Analysis

max time kernel: 83s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 12/02/2021, 08:41

Static task: static1
Behavioral task: behavioral1
  Sample: ___________.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: ___________.exe
  Resource: win10v20201028

General

Target: ___________.exe
Size: 48KB
MD5: 221f1b97cd8e9766bebd001960b31dc4
SHA1: 4c3367638ffca90ae5eb5a644a9beaec1853f36c
SHA256: a5f47b1b2efcf8bd7e36a072941fb9ee0ce780e6f410d6c85c503ccea24d29e6
SHA512: 7e86b0fc428b8fc97251eb0bf2639b2c780d7a45b730b475794107312e6edd963355aca59c8eee34380800006531a8dbeae152f3542291f0c3154c0d1fbb96d6
Malware Config

Extracted: C:\Users\Admin\Desktop\info.hta
Signatures

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
  pid 2248  24kzbgji.exe
  pid 1120  91.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\@AudioToastIcon.png  (91.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 1356  vssadmin.exe
  pid 4108  vssadmin.exe
  pid 1460  vssadmin.exe

Kills process with taskkill (1 IoC)
  pid 3164  taskkill.exe

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings  (91.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 4696  ___________.exe
  pid 4696  ___________.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\___________.exe  (PID 4696)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\___________.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    \??\c:\windows\system32\cmstp.exe  (PID 4980)
      cmdline: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\1i1ug1lr.inf

C:\Windows\system32\cmd.exe  (PID 4180)
  cmdline: cmd /c start C:\Windows\temp\24kzbgji.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\temp\24kzbgji.exe  (PID 2248)
      cmdline: C:\Windows\temp\24kzbgji.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\91.exe  (PID 1120)
          cmdline: "C:\Users\Admin\AppData\Roaming\91.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe  (PID 4620)
              cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\vssadmin.exe  (PID 1356)
                  cmdline: vssadmin.exe delete shadows /all /quiet
                  - Interacts with shadow copies
            C:\Windows\SysWOW64\cmd.exe  (PID 200)
              cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            C:\Windows\SysWOW64\cmd.exe  (PID 4608)
              cmdline: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 3036)
                  cmdline: wmic shadowcopy delete
                  - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\cmd.exe  (PID 3744)
              cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\vssadmin.exe  (PID 4108)
                  cmdline: vssadmin.exe delete shadows /all /quiet
                  - Interacts with shadow copies
            C:\Windows\SysWOW64\cmd.exe  (PID 3436)
              cmdline: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 5012)
                  cmdline: wmic shadowcopy delete
                  - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\cmd.exe  (PID 4728)
              cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            C:\Windows\SysWOW64\cmd.exe  (PID 68)
              cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\vssadmin.exe  (PID 1460)
                  cmdline: vssadmin.exe delete shadows /all /quiet
                  - Interacts with shadow copies
            C:\Windows\SysWOW64\cmd.exe  (PID 3164)
              cmdline: "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 2476)
                  cmdline: wmic shadowcopy delete
            C:\Windows\SysWOW64\cmd.exe  (PID 3136)
              cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            C:\Windows\SysWOW64\mshta.exe  (PID 732)
              cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            C:\Windows\SysWOW64\cmd.exe  (PID 1772)
              cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\91.exe"
                C:\Windows\SysWOW64\choice.exe  (PID 4144)
                  cmdline: choice /C Y /N /D Y /T 1
        C:\Windows\SysWOW64\cmd.exe  (PID 1416)
          cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Windows\temp\24kzbgji.exe"
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\choice.exe  (PID 1684)
              cmdline: choice /C Y /N /D Y /T 1

C:\Windows\system32\taskkill.exe  (PID 3164)
  cmdline: taskkill /IM cmstp.exe /F
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe  (PID 2056)
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken