Analysis

- max time kernel: 136s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 16-04-2021 12:52

Static task: static1

Behavioral task: behavioral1
- Sample: 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
- Resource: win10v20210410

General

- Target: 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
- Size: 1020KB
- MD5: c250e298e0a349e8d1faeb5ba6f4a853
- SHA1: 71b774aa592ba435eb8260d6f16e36b67c51babe
- SHA256: 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b
- SHA512: 700a09e44e9d2fd092904886e882e8deb5a6d17d34be8575df6367ef729627a180ee62ea59df6457d965fccbe27809895ca83e1e3b8b7e888f752173eba1cbe1
Malware Config
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:

| description | ioc | process |
|---|---|---|
| File renamed | C:\Users\Admin\Pictures\ReadMeasure.tif => C:\Users\Admin\Pictures\ReadMeasure.tif.aBBAEeCaCd | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File renamed | C:\Users\Admin\Pictures\ReceiveTest.tif => C:\Users\Admin\Pictures\ReceiveTest.tif.aBBAEeCaCd | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened for modification | C:\Users\Admin\Pictures\CompareSend.tiff | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File renamed | C:\Users\Admin\Pictures\CompareSend.tiff => C:\Users\Admin\Pictures\CompareSend.tiff.aBBAEeCaCd | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File renamed | C:\Users\Admin\Pictures\ConfirmUndo.tiff => C:\Users\Admin\Pictures\ConfirmUndo.tiff.aBBAEeCaCd | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File renamed | C:\Users\Admin\Pictures\EnterRegister.tiff => C:\Users\Admin\Pictures\EnterRegister.tiff.aBBAEeCaCd | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File renamed | C:\Users\Admin\Pictures\LimitRead.png => C:\Users\Admin\Pictures\LimitRead.png.aBBAEeCaCd | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File renamed | C:\Users\Admin\Pictures\NewUnregister.tif => C:\Users\Admin\Pictures\NewUnregister.tif.aBBAEeCaCd | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File renamed | C:\Users\Admin\Pictures\SuspendInstall.crw => C:\Users\Admin\Pictures\SuspendInstall.crw.aBBAEeCaCd | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File renamed | C:\Users\Admin\Pictures\CompareCheckpoint.tif => C:\Users\Admin\Pictures\CompareCheckpoint.tif.aBBAEeCaCd | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened for modification | C:\Users\Admin\Pictures\ConfirmUndo.tiff | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened for modification | C:\Users\Admin\Pictures\EnterRegister.tiff | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
Loads dropped DLL (3 IoCs)
Processes:

| pid | process |
|---|---|
| 4728 | helper.exe |
| 4728 | helper.exe |
| 4728 | helper.exe |
Checks whether UAC is enabled (1 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
Drops desktop.ini file(s) (1 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:

| description | ioc | process |
|---|---|---|
| File opened (read-only) | \??\T: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\V: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\Y: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\Z: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\H: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\I: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\J: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\M: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\S: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\U: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\X: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\F: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\B: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\E: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\K: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\N: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\P: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\Q: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\A: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\L: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\O: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\R: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\W: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| File opened (read-only) | \??\G: | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | SystemSettings.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | SystemSettings.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 | SystemSettings.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | SystemSettings.exe |
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe |
Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:

| pid | process |
|---|---|
| 3844 | vssadmin.exe |
| 3692 | vssadmin.exe |
| 3700 | vssadmin.exe |
Modifies registry class (2 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | firefox.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | SystemSettings.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:

