Analysis Overview
SHA256
2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7
Threat Level: Known bad
The file 2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Pony,Fareit
CrypVault
Deletes shadow copies
Modifies boot configuration data using bcdedit
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Modifies Internet Explorer settings
Enumerates system info in registry
Checks processor information in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-04-26 15:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-04-26 15:07
Reported
2021-04-26 15:09
Platform
win7v20210410
Max time kernel
100s
Max time network
25s
Command Line
Signatures
CrypVault
Pony,Fareit
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe |
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1552 set thread context of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe
"C:\Users\Admin\AppData\Local\Temp\2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo 75BB576D00D3EF97
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\75BB57" 7za.exe
C:\Users\Admin\AppData\Local\Temp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\6D00D3EF97" -y -p6D00D3EF97
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.doc"
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
"C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe"
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"
C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | gruzdom.ru | udp |
| N/A | 92.53.96.146:80 | gruzdom.ru | tcp |
| N/A | 92.53.96.146:80 | gruzdom.ru | tcp |
| N/A | 92.53.96.146:80 | gruzdom.ru | tcp |
| N/A | 92.53.96.146:80 | gruzdom.ru | tcp |
Files
memory/1116-60-0x00000000767B1000-0x00000000767B3000-memory.dmp
memory/1928-61-0x0000000000000000-mapping.dmp
memory/1736-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\75BB57
| MD5 | 42badc1d2f03a8b1e4875740d3d49336 |
| SHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 |
| SHA256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf |
| SHA512 | 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c |
\Users\Admin\AppData\Local\Temp\7za.exe
| MD5 | 42badc1d2f03a8b1e4875740d3d49336 |
| SHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 |
| SHA256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf |
| SHA512 | 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c |
\Users\Admin\AppData\Local\Temp\7za.exe
| MD5 | 42badc1d2f03a8b1e4875740d3d49336 |
| SHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 |
| SHA256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf |
| SHA512 | 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c |
memory/1840-66-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7za.exe
| MD5 | 42badc1d2f03a8b1e4875740d3d49336 |
| SHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 |
| SHA256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf |
| SHA512 | 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c |
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97
| MD5 | a82e6e7bdd70c5dfee83d81cc058ff2f |
| SHA1 | bf8b01db4438f47496d3a0d7ece317010d6043db |
| SHA256 | d815ad574ddf564e04b4cce7033769151d5f6b81f18c7d05d948c2c312b87abb |
| SHA512 | ccfaa80d5621243e9367ffa23afaac11314c88e9f51e5bae98b67cdef0388e713ee40a9550af5347bbc9b17d41ba8471d17ed9748a167adf30d7dc325cad7620 |
memory/1656-69-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
| MD5 | 2e884f5dbeadeed885ec040e239fb7b1 |
| SHA1 | 5ad96bbedd9260ed0d14b914713d58e7bfd09b97 |
| SHA256 | 4b366fbf4ab85d6007d9edee1a8a4ded620797599cf81c05638e221e21cc8cd4 |
| SHA512 | 2e22ef1d67aab58ec9159dbf56817ff989c53d3572ab229833f52b9fbf1a08f18671fdda8ff6064d80aa2d9a3f45717e42e71958bcb24d2ba6975317aa1420de |
\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
| MD5 | 2e884f5dbeadeed885ec040e239fb7b1 |
| SHA1 | 5ad96bbedd9260ed0d14b914713d58e7bfd09b97 |
| SHA256 | 4b366fbf4ab85d6007d9edee1a8a4ded620797599cf81c05638e221e21cc8cd4 |
| SHA512 | 2e22ef1d67aab58ec9159dbf56817ff989c53d3572ab229833f52b9fbf1a08f18671fdda8ff6064d80aa2d9a3f45717e42e71958bcb24d2ba6975317aa1420de |
memory/1552-73-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
| MD5 | 2e884f5dbeadeed885ec040e239fb7b1 |
