Resubmissions
21-04-2021 05:57  210421-6629fr1gja  10
20-04-2021 23:42  210420-mt2kpcnwbx  10
20-04-2021 23:39  210420-4kmcwg1k3a  10
Analysis
max time kernel: 127s
max time network: 124s
platform: windows7_x64
resource: win7v20210410
submitted: 20-04-2021 23:42
Static task: static1
Behavioral task: behavioral1
  Sample: 43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe
  Resource: win10v20210410
General
Target: 43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe
Size: 4.5MB
MD5: 787d10a041bd8d2654b6f14467f123d7
SHA1: 0dc98264957990391bd375a3e9ce9f0e047c1075
SHA256: 43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00
SHA512: dbb450db73b030531b57fb5809b22b60730e13445ff02a032be5abb3668285122564cc1792fc3f44520a434b48656de7a22e931cc35d762a0704078f7021686f
Malware Config
Extracted
C:\Users\Admin\Desktop\RecoveryManual.html
MartinMacDonald1996@protonmail.com
http://lhvqpdydwvtgy2ficsvamluobvonnitji5jgpfvc7c5pj6ci35gurjyd.onion/?cid=c7756a52c92cfb896c41800ac9bbe0c82ec8934d65d09c4b4780f215bbdd154f
Signatures
-
MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1920  file.exe
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes (process: description, ioc):
  file.exe: File renamed C:\Users\Admin\Pictures\UseConvertTo.crw => \??\c:\Users\Admin\Pictures\UseConvertTo.crw.ReadManual.5A595725
  file.exe: File renamed C:\Users\Admin\Pictures\EnableEnter.crw => \??\c:\Users\Admin\Pictures\EnableEnter.crw.ReadManual.5A595725
  file.exe: File renamed C:\Users\Admin\Pictures\MountSync.raw => \??\c:\Users\Admin\Pictures\MountSync.raw.ReadManual.5A595725
  file.exe: File renamed C:\Users\Admin\Pictures\RestartSave.raw => \??\c:\Users\Admin\Pictures\RestartSave.raw.ReadManual.5A595725
  file.exe: File renamed C:\Users\Admin\Pictures\SuspendShow.png => \??\c:\Users\Admin\Pictures\SuspendShow.png.ReadManual.5A595725
  file.exe: File renamed C:\Users\Admin\Pictures\ConvertFromReceive.crw => \??\c:\Users\Admin\Pictures\ConvertFromReceive.crw.ReadManual.5A595725
  file.exe: File renamed C:\Users\Admin\Pictures\HideAdd.tif => \??\c:\Users\Admin\Pictures\HideAdd.tif.ReadManual.5A595725
  file.exe: File renamed C:\Users\Admin\Pictures\PingMeasure.raw => \??\c:\Users\Admin\Pictures\PingMeasure.raw.ReadManual.5A595725
  file.exe: File renamed C:\Users\Admin\Pictures\SaveUpdate.raw => \??\c:\Users\Admin\Pictures\SaveUpdate.raw.ReadManual.5A595725
Drops desktop.ini file(s) 29 IoCs
Processes (process: description, ioc):
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
  file.exe: File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Public\Documents\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Public\Desktop\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Public\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Public\Recorded TV\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Public\Music\Sample Music\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Public\Pictures\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Public\Downloads\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Public\Videos\Sample Videos\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Public\Videos\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Admin\Music\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Public\Libraries\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Public\Music\desktop.ini
  file.exe: File opened for modification \??\c:\Program Files (x86)\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Admin\Links\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Admin\Videos\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Admin\Documents\desktop.ini
  file.exe: File opened for modification \??\c:\Users\Admin\Searches\desktop.ini
  file.exe: File opened for modification \??\c:\Program Files\desktop.ini
Drops file in Program Files directory 64 IoCs
Processes (process: description, ioc):
  file.exe: File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CUPINST.WMF
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM
  file.exe: File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml
  file.exe: File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR31F.GIF
  file.exe: File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png
  file.exe: File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png
  file.exe: File opened for modification \??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03451_.WMF
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG.HXS
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RECS.ICO
  file.exe: File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html
  file.exe: File opened for modification \??\c:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\vlc.mo
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106208.WMF
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152878.WMF
  file.exe: File opened for modification \??\c:\Program Files\Java\jre7\lib\zi\Asia\Irkutsk
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18238_.WMF
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp
  file.exe: File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0324694.WMF
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGDOTS.DPV
  file.exe: File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau
  file.exe: File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar
  file.exe: File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG
