SeSystemEnvironmentPrivilege 904 WMIC.exe Token: SeRemoteShutdownPrivilege 904 WMIC.exe Token: SeUndockPrivilege 904 WMIC.exe Token: SeManageVolumePrivilege 904 WMIC.exe Token: 33 904 WMIC.exe Token: 34 904 WMIC.exe Token: 35 904 WMIC.exe Token: SeIncreaseQuotaPrivilege 1380 WMIC.exe Token: SeSecurityPrivilege 1380 WMIC.exe Token: SeTakeOwnershipPrivilege 1380 WMIC.exe Token: SeLoadDriverPrivilege 1380 WMIC.exe Token: SeSystemProfilePrivilege 1380 WMIC.exe Token: SeSystemtimePrivilege 1380 WMIC.exe Token: SeProfSingleProcessPrivilege 1380 WMIC.exe Token: SeIncBasePriorityPrivilege 1380 WMIC.exe Token: SeCreatePagefilePrivilege 1380 WMIC.exe Token: SeBackupPrivilege 1380 WMIC.exe Token: SeRestorePrivilege 1380 WMIC.exe Token: SeShutdownPrivilege 1380 WMIC.exe Token: SeDebugPrivilege 1380 WMIC.exe Token: SeSystemEnvironmentPrivilege 1380 WMIC.exe Token: SeRemoteShutdownPrivilege 1380 WMIC.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
iexplore.exeiexplore.exepid process 1876 iexplore.exe 2120 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
speedo.bin.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEpid process 1740 speedo.bin.exe 1740 speedo.bin.exe 1876 iexplore.exe 1876 iexplore.exe 768 IEXPLORE.EXE 768 IEXPLORE.EXE 2120 iexplore.exe 2120 iexplore.exe 2176 IEXPLORE.EXE 2176 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
speedo.bin.execmd.exeqmmxwrna.execmd.exe98561.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1740 wrote to memory of 1876 1740 speedo.bin.exe cmstp.exe PID 1740 wrote to memory of 1876 1740 speedo.bin.exe cmstp.exe PID 1740 wrote to memory of 1876 1740 speedo.bin.exe cmstp.exe PID 1552 wrote to memory of 1800 1552 cmd.exe qmmxwrna.exe PID 1552 wrote to memory of 1800 1552 cmd.exe qmmxwrna.exe PID 1552 wrote to memory of 1800 1552 cmd.exe qmmxwrna.exe PID 1552 wrote to memory of 1800 1552 cmd.exe qmmxwrna.exe PID 1800 wrote to memory of 1900 1800 qmmxwrna.exe 98561.exe PID 1800 wrote to memory of 1900 1800 qmmxwrna.exe 98561.exe PID 1800 wrote to memory of 1900 1800 qmmxwrna.exe 98561.exe PID 1800 wrote to memory of 1900 1800 qmmxwrna.exe 98561.exe PID 1800 wrote to memory of 1648 1800 qmmxwrna.exe cmd.exe PID 1800 wrote to memory of 1648 1800 qmmxwrna.exe cmd.exe PID 1800 wrote to memory of 1648 1800 qmmxwrna.exe cmd.exe PID 1800 wrote to memory of 1648 1800 qmmxwrna.exe cmd.exe PID 1648 wrote to memory of 1612 1648 cmd.exe choice.exe PID 1648 wrote to memory of 1612 1648 cmd.exe choice.exe PID 1648 wrote to memory of 1612 1648 cmd.exe choice.exe PID 1648 wrote to memory of 1612 1648 cmd.exe choice.exe PID 1900 wrote to memory of 1960 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1960 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1960 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1960 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1556 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1556 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1556 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1556 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1212 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1212 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1212 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1212 1900 98561.exe cmd.exe PID 1960 wrote to memory of 1152 1960 cmd.exe vssadmin.exe PID 1960 wrote to memory of 1152 1960 cmd.exe vssadmin.exe PID 1960 wrote to memory of 1152 1960 cmd.exe vssadmin.exe PID 1960 wrote to memory of 1152 1960 cmd.exe vssadmin.exe PID 1556 wrote to memory of 904 1556 cmd.exe WMIC.exe PID 1556 wrote to memory of 904 1556 cmd.exe WMIC.exe PID 1556 wrote to memory of 904 1556 cmd.exe WMIC.exe PID 1556 wrote to memory of 904 1556 cmd.exe WMIC.exe PID 1900 wrote to memory of 1668 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1668 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1668 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1668 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1660 