Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 05-05-2021 08:06

Behavioral task: behavioral1
Sample: c0ad70f9_by_Libranalysis.exe
Resource: win7v20210410

General
- Target: c0ad70f9_by_Libranalysis.exe
- Size: 12.3MB
- MD5: c0ad70f9c2b3620dd629c84220f06181
- SHA1: 74459e1ef6e7b892ac1a68a222e36263ebcd01db
- SHA256: 4b9afe0a9750dec2d7dc5191281107337cfd58514cc45c794f00827db79df003
- SHA512: aa01d45f51000177d2bf6034c2ebaacc4309a858f2148845acb67fe4ba582c7adc48aac4cc89437cecb5b4d794304c30d3cdfdfe163743ce5c4cb6e38cad7f91
Malware Config

Signatures

XMRig Miner Payload (1 IoCs)
Processes:
  resource: C:\Windows\svchost.exe  yara_rule: xmrig

Executes dropped EXE (1 IoCs)
Processes: svchost.exe
  pid 416  svchost.exe

Sets file execution options in registry (2 TTPs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: c0ad70f9_by_Libranalysis.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: c0ad70f9_by_Libranalysis.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c0ad70f9_by_Libranalysis.exe"
Checks whether UAC is enabled
Processes: c0ad70f9_by_Libranalysis.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops file in System32 directory (64 IoCs)
Processes: c0ad70f9_by_Libranalysis.exe
  File created  C:\Windows\SysWOW64\autochk.exe
  File created  C:\Windows\SysWOW64\diskperf.exe
  File created  C:\Windows\SysWOW64\logagent.exe
  File created  C:\Windows\SysWOW64\Netplwiz.exe
  File created  C:\Windows\SysWOW64\Utilman.exe
  File created  C:\Windows\SysWOW64\Macromed\Flash\FlashUtil_ActiveX.exe
  File created  C:\Windows\SysWOW64\AtBroker.exe
  File created  C:\Windows\SysWOW64\EaseOfAccessDialog.exe
  File created  C:\Windows\SysWOW64\fltMC.exe
  File created  C:\Windows\SysWOW64\prevhost.exe
  File created  C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE
  File created  C:\Windows\SysWOW64\clip.exe
  File created  C:\Windows\SysWOW64\cmd.exe
  File created  C:\Windows\SysWOW64\comp.exe
  File created  C:\Windows\SysWOW64\SearchProtocolHost.exe
  File created  C:\Windows\SysWOW64\WSManHTTPConfig.exe
  File created  C:\Windows\SysWOW64\eventvwr.exe
  File created  C:\Windows\SysWOW64\msdt.exe
  File created  C:\Windows\SysWOW64\ReAgentc.exe
  File created  C:\Windows\SysWOW64\resmon.exe
  File created  C:\Windows\SysWOW64\setupugc.exe
  File created  C:\Windows\SysWOW64\pcaui.exe
  File created  C:\Windows\SysWOW64\NETSTAT.EXE
  File created  C:\Windows\SysWOW64\osk.exe
  File created  C:\Windows\SysWOW64\regsvr32.exe
  File created  C:\Windows\SysWOW64\extrac32.exe
  File created  C:\Windows\SysWOW64\fsquirt.exe
  File created  C:\Windows\SysWOW64\GamePanel.exe
  File created  C:\Windows\SysWOW64\instnm.exe
  File created  C:\Windows\SysWOW64\makecab.exe
  File created  C:\Windows\SysWOW64\tzutil.exe
  File created  C:\Windows\SysWOW64\wbem\WMIADAP.exe
  File created  C:\Windows\SysWOW64\DpiScaling.exe
  File created  C:\Windows\SysWOW64\sdbinst.exe
  File created  C:\Windows\SysWOW64\tasklist.exe
  File created  C:\Windows\SysWOW64\winrshost.exe
  File created  C:\Windows\SysWOW64\diskraid.exe
  File created  C:\Windows\SysWOW64\PING.EXE
  File created  C:\Windows\SysWOW64\runas.exe
  File created  C:\Windows\SysWOW64\sdiagnhost.exe
  File created  C:\Windows\SysWOW64\wbem\WinMgmt.exe
  File created  C:\Windows\SysWOW64\BackgroundTransferHost.exe
  File created  C:\Windows\SysWOW64\compact.exe
  File created  C:\Windows\SysWOW64\PickerHost.exe
  File created  C:\Windows\SysWOW64\SystemPropertiesHardware.exe
  File created  C:\Windows\SysWOW64\unlodctr.exe
  File created  C:\Windows\SysWOW64\auditpol.exe
  File created  C:\Windows\SysWOW64\dcomcnfg.exe
  File created  C:\Windows\SysWOW64\fsutil.exe
  File created  C:\Windows\SysWOW64\subst.exe
  File created  C:\Windows\SysWOW64\runonce.exe
  File created  C:\Windows\SysWOW64\where.exe
  File created  C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe
  File created  C:\Windows\SysWOW64\netiougc.exe
  File created  C:\Windows\SysWOW64\certreq.exe
  File created  C:\Windows\SysWOW64\cipher.exe
  File created  C:\Windows\SysWOW64\cleanmgr.exe
  File created  C:\Windows\SysWOW64\ctfmon.exe
  File created  C:\Windows\SysWOW64\label.exe
  File created  C:\Windows\SysWOW64\getmac.exe
  File created  C:\Windows\SysWOW64\powercfg.exe
  File created  C:\Windows\SysWOW64\raserver.exe
  File created  C:\Windows\SysWOW64\SyncHost.exe
  File created  C:\Windows\SysWOW64\UIMgrBroker.exe
Drops file in Program Files directory (64 IoCs)
Processes: c0ad70f9_by_Libranalysis.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\plugin-container.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe
  File opened for modification  C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
  File created                  C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe
  File created                  C:\Program Files\Windows Defender\MSASCui.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteim.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteshare.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\89.0.4389.114_chrome_installer.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\OfficeHubWin32.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\WindowsCamera.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe
  File created                  C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\GameBar.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\klist.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\msoev.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
  File created                  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe
  File created                  C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
  File created                  C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe
  File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\AppxClickHandler.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\PurchaseApp.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
  File created                  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\updater.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe
  File created                  C:\Program Files\Windows Media Player\wmpnscfg.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.exe
  File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Client\AppVLP.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe
  File created                  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe
  File opened for modification  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Drops file in Windows directory (64 IoCs)
Processes: c0ad70f9_by_Libranalysis.exe
  File created                  C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.15063.0_none_dd86505400f5b57f\AppVStreamingUX.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-d..ing-management-core_31bf3856ad364e35_10.0.15063.0_none_3c47ff3e638dd49c\DismHost.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-d..ls-adschemaanalyzer_31bf3856ad364e35_10.0.15063.0_none_e50cbdd46fa16ae3\ADSchemaAnalyzer.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-d..n-tools-command-ldp_31bf3856ad364e35_10.0.15063.0_none_605529e5390f9df7\ldp.exe
  File opened for modification  C:\Windows\svchost.exe
  File created                  C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteim.exe
  File created                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-e..-mdmdiagnosticstool_31bf3856ad364e35_10.0.15063.0_none_7014b59eabaac737\MdmDiagnosticsTool.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-iscsi_initiator_ui_31bf3856ad364e35_10.0.15063.0_none_e8ff03ea94e0988c\iscsicpl.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-p..ionsimulationdevice_31bf3856ad364e35_10.0.15063.0_none_8c91bbc89bdb0560\PerceptionSimulationDevice.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-cloudnotifications_31bf3856ad364e35_10.0.15063.0_none_a31b751aca0bb1d3\CloudNotifications.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-deployment_31bf3856ad364e35_10.0.15063.0_none_0d02d004261cbb8b\setupugc.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-f..temcompareutilities_31bf3856ad364e35_10.0.15063.0_none_11da7dbc6e2b0b82\fc.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-r..eak-diagnostic-core_31bf3856ad364e35_10.0.15063.0_none_6c257c3cb63101f8\rdrleakdiag.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-r..verycenter-platform_31bf3856ad364e35_10.0.15063.0_none_5452c60eca787254\SystemResetPlatform.exe
  File created                  C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe
  File created                  C:\Windows\SystemApps\Microsoft.Windows.WindowPicker_cw5n1h2txyewy\WindowPicker.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_10.0.15063.0_none_e624dcf78588902b\sdbinst.exe
  File created                  C:\Windows\InfusedApps\Packages\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\OneConnect.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-icm-ui_31bf3856ad364e35_10.0.15063.0_none_4b6c90a3d99e2006\colorcpl.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-international-unattend_31bf3856ad364e35_10.0.15063.0_none_d12d9b8e26686bfa\MuiUnattend.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_10.0.15063.0_none_69bbb0ec140eb63c\mighost.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.15063.0_none_05428e9e14a75fff\regedt32.exe
  File created                  C:\Windows\Boot\PCAT\memtest.exe
  File created                  C:\Windows\HoloShell\HoloShellApp.exe
  File created                  C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\AppxClickHandler.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-com-runtimebroker_31bf3856ad364e35_10.0.15063.0_none_a76741ebe0e3bb6f\RuntimeBroker.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-eventcreate_31bf3856ad364e35_10.0.15063.0_none_e676a9dd78629564\eventcreate.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_10.0.15063.0_none_c5c1f5efcbd6de1e\nfsadmin.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-regini_31bf3856ad364e35_10.0.15063.0_none_1d6a15a7f29f9ce6\regini.exe
  File created                  C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
  File created                  C:\Windows\SystemApps\holoitemplayerapp_cw5n1h2txyewy\HoloItemPlayerApp.exe
  File created                  C:\Windows\WinSxS\amd64_aspnet_regbrowsers_b03f5f7f11d50a3a_4.0.14917.0_none_7d238688e7b91815\aspnet_regbrowsers.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-onecore-e..taprotectioncleanup_31bf3856ad364e35_10.0.15063.0_none_e6c4eeedef70115b\EDPCleanup.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-ie-feedsbs_31bf3856ad364e35_11.0.15063.0_none_4153431b7e6a9b04\msfeedssync.exe
  File created                  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe
  File created                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  File created                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-mountvol_31bf3856ad364e35_10.0.15063.0_none_c36d52a68a42056a\mountvol.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-regsvr32_31bf3856ad364e35_10.0.15063.0_none_896af68a6852519a\regsvr32.exe
  File created                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
  File created                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-client-li..pgrade-subscription_31bf3856ad364e35_10.0.15063.0_none_6282db77610a6450\ClipRenew.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-processmodel-cpt_31bf3856ad364e35_10.0.15063.0_none_bbe663b4ac5f809e\w3wp.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-r..pdate-oob-component_31bf3856ad364e35_10.0.15063.0_none_feaa67e4dd30b715\rdvgm.exe
  File created                  C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe
  File created                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-c..sktop.appxmain.root_31bf3856ad364e35_10.0.15063.0_none_ec24e4a0e74d86ea\RemindersServer.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-d..services-core-files_31bf3856ad364e35_10.0.15063.0_none_a0ff0be85fcae169\dsamain.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-holoshell.appxmain_31bf3856ad364e35_10.0.15063.0_none_34ae4307b90cabc4\HoloShellApp.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_10.0.15063.0_none_ad1d9764d9c2a978\resmon.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-printing-dialoghost3d_31bf3856ad364e35_10.0.15063.0_none_f84efaddd7ac3203\PrintDialogHost3D.exe
  File created                  C:\Windows\WinSxS\amd64_adobe-flash-for-windows_31bf3856ad364e35_10.0.15063.0_none_3cb3bd3fa25e4d31\FlashUtil_ActiveX.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.15063.0_none_41652c9a9e54011f\hvloader.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-e..ortingcompatibility_31bf3856ad364e35_10.0.15063.0_none_0fb37e8e2e536acc\DWWIN.EXE
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_10.0.15063.0_none_8815846f65bab26d\drvinst.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-f..deploymentmgrclient_31bf3856ad364e35_10.0.15063.0_none_5ec1b3443bbde782\dmclient.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.15063.0_none_228a248d8977d11b\newdev.exe
  File created                  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe
  File created                  C:\Windows\WinSxS\amd64_aspnet_regsql_b03f5f7f11d50a3a_4.0.15552.17062_none_177920c8cffd0a3a\aspnet_regsql.exe
  File created                  C:\Windows\WinSxS\amd64_microsoft-client-li..ing-platform-client_31bf3856ad364e35_10.0.15063.0_none_1a79719cec9ecf66\licensingdiag.exe
  File created                  C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\FileExplorer.exe
  File created                  C:\Windows\WinSxS\amd64_aspnet_regsql_b03f5f7f11d50a3a_10.0.15063.0_none_c17d729c441d6e56\aspnet_regsql.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes: c0ad70f9_by_Libranalysis.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: c0ad70f9_by_Libranalysis.exe, svchost.exe
  description                        pid  process
  Token: SeDebugPrivilege            856  c0ad70f9_by_Libranalysis.exe
  Token: 33                          856  c0ad70f9_by_Libranalysis.exe
  Token: SeIncBasePriorityPrivilege  856  c0ad70f9_by_Libranalysis.exe
  Token: SeIncBasePriorityPrivilege  416  svchost.exe
  Token: SeLockMemoryPrivilege       416  svchost.exe
  Token: SeLockMemoryPrivilege       416  svchost.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: c0ad70f9_by_Libranalysis.exe
  pid 856  c0ad70f9_by_Libranalysis.exe

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: c0ad70f9_by_Libranalysis.exe
  description                     pid  process                       target process
  PID 856 wrote to memory of 416  856  c0ad70f9_by_Libranalysis.exe  svchost.exe
  PID 856 wrote to memory of 416  856  c0ad70f9_by_Libranalysis.exe  svchost.exe

System policy modification (1 TTPs, 2 IoCs)
Processes: c0ad70f9_by_Libranalysis.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes

- C:\Users\Admin\AppData\Local\Temp\c0ad70f9_by_Libranalysis.exe (PID 856)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0ad70f9_by_Libranalysis.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\svchost.exe (PID 416, child of 856)
    Command line: "C:\Windows\svchost.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Windows\config.json
  MD5: 88c5c5706d2e237422eda18490dc6a59
  SHA1: bb8d12375f6b995301e756de2ef4fa3a3f6efd39
  SHA256: 4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
  SHA512: a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

- C:\Windows\svchost.exe
  MD5: 4a87a4d6677558706db4afaeeeb58d20
  SHA1: 7738dc6a459f8415f0265d36c626b48202cd6764
  SHA256: 08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
  SHA512: bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

- memory/416-114-0x0000000000000000-mapping.dmp