| SHA1 | 5ad96bbedd9260ed0d14b914713d58e7bfd09b97 |
| SHA256 | 4b366fbf4ab85d6007d9edee1a8a4ded620797599cf81c05638e221e21cc8cd4 |
| SHA512 | 2e22ef1d67aab58ec9159dbf56817ff989c53d3572ab229833f52b9fbf1a08f18671fdda8ff6064d80aa2d9a3f45717e42e71958bcb24d2ba6975317aa1420de |
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
| MD5 | 2e884f5dbeadeed885ec040e239fb7b1 |
| SHA1 | 5ad96bbedd9260ed0d14b914713d58e7bfd09b97 |
| SHA256 | 4b366fbf4ab85d6007d9edee1a8a4ded620797599cf81c05638e221e21cc8cd4 |
| SHA512 | 2e22ef1d67aab58ec9159dbf56817ff989c53d3572ab229833f52b9fbf1a08f18671fdda8ff6064d80aa2d9a3f45717e42e71958bcb24d2ba6975317aa1420de |
memory/1656-75-0x0000000072D71000-0x0000000072D74000-memory.dmp
memory/1656-76-0x0000000070511000-0x0000000070513000-memory.dmp
\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
| MD5 | 2e884f5dbeadeed885ec040e239fb7b1 |
| SHA1 | 5ad96bbedd9260ed0d14b914713d58e7bfd09b97 |
| SHA256 | 4b366fbf4ab85d6007d9edee1a8a4ded620797599cf81c05638e221e21cc8cd4 |
| SHA512 | 2e22ef1d67aab58ec9159dbf56817ff989c53d3572ab229833f52b9fbf1a08f18671fdda8ff6064d80aa2d9a3f45717e42e71958bcb24d2ba6975317aa1420de |
memory/1700-80-0x0000000000418820-mapping.dmp
memory/1700-79-0x0000000000400000-0x0000000000E28000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
| MD5 | 2e884f5dbeadeed885ec040e239fb7b1 |
| SHA1 | 5ad96bbedd9260ed0d14b914713d58e7bfd09b97 |
| SHA256 | 4b366fbf4ab85d6007d9edee1a8a4ded620797599cf81c05638e221e21cc8cd4 |
| SHA512 | 2e22ef1d67aab58ec9159dbf56817ff989c53d3572ab229833f52b9fbf1a08f18671fdda8ff6064d80aa2d9a3f45717e42e71958bcb24d2ba6975317aa1420de |
memory/1552-83-0x0000000000360000-0x0000000000365000-memory.dmp
memory/1656-85-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1700-84-0x0000000000400000-0x000000000041A000-memory.dmp
C:\Documents and Settings\Admin\AppData\Local\Temp\6D00D3EF97.doc
| MD5 | efcd0a5ec6bb1d981333bf9dea7a72ee |
| SHA1 | b9ca0a20adcf6c69dd626e0de86468e4a5514fe3 |
| SHA256 | 718e07ae563bcf629616ac3f056930e804af88e38377b98629ba60257f666699 |
| SHA512 | dd41d489164891a5c8c2c582f77f6b8c8b54360849ec38b7af0fec4b28137172a4ef9cc2fe6eb10726431152751f3affbc1dd19671bff841742404d809180457 |
C:\Documents and Settings\Admin\Local Settings\Temp\~$00D3EF97.doc
| MD5 | 4e78ead0f1a8320989b5d6bd15148a15 |
| SHA1 | 4bed957b5a72e3c271b06861bedce157d08daac4 |
| SHA256 | 5fae62e4d098f94d0f19fbe8bd56aac8b61599d82401181ca5bd1b647acad754 |
| SHA512 | aa824417f6a4370b5ce2251f671e720aa3239bb837aa8d7273d7b4c3bc71e128d2bdb859180bf2eb7d7ee3175177cf1680c8686590f2e27336518257139ca33b |
memory/1168-88-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\VAULT.hta
| MD5 | 1cf60361078e1c2f1219d27c4b3e760c |
| SHA1 | 08d350d205da687672b13e22b253932dd1708e75 |
| SHA256 | c2d9c1bd8bb434dffd5ebbd0e8020ee73123f2e8134b19cbde4b6458f0d05a43 |
| SHA512 | 90f973c08c663dc7ca8575196ca2d6939bbeb9e1943268e8c8bae3b5cd895e85f654726924c86a0f1ffca4830f05c75ac6e80b44d4adeff345e9ff2cacaacccb |
memory/384-90-0x0000000000000000-mapping.dmp
memory/1840-91-0x0000000000000000-mapping.dmp
memory/2060-92-0x0000000000000000-mapping.dmp
memory/2072-93-0x0000000000000000-mapping.dmp
memory/2104-94-0x0000000000000000-mapping.dmp
memory/2104-95-0x000007FEFC301000-0x000007FEFC303000-memory.dmp
memory/1656-96-0x000000005FFF0000-0x0000000060000000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-04-26 15:07
Reported
2021-04-26 15:09
Platform
win10v20210408
Max time kernel
115s
Max time network
135s
Command Line
Signatures
CrypVault
Pony,Fareit
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe |
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 844 set thread context of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe
"C:\Users\Admin\AppData\Local\Temp\2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo 75BB576D00D3EF97
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\75BB57" 7za.exe
C:\Users\Admin\AppData\Local\Temp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\6D00D3EF97" -y -p6D00D3EF97
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.doc" /o ""
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
"C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe"