  file.exe: File created \??\c:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\RecoveryManual.html
  file.exe: File created \??\c:\Program Files\Java\jre7\lib\zi\America\North_Dakota\RecoveryManual.html
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107026.WMF
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00638_.WMF
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\RecoveryManual.html
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Groove.gif
  file.exe: File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca
  file.exe: File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css
  file.exe: File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-2.png
  file.exe: File opened for modification \??\c:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll
  file.exe: File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qatar
  file.exe: File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\TexturedBlue.css
  file.exe: File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png
  file.exe: File opened for modification \??\c:\Program Files\7-Zip\Lang\pt.txt
  file.exe: File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA
  file.exe: File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf
  file.exe: File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png
  file.exe: File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00369_.WMF
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01160_.WMF
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21311_.GIF
  file.exe: File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png
  file.exe: File opened for modification \??\c:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png
  file.exe: File created \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\RecoveryManual.html
  file.exe: File created \??\c:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\RecoveryManual.html
  file.exe: File opened for modification \??\c:\Program Files\Java\jre7\lib\meta-index
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL093.XML
  file.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\LATIN1.SHP
  file.exe: File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\RecoveryManual.html
  file.exe: File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml
  file.exe: File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml
  file.exe: File opened for modification \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  1072  vssadmin.exe
Modifies Internet Explorer settings
Processes (process: description, ioc):
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive
  IEXPLORE.EXE: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main
  IEXPLORE.EXE: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  IEXPLORE.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom
  iexplore.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain
  iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
  iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E05D02A1-A231-11EB-9FF3-FE3EDAA4A530} = "0"
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  iexplore.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage
  iexplore.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
  iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar
  iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
Modifies registry class 5 IoCs
Processes (process: description, ioc):
  file.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.5A595725\shell\Open\command
  file.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.5A595725
  file.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.5A595725\shell
  file.exe: Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.5A595725\shell\Open
  file.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.5A595725\shell\Open\command\ = "explorer.exe RecoveryManual.html"
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
  pid  process
  744  powershell.exe
  744  powershell.exe
  744  powershell.exe
  744  powershell.exe
  744  powershell.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (description, pid, process):
  Token: SeDebugPrivilege         744   powershell.exe
  Token: SeBackupPrivilege        808   vssvc.exe
  Token: SeRestorePrivilege       808   vssvc.exe
  Token: SeAuditPrivilege         808   vssvc.exe
  Token: SeTakeOwnershipPrivilege 1920  file.exe
  Token: SeRestorePrivilege       1920  file.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid  process
  268  iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
  pid   process
  1920  file.exe
  268   iexplore.exe
  268   iexplore.exe
  912   IEXPLORE.EXE
  912   IEXPLORE.EXE
  912   IEXPLORE.EXE
  912   IEXPLORE.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Processes (description, pid/process, target pid/process):
  PID 1088 (43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe) wrote to memory of 1920 (file.exe)
  PID 1088 (43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe) wrote to memory of 1920 (file.exe)
  PID 1088 (43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe) wrote to memory of 1920 (file.exe)
  PID 1088 (43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe) wrote to memory of 1920 (file.exe)
  PID 1920 (file.exe) wrote to memory of 2004 (splwow64.exe)
  PID 1920 (file.exe) wrote to memory of 2004 (splwow64.exe)
  PID 1920 (file.exe) wrote to memory of 2004 (splwow64.exe)
  PID 1920 (file.exe) wrote to memory of 2004 (splwow64.exe)
