Analysis
- max time kernel: 154s
- max time network: 157s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 04-05-2021 20:38
Behavioral task: behavioral1
Sample: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
Resource: win7v20210408
General
- Target: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
- Size: 13.9MB
- MD5: ec2c59967ea1ba9fdbeaa79e41ee0c94
- SHA1: 9ff11413e265839c6994d473146ae5cf1c3cf256
- SHA256: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479
- SHA512: 3bf9d5e84d71f3f00425dd4a47e3a1838866d2d887490484610322a562849120d90e173051de6fbe0f8c72062232a42038ded2d28922cb804c654a00c5fbbe94
Malware Config
Signatures
- XMRig Miner Payload 1 IoCs
  Processes: resource C:\Windows\svchost.exe matched yara_rule xmrig
- Executes dropped EXE 1 IoCs
  Processes: pid 3920, svchost.exe
- Sets file execution options in registry 2 TTPs
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation (5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe)
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe" (5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe)
- Checks whether UAC is enabled
  Processes: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe)
- Drops file in System32 directory 64 IoCs
- Drops file in Program Files directory 64 IoCs
- Drops file in Windows directory 64 IoCs
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class 1 IoCs
  Processes: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance (5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe)
- Suspicious use of AdjustPrivilegeToken 6 IoCs
  Processes: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe, svchost.exe
  Token: SeDebugPrivilege, pid 664, 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
  Token: 33, pid 664, 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
  Token: SeIncBasePriorityPrivilege, pid 664, 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
  Token: SeIncBasePriorityPrivilege, pid 3920, svchost.exe
  Token: SeLockMemoryPrivilege, pid 3920, svchost.exe
  Token: SeLockMemoryPrivilege, pid 3920, svchost.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes: pid 664, 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
- Suspicious use of WriteProcessMemory 2 IoCs
  Processes: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
  PID 664 wrote to memory of 3920: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe -> svchost.exe
  PID 664 wrote to memory of 3920: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe -> svchost.exe
- System policy modification 1 TTPs 2 IoCs
  Processes: 5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system (5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe (process tree level 1; command line: "C:\Users\Admin\AppData\Local\Temp\5bdb6537aeb8f84e02475e8c55ef2bc1749bd89537e53339e30bd548d68e0479.exe")
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
- C:\Windows\svchost.exe (process tree level 2; command line: "C:\Windows\svchost.exe")
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\config.json
  MD5: 88c5c5706d2e237422eda18490dc6a59
  SHA1: bb8d12375f6b995301e756de2ef4fa3a3f6efd39
  SHA256: 4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
  SHA512: a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7
- C:\Windows\svchost.exe
  MD5: 4a87a4d6677558706db4afaeeeb58d20
  SHA1: 7738dc6a459f8415f0265d36c626b48202cd6764
  SHA256: 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
  SHA512: bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594
- memory/3920-114-0x0000000000000000-mapping.dmp