| description | pid | process |
|---|---|---|
| Token: SeIncreaseQuotaPrivilege | 3728 | wmic.exe |
| Token: SeSecurityPrivilege | 3728 | wmic.exe |
| Token: SeTakeOwnershipPrivilege | 3728 | wmic.exe |
| Token: SeLoadDriverPrivilege | 3728 | wmic.exe |
| Token: SeSystemProfilePrivilege | 3728 | wmic.exe |
| Token: SeSystemtimePrivilege | 3728 | wmic.exe |
| Token: SeProfSingleProcessPrivilege | 3728 | wmic.exe |
| Token: SeIncBasePriorityPrivilege | 3728 | wmic.exe |
| Token: SeCreatePagefilePrivilege | 3728 | wmic.exe |
| Token: SeBackupPrivilege | 3728 | wmic.exe |
| Token: SeRestorePrivilege | 3728 | wmic.exe |
| Token: SeShutdownPrivilege | 3728 | wmic.exe |
| Token: SeDebugPrivilege | 3728 | wmic.exe |
| Token: SeSystemEnvironmentPrivilege | 3728 | wmic.exe |
| Token: SeRemoteShutdownPrivilege | 3728 | wmic.exe |
| Token: SeUndockPrivilege | 3728 | wmic.exe |
| Token: SeManageVolumePrivilege | 3728 | wmic.exe |
| Token: 33 | 3728 | wmic.exe |
| Token: 34 | 3728 | wmic.exe |
| Token: 35 | 3728 | wmic.exe |
| Token: 36 | 3728 | wmic.exe |
| Token: SeBackupPrivilege | 744 | vssvc.exe |
| Token: SeRestorePrivilege | 744 | vssvc.exe |
| Token: SeAuditPrivilege | 744 | vssvc.exe |
| Token: SeIncreaseQuotaPrivilege | 4000 | wmic.exe |
| Token: SeSecurityPrivilege | 4000 | wmic.exe |
| Token: SeTakeOwnershipPrivilege | 4000 | wmic.exe |
| Token: SeLoadDriverPrivilege | 4000 | wmic.exe |
| Token: SeSystemProfilePrivilege | 4000 | wmic.exe |
| Token: SeSystemtimePrivilege | 4000 | wmic.exe |
| Token: SeProfSingleProcessPrivilege | 4000 | wmic.exe |
| Token: SeIncBasePriorityPrivilege | 4000 | wmic.exe |
| Token: SeCreatePagefilePrivilege | 4000 | wmic.exe |
| Token: SeBackupPrivilege | 4000 | wmic.exe |
| Token: SeRestorePrivilege | 4000 | wmic.exe |
| Token: SeShutdownPrivilege | 4000 | wmic.exe |
| Token: SeDebugPrivilege | 4000 | wmic.exe |
| Token: SeSystemEnvironmentPrivilege | 4000 | wmic.exe |
| Token: SeRemoteShutdownPrivilege | 4000 | wmic.exe |
| Token: SeUndockPrivilege | 4000 | wmic.exe |
| Token: SeManageVolumePrivilege | 4000 | wmic.exe |
| Token: 33 | 4000 | wmic.exe |
| Token: 34 | 4000 | wmic.exe |
| Token: 35 | 4000 | wmic.exe |
| Token: 36 | 4000 | wmic.exe |
| Token: SeIncreaseQuotaPrivilege | 2092 | wmic.exe |
| Token: SeSecurityPrivilege | 2092 | wmic.exe |
| Token: SeTakeOwnershipPrivilege | 2092 | wmic.exe |
| Token: SeLoadDriverPrivilege | 2092 | wmic.exe |
| Token: SeSystemProfilePrivilege | 2092 | wmic.exe |
| Token: SeSystemtimePrivilege | 2092 | wmic.exe |
| Token: SeProfSingleProcessPrivilege | 2092 | wmic.exe |
| Token: SeIncBasePriorityPrivilege | 2092 | wmic.exe |
| Token: SeCreatePagefilePrivilege | 2092 | wmic.exe |
| Token: SeBackupPrivilege | 2092 | wmic.exe |
| Token: SeRestorePrivilege | 2092 | wmic.exe |
| Token: SeShutdownPrivilege | 2092 | wmic.exe |
| Token: SeDebugPrivilege | 2092 | wmic.exe |
| Token: SeSystemEnvironmentPrivilege | 2092 | wmic.exe |
| Token: SeRemoteShutdownPrivilege | 2092 | wmic.exe |
| Token: SeUndockPrivilege | 2092 | wmic.exe |
| Token: SeManageVolumePrivilege | 2092 | wmic.exe |
| Token: 33 | 2092 | wmic.exe |
| Token: 34 | 2092 | wmic.exe |
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:

| pid | process |
|---|---|
| 3260 | firefox.exe |
| 3260 | firefox.exe |
| 3260 | firefox.exe |
| 3260 | firefox.exe |