  PID 1920 (file.exe) wrote to memory of 744 (powershell.exe)
  PID 1920 (file.exe) wrote to memory of 744 (powershell.exe)
  PID 1920 (file.exe) wrote to memory of 744 (powershell.exe)
  PID 1920 (file.exe) wrote to memory of 744 (powershell.exe)
  PID 744 (powershell.exe) wrote to memory of 1072 (vssadmin.exe)
  PID 744 (powershell.exe) wrote to memory of 1072 (vssadmin.exe)
  PID 744 (powershell.exe) wrote to memory of 1072 (vssadmin.exe)
  PID 744 (powershell.exe) wrote to memory of 1072 (vssadmin.exe)
  PID 1920 (file.exe) wrote to memory of 592 (cmd.exe)
  PID 1920 (file.exe) wrote to memory of 592 (cmd.exe)
  PID 1920 (file.exe) wrote to memory of 592 (cmd.exe)
  PID 1920 (file.exe) wrote to memory of 592 (cmd.exe)
  PID 592 (cmd.exe) wrote to memory of 1196 (attrib.exe)
  PID 592 (cmd.exe) wrote to memory of 1196 (attrib.exe)
  PID 592 (cmd.exe) wrote to memory of 1196 (attrib.exe)
  PID 592 (cmd.exe) wrote to memory of 1196 (attrib.exe)
  PID 268 (iexplore.exe) wrote to memory of 912 (IEXPLORE.EXE)
  PID 268 (iexplore.exe) wrote to memory of 912 (IEXPLORE.EXE)
  PID 268 (iexplore.exe) wrote to memory of 912 (IEXPLORE.EXE)
  PID 268 (iexplore.exe) wrote to memory of 912 (IEXPLORE.EXE)
Views/modifies file attributes 1 TTPs 1 IoCs
Processes (image path, then command line; children indented under their parent)
C:\Users\Admin\AppData\Local\Temp\43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe  "C:\Users\Admin\AppData\Local\Temp\43064ebb9fccce989e8a8ebe2e8ee5df154b55f7b94d933e0cf7dba6ac765f00.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\file.exe  "file.exe"
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe  C:\Windows\splwow64.exe 12288
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -windowstyle hidden -c $mypid='1920';[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\~259275564.tmp')|iex
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\vssadmin.exe  "C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet
        - Interacts with shadow copies
    C:\Windows\SysWOW64\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F7584AA.bat" "C:\Users\Admin\AppData\Local\Temp\file.exe""
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\attrib.exe  attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\file.exe"
        - Views/modifies file attributes
C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files\Internet Explorer\iexplore.exe  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RecoveryManual.html
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\0F7584AA.bat
  MD5: 348cae913e496198548854f5ff2f6d1e
  SHA1: a07655b9020205bd47084afd62a8bb22b48c0cdc
  SHA256: c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
  SHA512: 799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611
C:\Users\Admin\AppData\Local\Temp\file.exe
  MD5: 76f547c793b5478b970c64caf04d01d4
  SHA1: f9eb40f6d3d4c83852e3781886db762bef8564e0
  SHA256: e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037
  SHA512: 91e91a8b693cb253f281411260611a221a113b342eaa642a9d6597aaf86c138ee2aa28ade10218a814ae34016e6d70824e36786497476ab704defddf60e33e17
C:\Users\Admin\AppData\Local\Temp\~259275564.tmp
  MD5: 4e1a1e3e715c291c71950d2fdc79e2be
  SHA1: dc2b3d20a9ec88e0d8d75c5097154687acc42983
  SHA256: acf88b9224ae067d92882d1c8ec1461a663e83f02848488ce125dc0538d87a39
  SHA512: d1be9f6459c248a93c95cc40a68e60ca2fe8068ff4ed5d442437a72bcc09ebf8568e3338d39abebbf3fe8e9e4e3a21a58e1ed6bdbcdd0a3b2ca46b6a81597d80
C:\Users\Admin\Desktop\RecoveryManual.html
  MD5: 32ae5ebcacf924c82f13a7f61322360c
  SHA1: 3f95b7a6a368fdfbe5a03ac72b11c526567cdbae
  SHA256: 9f72c718ef207dc0e99998bc84c02ab8c15ff66ac30bf6426f022d13daa02e05
  SHA512: 86ce9917667843576e470d6cb662a19a3467f4c91260ce101cfc74438cc0b6ab7ea686f02b889d63770be11cb4c04976ce469a7808f7afcb9ffaf05579abb7c2
memory/268-102-0x00000000004F0000-0x0000000000500000-memory.dmp  Filesize: 64KB
memory/592-97-0x0000000000000000-mapping.dmp
memory/744-70-0x00000000753B1000-0x00000000753B3000-memory.dmp  Filesize: 8KB
memory/744-86-0x000000007EF30000-0x000000007EF31000-memory.dmp  Filesize: 4KB
memory/744-72-0x00000000047C0000-0x00000000047C1000-memory.dmp  Filesize: 4KB
memory/744-73-0x0000000002450000-0x0000000002451000-memory.dmp  Filesize: 4KB
memory/744-75-0x0000000000802000-0x0000000000803000-memory.dmp  Filesize: 4KB
memory/744-74-0x0000000000800000-0x0000000000801000-memory.dmp  Filesize: 4KB
memory/744-76-0x0000000005260000-0x0000000005261000-memory.dmp  Filesize: 4KB
memory/744-69-0x0000000000000000-mapping.dmp
memory/744-80-0x0000000005660000-0x0000000005661000-memory.dmp  Filesize: 4KB
memory/744-85-0x0000000005710000-0x0000000005711000-memory.dmp  Filesize: 4KB
memory/744-87-0x0000000006250000-0x0000000006251000-memory.dmp  Filesize: 4KB
memory/744-71-0x0000000001DF0000-0x0000000001DF1000-memory.dmp  Filesize: 4KB
memory/744-94-0x00000000062E0000-0x00000000062E1000-memory.dmp  Filesize: 4KB
memory/744-95-0x0000000006300000-0x0000000006301000-memory.dmp  Filesize: 4KB
memory/912-103-0x0000000000000000-mapping.dmp
memory/1072-96-0x0000000000000000-mapping.dmp
memory/1196-99-0x0000000000000000-mapping.dmp
memory/1920-59-0x0000000000000000-mapping.dmp
memory/1920-68-0x0000000000250000-0x0000000000252000-memory.dmp  Filesize: 8KB
memory/1920-65-0x0000000000260000-0x000000000026F000-memory.dmp  Filesize: 60KB
memory/2004-64-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp  Filesize: 8KB
memory/2004-63-0x0000000000000000-mapping.dmp