Analysis

  max time kernel:   57s
  max time network:  111s
  platform:          windows10_x64
  resource:          win10v20201028
  submitted:         09-02-2021 18:44

Static task
  static1

Behavioral task
  behavioral1
  Sample:    speedo.bin.exe
  Resource:  win7v20201028

Behavioral task
  behavioral2
  Sample:    speedo.bin.exe
  Resource:  win10v20201028

General

  Target:  speedo.bin.exe
  Size:    50KB
  MD5:     e0870a190c5eaefdae56f9c8773e36cd
  SHA1:    a0d2ea755f3914354b76ed895e0024fe753808bc
  SHA256:  1b1172500c6e1e1607b0b0bce4ec74f8b65ffafcd492d8cd2886a7b7f20efaa4
  SHA512:  c68948866b06f2336b4be9ea6ec63daa3573d9a5a8185977e772bfd297a0b7cbf050fd5cc72cb782f53a4ba1bb7d46b683b7a3fcd69e047d0e30899e021efadd

Malware Config

  Extracted from:  C:\Users\Admin\Desktop\info.hta
  Contact addresses:
    parasite@cock.li
    para5ite@tutanota.com
Signatures

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    856   gmndk54w.exe
    2852  98561.exe

- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description   ioc                                                                                                   process
    File renamed  C:\Users\Admin\Pictures\CloseConvertFrom.png => C:\Users\Admin\Pictures\CloseConvertFrom.png.paras1te  98561.exe
    File renamed  C:\Users\Admin\Pictures\TestConvertTo.png => C:\Users\Admin\Pictures\TestConvertTo.png.paras1te        98561.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Drops file in System32 directory (1 IoC)
  Processes:
    description   ioc                                      process
    File created  C:\Windows\SysWOW64\@AudioToastIcon.png  98561.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    2732  vssadmin.exe
    1192  vssadmin.exe
    668   vssadmin.exe

- Kills process with taskkill (1 IoC)
  Processes:
    pid  process
    632  taskkill.exe

- Modifies registry class (1 IoC)
  Processes:
    description  ioc                                                                                  process
    Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings  98561.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid  process
    880  speedo.bin.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid  process
    880  speedo.bin.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (process tree; [n] is the depth of the process in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\speedo.bin.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\speedo.bin.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\system32\cmstp.exe
      Command: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\p4ivb3aj.inf

[1] C:\Windows\system32\cmd.exe
    Command: cmd /c start C:\Windows\temp\gmndk54w.exe
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\temp\gmndk54w.exe
      Command: C:\Windows\temp\gmndk54w.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\98561.exe
        Command: "C:\Users\Admin\AppData\Roaming\98561.exe"
        - Executes dropped EXE
        - Modifies extensions of user files
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\vssadmin.exe
            Command: vssadmin.exe delete shadows /all /quiet
            - Interacts with shadow copies
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\vssadmin.exe
            Command: vssadmin.exe delete shadows /all /quiet
            - Interacts with shadow copies
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\vssadmin.exe
            Command: vssadmin.exe delete shadows /all /quiet
            - Interacts with shadow copies
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command: wmic shadowcopy delete
      [4] C:\Windows\SysWOW64\mshta.exe
          Command: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\98561.exe"
        [5] C:\Windows\SysWOW64\choice.exe
            Command: choice /C Y /N /D Y /T 1
    [3] C:\Windows\SysWOW64\cmd.exe
        Command: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Windows\temp\gmndk54w.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\choice.exe
          Command: choice /C Y /N /D Y /T 1

[1] C:\Windows\system32\taskkill.exe
    Command: taskkill /IM cmstp.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\vssvc.exe
    Command: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Downloads