Analysis

max time kernel: 57s
max time network: 111s
platform: windows10_x64
resource: win10v20201028
submitted: 09/02/2021, 18:44

Static task: static1
Behavioral task: behavioral1
  Sample: speedo.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: speedo.bin.exe
  Resource: win10v20201028

General

Target: speedo.bin.exe
Size: 50KB
MD5: e0870a190c5eaefdae56f9c8773e36cd
SHA1: a0d2ea755f3914354b76ed895e0024fe753808bc
SHA256: 1b1172500c6e1e1607b0b0bce4ec74f8b65ffafcd492d8cd2886a7b7f20efaa4
SHA512: c68948866b06f2336b4be9ea6ec63daa3573d9a5a8185977e772bfd297a0b7cbf050fd5cc72cb782f53a4ba1bb7d46b683b7a3fcd69e047d0e30899e021efadd

Malware Config

Extracted: C:\Users\Admin\Desktop\info.hta
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
pid   Process
856   gmndk54w.exe
2852  98561.exe

Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
description   ioc                                                                                                        Process
File renamed  C:\Users\Admin\Pictures\CloseConvertFrom.png => C:\Users\Admin\Pictures\CloseConvertFrom.png.paras1te    98561.exe
File renamed  C:\Users\Admin\Pictures\TestConvertTo.png => C:\Users\Admin\Pictures\TestConvertTo.png.paras1te          98561.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (1 IoCs)
description   ioc                                       Process
File created  C:\Windows\SysWOW64\@AudioToastIcon.png   98561.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid   Process
2732  vssadmin.exe
1192  vssadmin.exe
668   vssadmin.exe

Kills process with taskkill (1 IoCs)
pid   Process
632   taskkill.exe

Modifies registry class (1 IoCs)
description   ioc                                                                                         Process
Key created   \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings   98561.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
880   speedo.bin.exe
880   speedo.bin.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (tree depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\speedo.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\speedo.bin.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 880

    [2] \??\c:\windows\system32\cmstp.exe
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\p4ivb3aj.inf
        PID: 3744

[1] C:\Windows\system32\cmd.exe
    cmd /c start C:\Windows\temp\gmndk54w.exe
    - Suspicious use of WriteProcessMemory
    PID: 2920

    [2] C:\Windows\temp\gmndk54w.exe
        C:\Windows\temp\gmndk54w.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 856

        [3] C:\Users\Admin\AppData\Roaming\98561.exe
            "C:\Users\Admin\AppData\Roaming\98561.exe"
            - Executes dropped EXE
            - Modifies extensions of user files
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2852

            [4] C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
                - Suspicious use of WriteProcessMemory
                PID: 2784

                [5] C:\Windows\SysWOW64\vssadmin.exe
                    vssadmin.exe delete shadows /all /quiet
                    - Interacts with shadow copies
                    PID: 1192

            [4] C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
                - Suspicious use of WriteProcessMemory
                PID: 804

                [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
                    wmic shadowcopy delete
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 3992

            [4] C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                PID: 2084

            [4] C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
                - Suspicious use of WriteProcessMemory
                PID: 988

                [5] C:\Windows\SysWOW64\vssadmin.exe
                    vssadmin.exe delete shadows /all /quiet
                    - Interacts with shadow copies
                    PID: 668

            [4] C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
                - Suspicious use of WriteProcessMemory
                PID: 1768

                [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
                    wmic shadowcopy delete
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 1092

            [4] C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                PID: 4032

            [4] C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
                - Suspicious use of WriteProcessMemory
                PID: 2928

                [5] C:\Windows\SysWOW64\vssadmin.exe
                    vssadmin.exe delete shadows /all /quiet
                    - Interacts with shadow copies
                    PID: 2732

            [4] C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                PID: 3940

            [4] C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
                - Suspicious use of WriteProcessMemory
                PID: 3016

                [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
                    wmic shadowcopy delete
                    PID: 1760

            [4] C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                PID: 640

            [4] C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\98561.exe"
                PID: 1196

                [5] C:\Windows\SysWOW64\choice.exe
                    choice /C Y /N /D Y /T 1
                    PID: 904

        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Windows\temp\gmndk54w.exe"
            - Suspicious use of WriteProcessMemory
            PID: 1628

            [4] C:\Windows\SysWOW64\choice.exe
                choice /C Y /N /D Y /T 1
                PID: 3860

[1] C:\Windows\system32\taskkill.exe
    taskkill /IM cmstp.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 632

[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 1912