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1660 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1660 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1660 1900 98561.exe cmd.exe PID 1900 wrote to memory of 396 1900 98561.exe cmd.exe PID 1900 wrote to memory of 396 1900 98561.exe cmd.exe PID 1900 wrote to memory of 396 1900 98561.exe cmd.exe PID 1900 wrote to memory of 396 1900 98561.exe cmd.exe PID 1668 wrote to memory of 1640 1668 cmd.exe vssadmin.exe PID 1668 wrote to memory of 1640 1668 cmd.exe vssadmin.exe PID 1668 wrote to memory of 1640 1668 cmd.exe vssadmin.exe PID 1668 wrote to memory of 1640 1668 cmd.exe vssadmin.exe PID 1660 wrote to memory of 1380 1660 cmd.exe WMIC.exe PID 1660 wrote to memory of 1380 1660 cmd.exe WMIC.exe PID 1660 wrote to memory of 1380 1660 cmd.exe WMIC.exe PID 1660 wrote to memory of 1380 1660 cmd.exe WMIC.exe PID 1900 wrote to memory of 1152 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1152 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1152 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1152 1900 98561.exe cmd.exe PID 1900 wrote to memory of 1800 1900 98561.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\speedo.bin.exe"C:\Users\Admin\AppData\Local\Temp\speedo.bin.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\cmstp.exe"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\g42dqzwq.inf2⤵
-
C:\Windows\system32\cmd.execmd /c start C:\Windows\temp\qmmxwrna.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\temp\qmmxwrna.exeC:\Windows\temp\qmmxwrna.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\98561.exe"C:\Users\Admin\AppData\Roaming\98561.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet4⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete4⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"4⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\98561.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 15⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Windows\temp\qmmxwrna.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 14⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM cmstp.exe /F1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Documents\info.hta"1⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\info.hta1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Documents\info.hta2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\info.hta1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe -Embedding1⤵
- Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\98561.exeMD5
7bd1af2bf9a6444ed8f835886b203495
SHA1a18ede85e2129bea96144a7165a8d49bfc29c3ed
SHA256fa741ee3922bcadce51c42f2ce03bda09cfc96cb7f079a2794f69c98d985ec36
SHA512c5a0c720ff6f90231bb4c376e7e4d2f33517566ddfa84f9dbe31cbac9d63b239babd1002e7fc00440c2182319c26a82f958b88fb59b087f4e2debef7fd9fbfe0
-
C:\Users\Admin\AppData\Roaming\98561.exeMD5
7bd1af2bf9a6444ed8f835886b203495
SHA1a18ede85e2129bea96144a7165a8d49bfc29c3ed
SHA256fa741ee3922bcadce51c42f2ce03bda09cfc96cb7f079a2794f69c98d985ec36
SHA512c5a0c720ff6f90231bb4c376e7e4d2f33517566ddfa84f9dbe31cbac9d63b239babd1002e7fc00440c2182319c26a82f958b88fb59b087f4e2debef7fd9fbfe0
-
C:\Users\Admin\Desktop\info.htaMD5
487dc592df1c0a0f152147491cdc7b48
SHA14bba5387917cb3d764442ac2bcd05cd5ac1b104d
SHA2569c63c7c53c7eb49e245451e2da4c586fc2e38d7bcc34324015d3588c245c374b
SHA51296944585e24e77edf36f43717a66f2a68ee89474d630df4245bcb34d8c2a703d9c72498e441a2539af675605061b9585c1a902c4a8f4fd394c965b59c8473583
-
C:\Users\Admin\Documents\info.htaMD5
487dc592df1c0a0f152147491cdc7b48
SHA14bba5387917cb3d764442ac2bcd05cd5ac1b104d
SHA2569c63c7c53c7eb49e245451e2da4c586fc2e38d7bcc34324015d3588c245c374b
SHA51296944585e24e77edf36f43717a66f2a68ee89474d630df4245bcb34d8c2a703d9c72498e441a2539af675605061b9585c1a902c4a8f4fd394c965b59c8473583
-
C:\Windows\Temp\qmmxwrna.exeMD5
6612016ed61a65144813f238efe491a1
SHA13a77f98b94a92f482c194ef4d57df1ad05d446ad
SHA256affdb2f84b3ae8459618a81731f364775386cd8b39b6ec795c5ae80287fed7cc
