Analysis
max time kernel: 152s
max time network: 156s
platform: windows7_x64
resource: win7v20210410
submitted: 05-05-2021 08:06

Behavioral task: behavioral1
Sample: c0ad70f9_by_Libranalysis.exe
Resource: win7v20210410
General
Target: c0ad70f9_by_Libranalysis.exe
Size: 12.3MB
MD5: c0ad70f9c2b3620dd629c84220f06181
SHA1: 74459e1ef6e7b892ac1a68a222e36263ebcd01db
SHA256: 4b9afe0a9750dec2d7dc5191281107337cfd58514cc45c794f00827db79df003
SHA512: aa01d45f51000177d2bf6034c2ebaacc4309a858f2148845acb67fe4ba582c7adc48aac4cc89437cecb5b4d794304c30d3cdfdfe163743ce5c4cb6e38cad7f91
Malware Config
Signatures
XMRig Miner Payload 1 IoCs
Processes:
- resource C:\Windows\svchost.exe matched yara_rule xmrig

Executes dropped EXE 1 IoCs
Processes:
- svchost.exe (PID 1484)
Sets file execution options in registry 2 TTPs
(no IoC rows recorded)

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
(no IoC rows recorded)
Adds Run key to start application 2 TTPs 1 IoCs
Processes: c0ad70f9_by_Libranalysis.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c0ad70f9_by_Libranalysis.exe"
Note: the value is named "svchost" but points back at the original sample in %TEMP%, not at the dropped C:\Windows\svchost.exe. The key landed under Wow6432Node, which together with the SysWOW64 writes below indicates a 32-bit process running under WOW64 on this x64 host.

Checks whether UAC is enabled 1 IoCs
Processes: c0ad70f9_by_Libranalysis.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Note: the signature name understates this; writing EnableLUA = 0 turns UAC off (it takes full effect at the next logon), it does not merely read the setting. The same write is listed again under "System policy modification".
Drops file in System32 directory 64 IoCs
Processes: c0ad70f9_by_Libranalysis.exe (every row below is "File created" by this process)
Note: all 64 targets are existing Windows binaries (SysWOW64 plus one driver-store service binary), yet the sandbox reports them as created rather than opened for modification, i.e. the sample re-creates them under their original names. Treat each listed binary as untrusted until its hash is compared with a clean install. All three "Drops file" signatures stop at exactly 64 rows, so these lists are almost certainly truncated by the report rather than complete.
- C:\Windows\SysWOW64\SyncHost.exe
- C:\Windows\SysWOW64\timeout.exe
- C:\Windows\SysWOW64\typeperf.exe
- C:\Windows\SysWOW64\regedit.exe
- C:\Windows\SysWOW64\at.exe
- C:\Windows\SysWOW64\certutil.exe
- C:\Windows\SysWOW64\odbcconf.exe
- C:\Windows\SysWOW64\rasphone.exe
- C:\Windows\SysWOW64\Mystify.scr
- C:\Windows\SysWOW64\diskcomp.com
- C:\Windows\SysWOW64\cliconfg.exe
- C:\Windows\SysWOW64\makecab.exe
- C:\Windows\SysWOW64\ocsetup.exe
- C:\Windows\SysWOW64\pcaui.exe
- C:\Windows\SysWOW64\xpsrchvw.exe
- C:\Windows\SysWOW64\dpnsvr.exe
- C:\Windows\SysWOW64\MuiUnattend.exe
- C:\Windows\SysWOW64\wevtutil.exe
- C:\Windows\SysWOW64\wowreg32.exe
- C:\Windows\SysWOW64\IME\IMEJP10\IMJPUEX.EXE
- C:\Windows\SysWOW64\RMActivate_isv.exe
- C:\Windows\SysWOW64\sbunattend.exe
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\cmstp.exe
- C:\Windows\SysWOW64\control.exe
- C:\Windows\SysWOW64\ipconfig.exe
- C:\Windows\SysWOW64\nslookup.exe
- C:\Windows\SysWOW64\proquota.exe
- C:\Windows\SysWOW64\winrs.exe
- C:\Windows\SysWOW64\TSTheme.exe
- C:\Windows\SysWOW64\UserAccountControlSettings.exe
- C:\Windows\SysWOW64\wininit.exe
- C:\Windows\SysWOW64\bitsadmin.exe
- C:\Windows\SysWOW64\driverquery.exe
- C:\Windows\SysWOW64\mcbuilder.exe
- C:\Windows\SysWOW64\newdev.exe
- C:\Windows\SysWOW64\printui.exe
- C:\Windows\SysWOW64\dllhst3g.exe
- C:\Windows\SysWOW64\netbtugc.exe
- C:\Windows\SysWOW64\wecutil.exe
- C:\Windows\SysWOW64\com\comrepl.exe
- C:\Windows\SysWOW64\autochk.exe
- C:\Windows\SysWOW64\chcp.com
- C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\vmicsvc.exe
- C:\Windows\SysWOW64\AtBroker.exe
- C:\Windows\SysWOW64\auditpol.exe
- C:\Windows\SysWOW64\cmmon32.exe
- C:\Windows\SysWOW64\dnscacheugc.exe
- C:\Windows\SysWOW64\sdiagnhost.exe
- C:\Windows\SysWOW64\hdwwiz.exe
- C:\Windows\SysWOW64\ROUTE.EXE
- C:\Windows\SysWOW64\unregmp2.exe
- C:\Windows\SysWOW64\SetIEInstalledDate.exe
- C:\Windows\SysWOW64\secinit.exe
- C:\Windows\SysWOW64\WerFaultSecure.exe
- C:\Windows\SysWOW64\cttune.exe
- C:\Windows\SysWOW64\extrac32.exe
- C:\Windows\SysWOW64\gpupdate.exe
- C:\Windows\SysWOW64\Magnify.exe
- C:\Windows\SysWOW64\PkgMgr.exe
- C:\Windows\SysWOW64\verifier.exe
- C:\Windows\SysWOW64\DevicePairingWizard.exe
- C:\Windows\SysWOW64\diskraid.exe
- C:\Windows\SysWOW64\ieUnatt.exe
Drops file in Program Files directory 64 IoCs
Processes: c0ad70f9_by_Libranalysis.exe (acting process for every row)
Note: the targets are existing .exe files of third-party software (7-Zip, Java, Office, Adobe, VLC, Firefox) and existing .htm/.html files (Office Groove forms, Java Mission Control license pages, the VLC web interface, Sidebar gadgets). Rewriting both executables and HTML across unrelated products is a file-infector pattern rather than the behaviour of a plain miner dropper, so the miner payload is best treated as riding on an infecting component; every listed file needs its hash checked before it is trusted again.
- File created: C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html
- File opened for modification: C:\Program Files\7-Zip\7zG.exe
- File opened for modification: C:\Program Files\Java\jre7\bin\ktab.exe
- File created: C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm
- File created: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\vlm.html
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html
- File opened for modification: C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
- File opened for modification: C:\Program Files\Java\jre7\Welcome.html
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
- File created: C:\Program Files\Windows Media Player\wmprph.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html
- File opened for modification: C:\Program Files\Java\jre7\bin\rmid.exe
- File opened for modification: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
- File created: C:\Program Files\Windows Media Player\wmpshare.exe
- File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html
- File created: C:\Program Files (x86)\Windows Media Player\wmpenc.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html
- File opened for modification: C:\Program Files\Java\jre7\bin\tnameserv.exe
- File opened for modification: C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
- File created: C:\Program Files\Windows Journal\PDIALOG.exe
- File opened for modification: C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
- File created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html
- File created: C:\Program Files\Windows Mail\wab.exe
- File created: C:\Program Files\Windows Media Player\wmpenc.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html
- File created: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html
- File opened for modification: C:\Program Files\Java\jre7\bin\jp2launcher.exe
- File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
- File opened for modification: C:\Program Files\Java\jre7\bin\servertool.exe
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\mobile.html
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE
- File created: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html
- File opened for modification: C:\Program Files\7-Zip\7z.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html
Drops file in Windows directory 64 IoCs
Processes: c0ad70f9_by_Libranalysis.exe (acting process for every row)
Note: the writes reach the WinSxS component store (including its Backup and Temp\PendingRenames subdirectories), the .NET framework directories and the native-image cache, and even the backup copy of the 32-bit kernel (ntkrnlpa.exe). SFC and DISM repair files from WinSxS, so on an infected host those repair sources can no longer be trusted; the practical remediation is to reimage rather than to delete the listed files.
- File created: C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-9.htm
- File opened for modification: C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe
- File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16428_none_7b0d6f67c2d3f97a\iexplore.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_6.1.7600.16385_none_a044d905576812d4\odbcad32.exe
- File created: C:\Windows\winsxs\wow64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_df7c5af777ec4541\drvinst.exe
- File created: C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7601.17514_none_16699919077609d2\taskmgr.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehrec_31bf3856ad364e35_6.1.7600.16385_none_a6e882bc6eb8ea53\ehrec.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_d911df4e81059b22\subst.exe
- File created: C:\Windows\winsxs\Backup\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_6e30004a126a8db7_ntkrnlpa.exe_165c312a
- File created: C:\Windows\winsxs\wow64_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7601.17514_none_37575b7e71a86712\sidebar.exe
- File created: C:\Windows\winsxs\wow64_microsoft-windows-tzutil_31bf3856ad364e35_6.1.7601.17514_none_9cbe849a4e275c84\tzutil.exe
- File created: C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7fddcd6a1ab604da\clock.html
- File created: C:\Windows\winsxs\x86_microsoft-windows-makecab_31bf3856ad364e35_6.1.7600.16385_none_f0a5d809ca926e4f\makecab.exe
- File created: C:\Windows\winsxs\x86_microsoft-windows-s..pertiescomputername_31bf3856ad364e35_6.1.7600.16385_none_304988749d91936f\SystemPropertiesComputerName.exe
- File created: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
- File created: C:\Windows\winsxs\amd64_brmfcmf.inf_31bf3856ad364e35_6.1.7600.16385_none_6f8740b92fea8e01\BrmfRsmg.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-netcfg_31bf3856ad364e35_6.1.7600.16385_none_6c23cd5f6b2a8dbc\netcfg.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\tskill.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_288b7acec3a75696\wsmprovhost.exe
- File created: C:\Windows\winsxs\amd64_netfx35linq-addinprocess_31bf3856ad364e35_6.1.7601.17514_none_8ebd3037635a8b2f\AddInProcess.exe
- File created: C:\Windows\winsxs\x86_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_6.1.7600.16385_none_02aa6dd4294b8d5f\shutdown.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-security-secedit_31bf3856ad364e35_6.1.7600.16385_none_0adc1fc1cb6f944b\SecEdit.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_6.1.7600.16385_none_f5b8f3d6a353fa89\SnippingTool.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-wmi-snmp-provider_31bf3856ad364e35_6.1.7601.17514_none_08e183f8dd5f48b7\smi2smir.exe
- File created: C:\Windows\winsxs\x86_microsoft-windows-bootconfig_31bf3856ad364e35_6.1.7600.16385_none_0becd32d7b9ba9e5\bootcfg.exe
- File created: C:\Windows\winsxs\x86_microsoft-windows-diskraid_31bf3856ad364e35_6.1.7601.17514_none_67910dfbf63c4aae\diskraid.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.1.7601.17514_none_ab379671230b963f\bitsadmin.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-diantz_31bf3856ad364e35_6.1.7600.16385_none_02bb0612dc529329\diantz.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-peertopeercollab_31bf3856ad364e35_6.1.7600.16385_none_f32a402a46d391f3\p2phost.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-s..opertiesperformance_31bf3856ad364e35_6.1.7600.16385_none_b6cb9ed71c8b43d5\SystemPropertiesPerformance.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-setupapi_31bf3856ad364e35_6.1.7601.17514_none_931b5f1fdcdd6496\wowreg32.exe
- File created: C:\Windows\winsxs\x86_netfx-clrgc_b03f5f7f11d50a3a_6.1.7601.17514_none_f5276fe6b5adf276\clrgc.exe
- File created: C:\Windows\winsxs\x86_microsoft-windows-runas_31bf3856ad364e35_6.1.7600.16385_none_5fbe9f67bec0f818\runas.exe
- File opened for modification: C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7601.17514_none_4b57445488ba33fd\IMJPUEX.EXE
- File created: C:\Windows\winsxs\amd64_microsoft-windows-ie-iediag_31bf3856ad364e35_11.2.9600.16428_none_f937400aa65f97cc\iediagcmd.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-security-vault_31bf3856ad364e35_6.1.7600.16385_none_4d5e025e54ba15f8\VaultSysUi.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\query.exe
- File created: C:\Windows\winsxs\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81\iscsicli.exe
- File created: C:\Windows\winsxs\x86_microsoft-windows-ie-iecleanup_31bf3856ad364e35_11.2.9600.16428_none_441eccc2f13eab51\iecleanup.exe
- File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
- File opened for modification: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
- File created: C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-getmac_31bf3856ad364e35_6.1.7600.16385_none_67f38861bbac1910\getmac.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-ieinstal_31bf3856ad364e35_11.2.9600.16428_none_caf2ec2ca6b08f27\ieinstal.exe
- File created: C:\Windows\winsxs\wow64_microsoft-windows-gpowershell-exe_31bf3856ad364e35_6.1.7600.16385_none_9edabb9befc6e697\powershell_ise.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\wmplayer.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-unattendedjoin_31bf3856ad364e35_6.1.7601.17514_none_113aea0e8374286d\djoin.exe
- File created: C:\Windows\winsxs\x86_microsoft-windows-d..ing-management-core_31bf3856ad364e35_6.1.7601.17514_none_2d3b8ff08901343f\DismHost.exe
- File created: C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d158ae10876efd6d\currency.html
- File created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-eventcollector_31bf3856ad364e35_6.1.7601.22252_none_598fe67da49281af\wecutil.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7601.17514_none_6e88c3faa2049408\WmiPrvSE.exe
- File created: C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7600.16385_none_ce6f64032560fa6b\user.exe
- File created: C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_6e30004a126a8db7\ntkrnlpa.exe
- File opened for modification: C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\0b4d4e172e8054cb61d27f5ab9e0e445\SMSvcHost.ni.exe
- File created: C:\Windows\servicing\GC64\tzupd.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-i..devicescontrolpanel_31bf3856ad364e35_6.1.7600.16385_none_8094bd7b62d2b435\ImagingDevices.exe
- File created: C:\Windows\winsxs\amd64_msbuild_b03f5f7f11d50a3a_3.5.7601.17514_none_ea8ca0c25e350957\MSBuild.exe
- File created: C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_73e472e09a1a05d1\wmpshare.exe
- File created: C:\Windows\winsxs\amd64_microsoft-windows-ehome-mcglidhost_31bf3856ad364e35_6.1.7600.16385_none_05a2b72417ec1c6a\mcGlidHost.exe
- File created: C:\Windows\winsxs\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_6.1.7601.17514_none_c910d80f114e267a_vds.exe_cb461c29
- File created: C:\Windows\winsxs\Temp\PendingRenames\f092b847da2dd701ee090000d8030809.amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_7.2.7601.16406_none_b884f02b3738aab4_winmgmt.exe_8f8eb7b1
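The three "Drops file" lists above arrive from the sandbox export as a single run-on line per signature ("File created <path> <process> File opened for modification <path> <process> ..."), which is awkward to triage by eye at 64 rows each. The following Python is an added example, not part of the report and not sandbox tooling: it splits that layout back into rows, then summarizes them the way the notes above do (operation counts, extensions touched, OS binaries re-created under their own names, new files dropped straight into C:\Windows). The five input rows are a constructed excerpt in the same layout; the assumption that process image names end in .exe is what lets the regex tell the process column apart from a path that contains spaces.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed input: five rows in the flattened "description ioc process"
# layout the sandbox export uses, run together on one line exactly as they
# arrive when copied out of the report.
RAW = (
    'File created C:\\Windows\\SysWOW64\\certutil.exe c0ad70f9_by_Libranalysis.exe '
    'File opened for modification C:\\Program Files\\7-Zip\\7zG.exe c0ad70f9_by_Libranalysis.exe '
    'File opened for modification C:\\Program Files\\VideoLAN\\VLC\\lua\\http\\vlm.html c0ad70f9_by_Libranalysis.exe '
    'File created C:\\Windows\\svchost.exe c0ad70f9_by_Libranalysis.exe '
    'File created C:\\Windows\\config.json c0ad70f9_by_Libranalysis.exe'
)

# A row is: operation, a path that may contain spaces, then the acting process
# image. The lookahead pins the process token to the one directly before the
# next "File ..." operation (or end of text), so "Program Files" is not split.
# Assumption: process image names end in .exe, as they do in this report.
ROW_RE = re.compile(r'(File created|File opened for modification) (.+?) (\S+\.exe)(?= File |$)')

SYSTEM_BIN_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
WINDOWS_ROOT = PureWindowsPath('C:\\Windows')

Row = Tuple[str, str, str]   # (operation, path, process)


def parse_rows(text: str) -> List[Row]:
    return [m.groups() for m in ROW_RE.finditer(text)]


def summarize(rows: List[Row]) -> Dict[str, object]:
    by_ext = Counter(PureWindowsPath(path).suffix.lower() for _, path, _ in rows)
    by_op = Counter(op for op, _, _ in rows)
    # "File created" on a path that already belongs to the OS means the binary
    # was re-created under its own name: its hash has to be checked.
    rewritten_system = [p for op, p, _ in rows
                        if op == 'File created' and p.lower().startswith(SYSTEM_BIN_DIRS)]
    # New files directly in C:\Windows (not System32) are masquerade drops.
    new_in_windows_root = [p for op, p, _ in rows
                           if op == 'File created' and PureWindowsPath(p).parent == WINDOWS_ROOT]
    return {
        'rows': len(rows),
        'by_extension': dict(by_ext),
        'by_operation': dict(by_op),
        'rewritten_system_binaries': rewritten_system,
        'new_in_windows_root': new_in_windows_root,
    }


if __name__ == '__main__':
    for key, value in summarize(parse_rows(RAW)).items():
        print(f'{key}: {value}')
```

Feed it the full run-on text of a "Drops file" signature and the `rewritten_system_binaries` list is the set of paths to hash-compare against a clean install first.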
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this "likely ransomware behaviour"; here the drive enumeration is consistent with the sweep that precedes the mass rewriting of .exe and .html files listed above, and nothing in this report (no renamed or encrypted files, no ransom note) supports a ransomware reading.
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: c0ad70f9_by_Libranalysis.exe, svchost.exe
- Token: SeDebugPrivilege, PID 788, c0ad70f9_by_Libranalysis.exe
- Token: 33, PID 788, c0ad70f9_by_Libranalysis.exe (raw privilege LUID 33 = SeIncreaseWorkingSetPrivilege)
- Token: SeIncBasePriorityPrivilege, PID 788, c0ad70f9_by_Libranalysis.exe
- Token: SeIncBasePriorityPrivilege, PID 1484, svchost.exe
- Token: SeLockMemoryPrivilege, PID 1484, svchost.exe
- Token: SeLockMemoryPrivilege, PID 1484, svchost.exe
Note: SeLockMemoryPrivilege is the privilege XMRig enables for its large-page ("huge pages") memory mode and is almost never requested by ordinary user software, so a non-system process enabling it is a strong hunting pivot that lines up with the xmrig YARA hit on this svchost.exe.
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- c0ad70f9_by_Libranalysis.exe (PID 788)
Suspicious use of WriteProcessMemory 4 IoCs
Processes: c0ad70f9_by_Libranalysis.exe
- PID 788 (c0ad70f9_by_Libranalysis.exe) wrote to memory of PID 1484 (svchost.exe), reported four times
Note: all four writes go from the parent into the child it has just started; that pattern routinely appears when a process is launched and is not, on its own, evidence of code injection. The payload here is the dropped file on disk (see Downloads), not an injected image.
System policy modification 1 TTPs 2 IoCs
Processes: c0ad70f9_by_Libranalysis.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
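The registry rows in "Adds Run key to start application", "Checks whether UAC is enabled" and "System policy modification" are the two writes a responder cares about most: persistence from a user-writable directory and UAC being switched off. The following Python is an added example (not part of the report, not sandbox code) that parses rows in the report's own "description ioc process" layout and turns them into severity-rated findings. The three input rows are copied from this report; the ConsentPromptBehaviorAdmin and PromptOnSecureDesktop entries are an assumption added so that the same class of UAC-weakening write is caught when it appears in other reports.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed input: the three registry rows from this report, in the
# "description ioc process" layout the sandbox prints. Backslashes inside the
# value are doubled exactly as the report shows them.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c0ad70f9_by_Libranalysis.exe" c0ad70f9_by_Libranalysis.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system c0ad70f9_by_Libranalysis.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c0ad70f9_by_Libranalysis.exe',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\\S+) (\S+)$')

# Directories an unprivileged user can write to; a Run entry pointing here is
# the "persist the dropper from %TEMP%" pattern seen in this report.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\users\\public\\')

# Policies\System values and the setting that switches the protection off.
# EnableLUA is the one on this page; the other two are an assumption, added as
# the same class of UAC-weakening write.
UAC_WEAKENING = {
    'enablelua': '0',
    'consentpromptbehavioradmin': '0',
    'promptonsecuredesktop': '0',
}


@dataclass
class Finding:
    severity: str   # 'high' | 'info'
    reason: str
    path: str
    process: str


def triage_registry(lines: List[str]) -> List[Finding]:
    """Turn sandbox registry rows into findings a responder can act on."""
    findings: List[Finding] = []
    for line in lines:
        key_match = KEY_RE.match(line)
        if key_match:
            path, proc = key_match.groups()
            if '\\policies\\system' in path.lower():
                findings.append(Finding('info', 'UAC policy key created (expect value writes to follow)', path, proc))
            continue
        m = SET_RE.match(line)
        if not m:
            continue
        _vtype, path, value, proc = m.groups()
        value = value.replace('\\\\', '\\')          # undo the report's escaping
        lpath = path.lower()
        key, _, name = lpath.rpartition('\\')
        if key.endswith(('\\currentversion\\run', '\\currentversion\\runonce')):
            if any(marker in value.lower() for marker in USER_WRITABLE):
                findings.append(Finding('high', f'Run entry "{name}" starts a file from a user-writable directory: {value}', path, proc))
            if '\\wow6432node\\' in lpath:
                findings.append(Finding('info', '32-bit writer on a 64-bit host (WOW64 redirected the key)', path, proc))
        if '\\policies\\system\\' in lpath and UAC_WEAKENING.get(name) == value:
            findings.append(Finding('high', f'UAC weakened: {name} = {value}', path, proc))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    order = {'info': 0, 'high': 1}
    return max((f.severity for f in findings), key=order.__getitem__, default='none')


if __name__ == '__main__':
    for f in triage_registry(REPORT_LINES):
        print(f'[{f.severity:4}] {f.reason}\n        {f.path}  ({f.process})')
```

On this report the output is two high findings (Run entry into %TEMP%, EnableLUA = 0) and two informational ones; the WOW64 note is what tells you to look for the 32-bit Run key and SysWOW64 artefacts when cleaning a 64-bit host.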
Processes
1. C:\Users\Admin\AppData\Local\Temp\c0ad70f9_by_Libranalysis.exe (PID 788)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c0ad70f9_by_Libranalysis.exe"
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   - System policy modification
   2. C:\Windows\svchost.exe (PID 1484, child of 1)
      Command line: "C:\Windows\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Note: C:\Windows\svchost.exe is not the operating system's service host, which lives in C:\Windows\System32 (with a 32-bit copy in C:\Windows\SysWOW64) and is started by services.exe. A svchost.exe in the Windows root, launched by a process running from %TEMP%, is an indicator on its own, independent of the YARA match.
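Two things in the process tree and the token signature above stand out even without a YARA rule: a svchost.exe running from the wrong directory, and SeLockMemoryPrivilege being enabled in it. The following Python is an added example (not part of the report) that encodes both checks over the process list and token events of this report, resolves the raw LUID the sandbox left unresolved ("33"), and collapses the duplicated token rows. The list of host-process names that should only ever run from System32/SysWOW64 is an assumption kept deliberately short; extend it for your environment.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int]


# Constructed input: the two processes and six token events from this report.
PROCS = [
    Proc(788, r'C:\Users\Admin\AppData\Local\Temp\c0ad70f9_by_Libranalysis.exe', None),
    Proc(1484, r'C:\Windows\svchost.exe', 788),
]
# (privilege as the sandbox printed it, pid). "33" is a raw LUID, see below.
TOKEN_EVENTS = [
    ('SeDebugPrivilege', 788), ('33', 788), ('SeIncBasePriorityPrivilege', 788),
    ('SeIncBasePriorityPrivilege', 1484), ('SeLockMemoryPrivilege', 1484),
    ('SeLockMemoryPrivilege', 1484),
]

# Privilege LUIDs the sandbox sometimes leaves unresolved. Partial table:
# only the values relevant here.
LUID_NAMES = {'4': 'SeLockMemoryPrivilege', '14': 'SeIncBasePriorityPrivilege',
              '20': 'SeDebugPrivilege', '33': 'SeIncreaseWorkingSetPrivilege'}

# Images that only legitimately run from the system directories. Assumption:
# this short list is what you want to guard; extend it to taste.
HOST_BINARIES = {'svchost.exe', 'csrss.exe', 'lsass.exe', 'services.exe',
                 'wininit.exe', 'winlogon.exe'}
SYSTEM_DIRS = {'c:\\windows\\system32', 'c:\\windows\\syswow64'}
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\users\\public\\')

Finding = Tuple[int, str, str]   # (pid, severity, reason)


def normalize_privilege(priv: str) -> str:
    return LUID_NAMES.get(priv, priv)


def lineage(procs: List[Proc], pid: int) -> List[int]:
    """Root-first chain of pids ending at `pid`."""
    by_pid = {p.pid: p for p in procs}
    chain: List[int] = []
    cur: Optional[int] = pid
    while cur is not None and cur in by_pid and cur not in chain:
        chain.append(cur)
        cur = by_pid[cur].parent
    return list(reversed(chain))


def triage_processes(procs: List[Proc], token_events) -> List[Finding]:
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings: List[Finding] = []
    for p in procs:
        path = PureWindowsPath(p.image)
        if path.name.lower() in HOST_BINARIES and str(path.parent).lower() not in SYSTEM_DIRS:
            findings.append((p.pid, 'high', f'{path.name} running outside System32/SysWOW64: {p.image}'))
        if any(marker in p.image.lower() for marker in USER_WRITABLE):
            findings.append((p.pid, 'medium', f'image started from a user-writable directory: {p.image}'))
    seen = set()
    for priv, pid in token_events:
        priv = normalize_privilege(priv)
        if (priv, pid) in seen:        # the report repeats identical events
            continue
        seen.add((priv, pid))
        image = by_pid[pid].image if pid in by_pid else f'pid {pid}'
        if priv == 'SeLockMemoryPrivilege':
            # Needed for large-page allocations; XMRig enables it for its
            # huge-pages mode. Ordinary user software almost never asks for it.
            findings.append((pid, 'high', f'SeLockMemoryPrivilege enabled by {image} (large-page allocation, as XMRig does)'))
        elif priv == 'SeDebugPrivilege':
            findings.append((pid, 'medium', f'SeDebugPrivilege enabled by {image}'))
    return findings


if __name__ == '__main__':
    print('chain:', ' -> '.join(str(p) for p in lineage(PROCS, 1484)))
    for pid, sev, reason in triage_processes(PROCS, TOKEN_EVENTS):
        print(f'[{sev:6}] pid {pid}: {reason}')
```

The masquerade check compares the parent directory, not just the file name, which is why C:\Windows\svchost.exe is caught while the legitimate C:\Windows\System32\svchost.exe would not be.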
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\config.json
  MD5: 88c5c5706d2e237422eda18490dc6a59
  SHA1: bb8d12375f6b995301e756de2ef4fa3a3f6efd39
  SHA256: 4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
  SHA512: a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7
- C:\Windows\svchost.exe
  MD5: 4a87a4d6677558706db4afaeeeb58d20
  SHA1: 7738dc6a459f8415f0265d36c626b48202cd6764
  SHA256: 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
  SHA512: bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594
- memory/788-60-0x0000000075A71000-0x0000000075A73000-memory.dmp (Filesize 8KB)
- memory/1484-61-0x0000000000000000-mapping.dmp
Note: the dropped svchost.exe has a different hash from the submitted sample (it is the unpacked miner, the file the xmrig YARA rule matched), and config.json is the default configuration file name XMRig looks for next to its executable. The config file is where pool addresses and wallet identifiers live; the report does not show its contents, only its hashes, so pull it from the sandbox to extract those indicators.
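The report lists C:\Windows\config.json only by hash, but for an XMRig deployment that file is the richest indicator source (pool hosts and ports, wallet, rig id, whether huge pages are requested). The following Python is an added example, not part of the report and not the real dropped file: it parses a configuration in XMRig's documented JSON layout, extracts those indicators, and derives what the host should show if the config is live (for instance, huge-pages on means the miner will enable SeLockMemoryPrivilege, which is exactly what the token signature above recorded). The embedded config is constructed with placeholder hosts and a placeholder wallet; the real file's contents are not on this page.

```python
import json
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the dropped C:\Windows\config.json: the report gives
# only its hashes, so this is a config in XMRig's documented JSON layout with
# placeholder pool hosts and wallet, not the real file's contents.
SAMPLE_CONFIG = r'''
{
  "autosave": true,
  "background": true,
  "cpu": { "enabled": true, "huge-pages": true, "max-threads-hint": 50 },
  "donate-level": 1,
  "log-file": null,
  "pools": [
    { "algo": "rx/0", "url": "pool.example.invalid:3333", "user": "WALLET_PLACEHOLDER",
      "pass": "x", "rig-id": "win7-box", "tls": false, "keepalive": true },
    { "algo": "rx/0", "url": "stratum+ssl://backup.example.invalid:443", "user": "WALLET_PLACEHOLDER",
      "pass": "x", "tls": true }
  ],
  "randomx": { "init": -1, "mode": "auto", "1gb-pages": false },
  "print-time": 60
}
'''

Pool = Tuple[Optional[str], Optional[int], bool]   # (host, port, tls)


def parse_pool_url(url: str, tls_flag: bool = False) -> Pool:
    """XMRig accepts bare host:port or a stratum+tcp/stratum+ssl/stratum+tls URL."""
    if '://' not in url:
        url = 'stratum+tcp://' + url
    parts = urlsplit(url)
    tls = tls_flag or parts.scheme.lower().endswith(('ssl', 'tls'))
    return parts.hostname, parts.port, tls


def extract_iocs(config_text: str) -> Dict[str, Any]:
    cfg = json.loads(config_text)
    pools: List[Pool] = []
    wallets: List[str] = []
    rig_ids: List[str] = []
    for pool in cfg.get('pools', []):
        if not pool.get('enabled', True) or 'url' not in pool:
            continue
        pools.append(parse_pool_url(pool['url'], bool(pool.get('tls', False))))
        if pool.get('user'):
            wallets.append(pool['user'])
        if pool.get('rig-id'):
            rig_ids.append(pool['rig-id'])
    # "huge-pages" lives under "cpu" in current XMRig; older builds put it at top level.
    huge_pages = bool(cfg.get('cpu', {}).get('huge-pages', cfg.get('huge-pages', False)))
    return {
        'pools': pools,
        'wallets': sorted(set(wallets)),
        'rig_ids': rig_ids,
        'huge_pages': huge_pages,
        'background': bool(cfg.get('background', False)),
        'donate_level': cfg.get('donate-level'),
    }


def expected_host_behaviour(iocs: Dict[str, Any]) -> List[str]:
    """What the sandbox should show if this config is live; cross-check the signatures above."""
    expect: List[str] = []
    if iocs['huge_pages']:
        expect.append('SeLockMemoryPrivilege enabled in the miner process')
    if iocs['background']:
        expect.append('miner detaches (no console window)')
    for host, port, tls in iocs['pools']:
        expect.append(f'outbound {"TLS" if tls else "TCP"} to {host}:{port}')
    return expect


if __name__ == '__main__':
    iocs = extract_iocs(SAMPLE_CONFIG)
    print(json.dumps(iocs, indent=2))
    print('\n'.join(expected_host_behaviour(iocs)))
```

Run it against the real config.json pulled from the sandbox and the `pools` and `wallets` fields are the network and payment indicators to block and to pivot on; an empty Network section in the report, as here, does not mean the miner has no pool, only that no connection was captured in the run.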