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | gruzdom.ru | udp |
| N/A | 92.53.96.146:80 | gruzdom.ru | tcp |
| N/A | 92.53.96.146:80 | gruzdom.ru | tcp |
| N/A | 92.53.96.146:80 | gruzdom.ru | tcp |
| N/A | 92.53.96.146:80 | gruzdom.ru | tcp |
Files
memory/3220-114-0x0000000000000000-mapping.dmp
memory/1220-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\75BB57
| MD5 | 42badc1d2f03a8b1e4875740d3d49336 |
| SHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 |
| SHA256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf |
| SHA512 | 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c |
memory/576-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7za.exe
| MD5 | 42badc1d2f03a8b1e4875740d3d49336 |
| SHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 |
| SHA256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf |
| SHA512 | 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c |
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97
| MD5 | a82e6e7bdd70c5dfee83d81cc058ff2f |
| SHA1 | bf8b01db4438f47496d3a0d7ece317010d6043db |
| SHA256 | d815ad574ddf564e04b4cce7033769151d5f6b81f18c7d05d948c2c312b87abb |
| SHA512 | ccfaa80d5621243e9367ffa23afaac11314c88e9f51e5bae98b67cdef0388e713ee40a9550af5347bbc9b17d41ba8471d17ed9748a167adf30d7dc325cad7620 |
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.doc
| MD5 | efcd0a5ec6bb1d981333bf9dea7a72ee |
| SHA1 | b9ca0a20adcf6c69dd626e0de86468e4a5514fe3 |
| SHA256 | 718e07ae563bcf629616ac3f056930e804af88e38377b98629ba60257f666699 |
| SHA512 | dd41d489164891a5c8c2c582f77f6b8c8b54360849ec38b7af0fec4b28137172a4ef9cc2fe6eb10726431152751f3affbc1dd19671bff841742404d809180457 |
memory/3168-121-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
| MD5 | 2e884f5dbeadeed885ec040e239fb7b1 |
| SHA1 | 5ad96bbedd9260ed0d14b914713d58e7bfd09b97 |
| SHA256 | 4b366fbf4ab85d6007d9edee1a8a4ded620797599cf81c05638e221e21cc8cd4 |
| SHA512 | 2e22ef1d67aab58ec9159dbf56817ff989c53d3572ab229833f52b9fbf1a08f18671fdda8ff6064d80aa2d9a3f45717e42e71958bcb24d2ba6975317aa1420de |
memory/844-123-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
| MD5 | 2e884f5dbeadeed885ec040e239fb7b1 |
| SHA1 | 5ad96bbedd9260ed0d14b914713d58e7bfd09b97 |
| SHA256 | 4b366fbf4ab85d6007d9edee1a8a4ded620797599cf81c05638e221e21cc8cd4 |
| SHA512 | 2e22ef1d67aab58ec9159dbf56817ff989c53d3572ab229833f52b9fbf1a08f18671fdda8ff6064d80aa2d9a3f45717e42e71958bcb24d2ba6975317aa1420de |
memory/3428-125-0x0000000000400000-0x0000000000E28000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
| MD5 | 2e884f5dbeadeed885ec040e239fb7b1 |
| SHA1 | 5ad96bbedd9260ed0d14b914713d58e7bfd09b97 |
| SHA256 | 4b366fbf4ab85d6007d9edee1a8a4ded620797599cf81c05638e221e21cc8cd4 |
| SHA512 | 2e22ef1d67aab58ec9159dbf56817ff989c53d3572ab229833f52b9fbf1a08f18671fdda8ff6064d80aa2d9a3f45717e42e71958bcb24d2ba6975317aa1420de |
memory/3428-126-0x0000000000418820-mapping.dmp
memory/3428-129-0x0000000000400000-0x000000000041A000-memory.dmp
memory/844-128-0x00000000009E0000-0x00000000009E5000-memory.dmp
memory/3168-130-0x00007FF882460000-0x00007FF882470000-memory.dmp
memory/3168-131-0x00007FF882460000-0x00007FF882470000-memory.dmp
memory/3168-132-0x00007FF882460000-0x00007FF882470000-memory.dmp
memory/3168-133-0x00007FF882460000-0x00007FF882470000-memory.dmp
memory/3168-135-0x00007FF882460000-0x00007FF882470000-memory.dmp
memory/1128-136-0x0000000000000000-mapping.dmp
memory/1188-137-0x0000000000000000-mapping.dmp
memory/3168-134-0x00007FF8A3000000-0x00007FF8A5B23000-memory.dmp
C:\Users\Admin\Desktop\VAULT.hta
| MD5 | 1cf60361078e1c2f1219d27c4b3e760c |
| SHA1 | 08d350d205da687672b13e22b253932dd1708e75 |
| SHA256 | c2d9c1bd8bb434dffd5ebbd0e8020ee73123f2e8134b19cbde4b6458f0d05a43 |
| SHA512 | 90f973c08c663dc7ca8575196ca2d6939bbeb9e1943268e8c8bae3b5cd895e85f654726924c86a0f1ffca4830f05c75ac6e80b44d4adeff345e9ff2cacaacccb |
memory/1544-142-0x0000000000000000-mapping.dmp
memory/3168-141-0x00007FF89DD70000-0x00007FF89EE5E000-memory.dmp
memory/3168-143-0x00007FF89BB20000-0x00007FF89DA15000-memory.dmp
memory/3292-144-0x0000000000000000-mapping.dmp
memory/796-145-0x0000000000000000-mapping.dmp