Analysis

max time kernel: 147s
max time network: 149s
platform: windows10_x64
resource: win10v20210410
submitted: 29-06-2021 08:46

Static task: static1
Behavioral task: behavioral1
  Sample: c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe
  Resource: win10v20210410

The run documented below is the windows10_x64 / win10v20210410 task (behavioral2).
General

Target: c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe
Size: 122KB
MD5: 8a7deb28bf1fc0925142ef2f9bac9883
SHA1: 6e9d34c13f303ba3f4e5edec702383e3b293432a
SHA256: c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd
SHA512: 3f9298131593033c439d99107290461370c675925213f39ba9ffffc626b9cad6e6e4f6efcd4c1d4761eddb7796fa6e36e1a519617176d53d10e551452ef00dea
Malware Config

Extracted from: C:\5e4p9xj2s4-readme.txt
Family: sodinokibi
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0908DB892CC11ABE
  http://decoder.re/0908DB892CC11ABE

Both URLs share the same victim-specific path component (0908DB892CC11ABE); decoder.re is the clearnet mirror of the onion payment site. The "5e4p9xj2s4" prefix of the note name is the same string appended to every encrypted file (see "Modifies extensions of user files" below), so note name and extension can be derived from each other.
Signatures

Sodin, Sodinokibi, REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Modifies Installed Components in the registry (2 TTPs)
No IoCs are listed for this signature in the report.
Modifies Windows Firewall (1 TTP)
The only firewall change captured is the child process netsh.exe (PID 1076, spawned by the sample) running `netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes` (see the process tree). Enabling the Network Discovery rule group lets the host find and be found by other machines on the local network, which is consistent with this family's network-share encryption rather than with any command-and-control purpose.
Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe (PID 3904) for every entry.
  File renamed C:\Users\Admin\Pictures\ConvertFromClear.raw => \??\c:\users\admin\pictures\ConvertFromClear.raw.5e4p9xj2s4
  File renamed C:\Users\Admin\Pictures\PingInstall.crw => \??\c:\users\admin\pictures\PingInstall.crw.5e4p9xj2s4
  File renamed C:\Users\Admin\Pictures\PublishUnpublish.raw => \??\c:\users\admin\pictures\PublishUnpublish.raw.5e4p9xj2s4
  File renamed C:\Users\Admin\Pictures\UsePing.crw => \??\c:\users\admin\pictures\UsePing.crw.5e4p9xj2s4
Every renamed file keeps its original extension and gains ".5e4p9xj2s4", the ten-character string that also names the ransom note (5e4p9xj2s4-readme.txt). The string is generated per infection, so on a live incident the extension seen on one host is the value to search for on the others, not the one in this report.
Drops startup file (5 IoCs)
Process: c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe (PID 3904) for every entry.
  File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\5e4p9xj2s4-readme.txt
  File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\tmp
  File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\5e4p9xj2s4-readme.txt
  File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini
  File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\tmp
What lands in the Startup folders is the ransom note and a file named tmp (the same pair is dropped in both Program Files roots below), not a payload: the signature fires because the encryptor drops its note into every directory it walks, the Startup folders included. The persistence mechanism actually used is the Run key below.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
No IoCs are listed for this signature. For a file encryptor that walks every user-profile directory (see the desktop.ini and Program Files lists below) the heuristic most plausibly fires on the traversal of browser profile folders rather than on credential theft; treat it as unconfirmed unless a separate exfiltration indicator turns up.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe (PID 3904) for every entry.
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe"
The value is written under HKLM rather than HKCU, and the write succeeded, so the process was running with administrative rights; it sits under WOW6432Node because the binary is 32-bit on 64-bit Windows (the netsh child is likewise launched from SysWOW64). The value name is random and the target is the sample's own path in the user's Temp directory. On a real host the path is wherever the dropper landed, so hunt on a Run-key target pointing into a user Temp directory rather than on the name t32mMaunsR.
Drops desktop.ini file(s) (64 IoCs)
Process: c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe (PID 3904); every entry is "File opened for modification".
  \??\c:\users\default\appdata\roaming\microsoft\windows\sendto\Desktop.ini
  \??\c:\users\admin\desktop\desktop.ini
  \??\c:\users\admin\documents\desktop.ini
  \??\c:\programdata\microsoft\windows\start menu\programs\accessories\desktop.ini
  \??\c:\users\admin\appdata\local\microsoft\windows\burn\burn\desktop.ini
  \??\c:\users\admin\appdata\local\microsoft\windows\winx\group3\desktop.ini
  \??\c:\users\default\appdata\local\microsoft\windows\winx\group2\desktop.ini
  \??\c:\users\admin\downloads\desktop.ini
  \??\c:\users\admin\favorites\desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini
  \??\c:\users\public\accountpictures\desktop.ini
  \??\c:\users\public\downloads\desktop.ini
  \??\c:\programdata\microsoft\windows\start menu\programs\maintenance\Desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\windows\accountpictures\desktop.ini
  \??\c:\users\public\documents\desktop.ini
  \??\c:\users\public\music\desktop.ini
  \??\c:\users\admin\favorites\links\desktop.ini
  \??\c:\programdata\microsoft\windows\start menu\programs\desktop.ini
  \??\c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\maintenance\Desktop.ini
  \??\c:\users\admin\music\desktop.ini
  \??\c:\users\public\desktop\desktop.ini
  \??\c:\users\admin\appdata\local\microsoft\windows\application shortcuts\desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\windows\recent\desktop.ini
  \??\c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\Desktop.ini
  \??\c:\programdata\microsoft\windows\start menu\programs\accessibility\Desktop.ini
  \??\c:\programdata\microsoft\windows\start menu\programs\system tools\Desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\windows\libraries\desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\windows\sendto\Desktop.ini
  \??\c:\users\admin\onedrive\desktop.ini
  \??\c:\users\admin\pictures\saved pictures\desktop.ini
  \??\c:\programdata\microsoft\windows\start menu\desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini
  \??\c:\users\default\appdata\local\microsoft\windows\winx\group1\desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\administrative tools\desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\maintenance\Desktop.ini
  \??\c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\system tools\Desktop.ini
  \??\c:\users\admin\contacts\desktop.ini
  \??\c:\users\public\videos\desktop.ini
  \??\c:\users\public\pictures\desktop.ini
  \??\c:\users\admin\appdata\local\microsoft\windows\history\desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\desktop.ini
  \??\c:\users\default\appdata\local\microsoft\windows\winx\group3\desktop.ini
  \??\c:\users\public\desktop.ini
  \??\c:\users\admin\links\desktop.ini
  \??\c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini
  \??\c:\users\admin\appdata\local\microsoft\windows\winx\group1\desktop.ini
  \??\c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\windows powershell\desktop.ini
  \??\c:\$recycle.bin\s-1-5-21-3686645723-710336880-414668232-1000\desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\windows powershell\desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\accessibility\Desktop.ini
  \??\c:\users\admin\videos\desktop.ini
  \??\c:\programdata\microsoft\windows\start menu\programs\administrative tools\desktop.ini
  \??\c:\users\admin\searches\desktop.ini
  \??\c:\users\public\libraries\desktop.ini
  \??\c:\programdata\microsoft\windows\start menu places\desktop.ini
  \??\c:\users\admin\pictures\camera roll\desktop.ini
  \??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\system tools\Desktop.ini
  \??\c:\program files\desktop.ini
  \??\c:\users\admin\pictures\desktop.ini
  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\accessories\Desktop.ini
  \??\c:\program files (x86)\desktop.ini
  \??\c:\programdata\microsoft\windows\start menu\programs\accessories\system tools\desktop.ini
The encryptor opens desktop.ini in every folder it enumerates (the Admin, Default and Public profiles, ProgramData Start Menu folders, both Program Files roots and the user's Recycle Bin), so this list is a map of the directory walk rather than 64 separate behaviours.
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe (PID 3904); every entry is "File opened (read-only)".
Drive roots probed, in the order logged: \??\B: \??\K: \??\L: \??\N: \??\V: \??\W: \??\D: \??\A: \??\F: \??\J: \??\O: \??\P: \??\Q: \??\U: \??\Y: \??\G: \??\T: \??\X: \??\Z: \??\E: \??\H: \??\I: \??\M: \??\R: \??\S:
That is every drive letter except C:, i.e. the sample probes all possible mapped or removable volumes rather than querying which ones exist.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe (PID 3904).
  Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\i42kl.bmp"
A bitmap with a random name in the user's Temp directory (i42kl.bmp) is set as the wallpaper through the per-user HKU\<SID>\Control Panel\Desktop\Wallpaper value.
Drops file in Program Files directory (45 IoCs)
Process: c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe (PID 3904) for every entry.
  File opened for modification \??\c:\program files\InvokeStart.vst
  File opened for modification \??\c:\program files\RevokeResume.dll
  File opened for modification \??\c:\program files\TestUse.xml
  File opened for modification \??\c:\program files\CopyWait.ttf
  File opened for modification \??\c:\program files\EnableLimit.ppsx
  File opened for modification \??\c:\program files\ExpandDeny.scf
  File opened for modification \??\c:\program files\InitializeExpand.htm
  File opened for modification \??\c:\program files\SaveDeny.bmp
  File opened for modification \??\c:\program files\UndoSplit.htm
  File opened for modification \??\c:\program files\CompressAssert.WTV
  File opened for modification \??\c:\program files\EnterUninstall.clr
  File opened for modification \??\c:\program files\MoveClear.docx
  File opened for modification \??\c:\program files\ResetUnregister.wax
  File opened for modification \??\c:\program files\WaitApprove.ico
  File opened for modification \??\c:\program files\ApproveRestore.dotx
  File opened for modification \??\c:\program files\EnterConvertFrom.mp3
  File opened for modification \??\c:\program files\SyncMeasure.dwg
  File opened for modification \??\c:\program files\UseInvoke.contact
  File created \??\c:\program files (x86)\tmp
  File opened for modification \??\c:\program files\FindSuspend.mpeg
  File opened for modification \??\c:\program files\MountSelect.ps1xml
  File opened for modification \??\c:\program files\MoveInvoke.mpeg2
  File opened for modification \??\c:\program files\WaitResize.pptx
  File opened for modification \??\c:\program files (x86)\desktop.ini
  File opened for modification \??\c:\program files\ReadResume.mp3
  File opened for modification \??\c:\program files\ResetProtect.scf
  File opened for modification \??\c:\program files\RestartRevoke.ocx
  File opened for modification \??\c:\program files\SubmitWatch.iso
  File opened for modification \??\c:\program files\SendResize.mov
  File opened for modification \??\c:\program files\SendWait.dxf
  File opened for modification \??\c:\program files\StepConfirm.vsd
  File created \??\c:\program files (x86)\5e4p9xj2s4-readme.txt
  File opened for modification \??\c:\program files\AddOut.xhtml
  File opened for modification \??\c:\program files\desktop.ini
  File opened for modification \??\c:\program files\SearchFormat.contact
  File opened for modification \??\c:\program files\UseSwitch.mp4
  File created \??\c:\program files\5e4p9xj2s4-readme.txt
  File opened for modification \??\c:\program files\MoveComplete.3gpp
  File opened for modification \??\c:\program files\MoveStep.zip
  File opened for modification \??\c:\program files\SwitchSet.vsdm
  File opened for modification \??\c:\program files\WaitUnblock.vbs
  File created \??\c:\program files\tmp
  File opened for modification \??\c:\program files\ConfirmMount.mpe
  File opened for modification \??\c:\program files\LimitEdit.wpl
  File opened for modification \??\c:\program files\ResetReceive.gif
Only four files are created here: the ransom note and a file named tmp in each Program Files root. The verb-noun file names (InvokeStart.vst, RevokeResume.dll, ...) are the sandbox's seeded decoy files, opened for modification as they are encrypted in place; the sample does not drop a payload into Program Files.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
  pid   pid_target  process       target process
  3288  2996        WerFault.exe
  3612  1768        WerFault.exe  explorer.exe
Two WerFault instances were spawned: one for PID 2996 (not named anywhere in the report; its WerFault command line "-u -p 2996 -s 2848" appears in the process tree) and one for explorer.exe (PID 1768), which crashed during the run.
Modifies system certificate store (4 IoCs)
Process: c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe (PID 3904) for every entry.
  Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB
  Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = (value elided in this copy of the report)
  Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
  Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob =
  030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95
The Blob is CryptoAPI's serialized store entry: a chain of (property id, reserved=1, length, data) records whose last record (id 32) is the DER certificate. Its readable strings are visible in the hex: subject "USERTrust RSA Certification Authority" (The USERTRUST Network), issuer "AAA Certificate Services" (Comodo CA Limited), validity 190312000000Z to 281231235959Z, with CRL and OCSP URLs at comodoca.com; the registry key name D89E3BD4...184C is the certificate's SHA-1 thumbprint and is repeated in the first record. Both entries sit in the per-user CA (intermediate) store, not in ROOT, which is exactly what Windows writes when it caches an intermediate it fetched or verified while building a chain. This is consistent with CryptoAPI's own chain building triggered by something the sample did, not with the sample installing a trust anchor, and on its own it is not evidence of certificate tampering.
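To check what a logged Blob actually contains without trusting the signature name, parse the CryptoAPI store format and the DER inside it. The following Python is an added example (not part of the sandbox report or its tooling): BLOB_HEX is the second Blob value above copied verbatim, the property-ID names are the wincrypt.h CERT_*_PROP_ID constants, and the function names are my own. It confirms that the registry key name is the SHA-1 of the stored certificate and lists the certificate's issuer, subject and validity strings.

```python
"""Decode a CryptoAPI certificate-store registry Blob.

Added example for this report, not part of the sandbox's tooling. BLOB_HEX is the
Blob logged under ...\\CA\\Certificates\\D89E3BD4...184C, copied from the report;
property IDs are the wincrypt.h CERT_*_PROP_ID constants; function names are mine.
"""
import hashlib
import struct

REG_KEY_NAME = "D89E3BD43D5D909B47A18977AA9D5CE36CEE184C"

# Record chain: propid (u32 LE), reserved (u32 LE, always 1), length (u32 LE), data.
# Whitespace below is only for readability and is stripped before decoding.
BLOB_HEX = """
030000000100000014000000 d89e3bd43d5d909b47a18977aa9d5ce36cee184c 140000000100000014000000 5379bf5aaa2b4acf5480e1d89bc09df2b20366cb
040000000100000010000000 285ec909c4ab0d2d57f5086b225799aa 0f0000000100000030000000 13baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9
190000000100000010000000 ea6089055218053dd01e37e1d806eedf 5c0000000100000004000000 00100000 180000000100000010000000 2aa1c05e2ae606f198c2c5e937c97aa2
200000000100000085050000
3082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e63686573746572
3110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573
301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479
311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479
30820222300d06092a864886f70d01010105000382020f003082020a0282020100
80126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264
db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e712
3a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0e
a566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d
00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f55
2eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001
a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff
30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c
303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100
188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a1
7d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f
5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95
"""

PROP_NAMES = {3: "CERT_SHA1_HASH_PROP_ID", 4: "CERT_MD5_HASH_PROP_ID",
              15: "CERT_SIGNATURE_HASH_PROP_ID", 20: "CERT_KEY_IDENTIFIER_PROP_ID",
              24: "CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID",
              25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID", 32: "CERT_CERT_PROP_ID"}


def parse_blob(blob):
    """Walk the record chain; return [(propid, data), ...] in store order."""
    records, off = [], 0
    while off < len(blob):
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"bad reserved field {reserved} at offset {off}")
        off += 12
        records.append((propid, blob[off:off + length]))
        off += length
    if off != len(blob):
        raise ValueError("blob truncated inside its last record")
    return records


def der_strings(der):
    """Minimal DER walk: descend into constructed values and collect the
    UTF8String (0x0c), PrintableString (0x13) and UTCTime (0x17) primitives."""
    found = []

    def walk(buf):
        off = 0
        while off < len(buf):
            tag, length = buf[off], buf[off + 1]
            off += 2
            if length & 0x80:                       # long-form length
                n = length & 0x7F
                length, off = int.from_bytes(buf[off:off + n], "big"), off + n
            body, off = buf[off:off + length], off + length
            if tag & 0x20:                          # constructed: SEQUENCE, SET, [n]
                walk(body)
            elif tag in (0x0C, 0x13, 0x17):
                found.append(body.decode("utf-8"))

    walk(der)
    return found


def summarize(blob_hex, key_name):
    """Decode one Blob and check it against the registry key it was stored under."""
    records = parse_blob(bytes.fromhex("".join(blob_hex.split())))
    props = dict(records)                 # property IDs are unique per store entry
    der = props[32]
    return {
        "properties": [PROP_NAMES.get(p, f"prop_{p}") for p, _ in records],
        "cert_len": len(der),
        "stored_sha1_is_key_name": props[3].hex().upper() == key_name.upper(),
        "der_sha1_is_key_name": hashlib.sha1(der).hexdigest().upper() == key_name.upper(),
        "strings": der_strings(der),
    }


if __name__ == "__main__":
    for k, v in summarize(BLOB_HEX, REG_KEY_NAME).items():
        print(f"{k}: {v}")
```

The same parser applies to any value under SystemCertificates\*\Certificates\<thumbprint>\Blob; when a sample really does install a trust anchor, the key will be under ROOT and the DER will be self-signed (issuer equal to subject), which der_strings makes immediately visible.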
Suspicious behavior: EnumeratesProcesses (38 IoCs)
  pid   process                                                                          entries
  3904  c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe  8
  3288  WerFault.exe                                                                     15
  3612  WerFault.exe                                                                     15
Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Token: SeDebugPrivilege          3904  c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe
  Token: SeTakeOwnershipPrivilege  3904  c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe
  Token: SeBackupPrivilege         3332  vssvc.exe
  Token: SeRestorePrivilege        3332  vssvc.exe
  Token: SeAuditPrivilege          3332  vssvc.exe
  Token: SeDebugPrivilege          3288  WerFault.exe
  Token: SeShutdownPrivilege       1768  explorer.exe  (5 entries, alternating with the next)
  Token: SeCreatePagefilePrivilege 1768  explorer.exe  (5 entries)
  Token: SeDebugPrivilege          3612  WerFault.exe
The sample itself enables SeDebugPrivilege and SeTakeOwnershipPrivilege; the latter lets it take ownership of files whose ACL would otherwise block the encryption. vssvc.exe enabling backup, restore and audit privileges shows the Volume Shadow Copy service was started during the run (WMI's unsecapp.exe also appears in the process tree), but no vssadmin or WMI shadow-copy deletion command line is captured in this report, so shadow-copy removal is not confirmed here. The explorer.exe and WerFault.exe entries are side effects of the Explorer crash rather than sample activity.
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid process
1768 explorer.exe (4 entries)
-
Suspicious use of SendNotifyMessage 8 IoCs
Processes:
pid process
1768 explorer.exe (8 entries)
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description pid process target process
PID 3904 wrote to memory of 1076: 3904 c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe -> 1076 netsh.exe (3 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe"
Tree depth: 1
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3904
-
  C:\Windows\SysWOW64\netsh.exe
  Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
  Tree depth: 2 (nested under PID 3904)
  PID: 1076
-
C:\Windows\system32\wbem\unsecapp.exe
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
Tree depth: 1
PID: 3736
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree depth: 1
- Suspicious use of AdjustPrivilegeToken
PID: 3332
-
C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -u -p 2996 -s 2848
Tree depth: 1
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3288
-
C:\Windows\explorer.exe
Command line: explorer.exe
Tree depth: 1
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1768
-
  C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 1768 -s 2044
  Tree depth: 2 (nested under PID 1768)
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3612
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini
MD5 7af2f291791453e652ffb9f66f7e389d
SHA1 9c989fef6b36968142c03e359609e85d509b867a
SHA256 4c41eb2f0c38a2a5a51cf9e2b54e042395016e52d9b8737cae45be42577da8e9
SHA512 82c7e640d317f2fb110b7182e3d2bb068ffed3f4b18dc22ed7cb704b945b473e175b216b57186f7e029e501338d6012a05e2944bba983632086e66e68a24bf72
-
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.5e4p9xj2s4
MD5 7bd5cae22b7d92d3789f805f2536332b
SHA1 93cc3deda7e5b6108e7f7dfbcb306cb6f84f465d
SHA256 bd074e27f164f4cc06538fe1f30373aa32cd355e6437f6d3ad8bdbc36e3c3470
SHA512 3dd04f75138d6a404ce1b3c2d179bed8cdbf0c7dc583c48e7113fb86a0846d5ecc55a029ad16795b89f830be7f204b47442f78f68f3ba8fe025e2301a0b4f1bc
-
memory/1076-114-0x0000000000000000-mapping.dmp