Suspicious use of SendNotifyMessage (3 IoCs)
Processes:

| pid | process |
|---|---|
| 3260 | firefox.exe |
| 3260 | firefox.exe |
| 3260 | firefox.exe |

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:

| pid | process |
|---|---|
| 3260 | firefox.exe |
| 4872 | SystemSettings.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 3 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe |
Processes

- Process: C:\Users\Admin\AppData\Local\Temp\033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\033f4aaa2ca181597644ae7d2f883e05c2d9eea669f71117a312cfd591303c4b.bin.sample.exe"
  Signatures:
  - Modifies extensions of user files
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
  - Process: C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
  - Process: C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures:
    - Interacts with shadow copies
  - Process: C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
  - Process: C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures:
    - Interacts with shadow copies
  - Process: C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
  - Process: C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures:
    - Interacts with shadow copies

- Process: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken

- Process: C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - Process: C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures:
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - Process: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3260.0.938960621\1284522765" -parentBuildID 20200403170909 -prefsHandle 1496 -prefMapHandle 1488 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3260 "\\.\pipe\gecko-crash-server-pipe.3260" 1580 gpu
    - Process: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3260.3.609094933\1335136079" -childID 1 -isForBrowser -prefsHandle 2308 -prefMapHandle 2264 -prefsLen 122 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3260 "\\.\pipe\gecko-crash-server-pipe.3260" 1496 tab
    - Process: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3260.13.2100427919\244838590" -childID 2 -isForBrowser -prefsHandle 3472 -prefMapHandle 3468 -prefsLen 6979 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3260 "\\.\pipe\gecko-crash-server-pipe.3260" 3488 tab
    - Process: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3260.20.520111439\1851346064" -childID 3 -isForBrowser -prefsHandle 4664 -prefMapHandle 4276 -prefsLen 7750 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3260 "\\.\pipe\gecko-crash-server-pipe.3260" 2772 tab
    - Process: C:\Program Files\Mozilla Firefox\uninstall\helper.exe
      Command line: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppUser
      Signatures:
      - Loads dropped DLL

- Process: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
  Command line: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
  Signatures:
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

- Process: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- \Users\Admin\AppData\Local\Temp\nsn679A.tmp\CityHash.dll
  - MD5: 737379945745bb94f8a0dadcc18cad8d
  - SHA1: 6a1f497b4dc007f5935b66ec83b00e5a394332c6
  - SHA256: d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a
  - SHA512: c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22
- \Users\Admin\AppData\Local\Temp\nsn679A.tmp\System.dll
  - MD5: 17ed1c86bd67e78ade4712be48a7d2bd
  - SHA1: 1cc9fe86d6d6030b4dae45ecddce5907991c01a0
  - SHA256: bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
  - SHA512: 0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5
- memory/2092-118-0x0000000000000000-mapping.dmp
- memory/3260-120-0x0000000000000000-mapping.dmp
- memory/3692-119-0x0000000000000000-mapping.dmp
- memory/3692-122-0x0000000000000000-mapping.dmp
- memory/3700-115-0x0000000000000000-mapping.dmp
- memory/3728-114-0x0000000000000000-mapping.dmp
- memory/3776-127-0x0000000000000000-mapping.dmp
- memory/3844-117-0x0000000000000000-mapping.dmp
- memory/4000-116-0x0000000000000000-mapping.dmp
- memory/4192-130-0x0000000000000000-mapping.dmp
- memory/4632-132-0x0000000000000000-mapping.dmp
- memory/4728-133-0x0000000000000000-mapping.dmp
- memory/4728-137-0x00000000027E0000-0x00000000027EF000-memory.dmp (Filesize: 60KB)