SHA5128bffd0759b021b534ba1f7cec57ad7f714c0f189d77b20e363e7de6d77e6c3867dfd0ca1e6c6d8e245252332b5ffff5c49b7ebbc8beb8d5d6c071dafcccada5d
-
C:\Windows\temp\g42dqzwq.infMD5
e90fddc40f00adbffb6c46b8f55f6bbd
SHA1635adc423df540015edee5b43057edb6673cd4e0
SHA256756e9b82214619b4017d987cc4e74b2e0cd87466b851c357273d537bbb3ea066
SHA512c828a5c8f9b48098dacb3db4417a9a0107d72b4f2dddfb2fccc035af1d637a2ee532db9a39a5fe5273fb0bd3033d9dbb2044d3803270a9cd0fd751e6acbb2062
-
C:\Windows\temp\qmmxwrna.exeMD5
6612016ed61a65144813f238efe491a1
SHA13a77f98b94a92f482c194ef4d57df1ad05d446ad
SHA256affdb2f84b3ae8459618a81731f364775386cd8b39b6ec795c5ae80287fed7cc
SHA5128bffd0759b021b534ba1f7cec57ad7f714c0f189d77b20e363e7de6d77e6c3867dfd0ca1e6c6d8e245252332b5ffff5c49b7ebbc8beb8d5d6c071dafcccada5d
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Roaming\98561.exeMD5
7bd1af2bf9a6444ed8f835886b203495
SHA1a18ede85e2129bea96144a7165a8d49bfc29c3ed
SHA256fa741ee3922bcadce51c42f2ce03bda09cfc96cb7f079a2794f69c98d985ec36
SHA512c5a0c720ff6f90231bb4c376e7e4d2f33517566ddfa84f9dbe31cbac9d63b239babd1002e7fc00440c2182319c26a82f958b88fb59b087f4e2debef7fd9fbfe0
-
memory/272-48-0x0000000000000000-mapping.dmp
-
memory/316-46-0x0000000000000000-mapping.dmp
-
memory/396-41-0x0000000000000000-mapping.dmp
-
memory/768-58-0x0000000000000000-mapping.dmp
-
memory/904-38-0x0000000000000000-mapping.dmp
-
memory/1152-37-0x0000000000000000-mapping.dmp
-
memory/1152-44-0x0000000000000000-mapping.dmp
-
memory/1212-36-0x0000000000000000-mapping.dmp
-
memory/1300-51-0x0000000000000000-mapping.dmp
-
memory/1380-43-0x0000000000000000-mapping.dmp
-
memory/1536-49-0x0000000000000000-mapping.dmp
-
memory/1556-35-0x0000000000000000-mapping.dmp
-
memory/1584-47-0x0000000000000000-mapping.dmp
-
memory/1612-32-0x0000000000000000-mapping.dmp
-
memory/1636-50-0x0000000000000000-mapping.dmp
-
memory/1640-53-0x000007FEF63D0000-0x000007FEF664A000-memory.dmpFilesize
2.5MB
-
memory/1640-42-0x0000000000000000-mapping.dmp
-
memory/1648-29-0x0000000000000000-mapping.dmp
-
memory/1660-40-0x0000000000000000-mapping.dmp
-
memory/1668-39-0x0000000000000000-mapping.dmp
-
memory/1740-8-0x000000001AEC0000-0x000000001AEC2000-memory.dmpFilesize
8KB
-
memory/1740-9-0x000000001AEC6000-0x000000001AEE5000-memory.dmpFilesize
124KB
-
memory/1740-3-0x0000000000BD0000-0x0000000000BD1000-memory.dmpFilesize
4KB
-
memory/1740-15-0x000000001AEE9000-0x000000001AEEA000-memory.dmpFilesize
4KB
-
memory/1740-10-0x000000001AEE5000-0x000000001AEE6000-memory.dmpFilesize
4KB
-
memory/1740-2-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmpFilesize
9.9MB
-
memory/1740-11-0x000000001AEE6000-0x000000001AEE7000-memory.dmpFilesize
4KB
-
memory/1740-14-0x000000001AEE8000-0x000000001AEE9000-memory.dmpFilesize
4KB
-
memory/1740-13-0x000000001AEE7000-0x000000001AEE8000-memory.dmpFilesize
4KB
-
memory/1740-12-0x000000001AEEA000-0x000000001AEEB000-memory.dmpFilesize
4KB
-
memory/1800-18-0x0000000000000000-mapping.dmp
-
memory/1800-23-0x00000000766F1000-0x00000000766F3000-memory.dmpFilesize
8KB
-
memory/1800-20-0x00000000741A0000-0x000000007488E000-memory.dmpFilesize
6.9MB
-
memory/1800-45-0x0000000000000000-mapping.dmp
-
memory/1800-21-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/1876-57-0x0000000000000000-mapping.dmp
-
memory/1876-7-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmpFilesize
8KB
-
memory/1876-60-0x00000000048E0000-0x00000000048E1000-memory.dmpFilesize
4KB
-
memory/1876-5-0x0000000000000000-mapping.dmp
-
memory/1900-25-0x0000000000000000-mapping.dmp
-
memory/1900-30-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/1900-33-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/1900-28-0x00000000741A0000-0x000000007488E000-memory.dmpFilesize
6.9MB
-
memory/1960-34-0x0000000000000000-mapping.dmp
-
memory/2120-63-0x00000000040F0000-0x00000000040F1000-memory.dmpFilesize
4KB
-
memory/2176-61-0x0000000000000000-mapping.dmp
-
memory/2244-64-0x0000000000BE0000-0x0000000000BE2000-memory.dmpFilesize
8KB