Analysis Overview
SHA256
3a7ce9c2729308e680c439e4032c63ff32d83f6d66ab2528d2fadb8ca7f08274
Threat Level: Known bad
The file 6123373352222720.zip was found to be: Known bad.
Malicious Activity Summary
Babuk Locker
CryptBot
Deletes shadow copies
Downloads MZ/PE file
Modifies extensions of user files
Executes dropped EXE
Blocklisted process makes network request
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Enumerates connected drives
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Delays execution with timeout.exe
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-06-30 07:26
Signatures
Analysis: behavioral4
Detonation Overview
Submitted
2021-06-30 07:26
Reported
2021-06-30 07:37
Platform
win10v20210410
Max time kernel
578s
Max time network
564s
Command Line
Signatures
CryptBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OdrQmN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yicfumdxu.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OdrQmN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1580 set thread context of 3416 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\foler\olader\acppage.dll | C:\Users\Admin\AppData\Local\Temp\OdrQmN.exe | N/A |
| File created | C:\Program Files (x86)\foler\olader\adprovider.dll | C:\Users\Admin\AppData\Local\Temp\OdrQmN.exe | N/A |
| File created | C:\Program Files (x86)\foler\olader\acledit.dll | C:\Users\Admin\AppData\Local\Temp\OdrQmN.exe | N/A |
| File created | C:\PROGRA~3\Bklngfpngf\kgjocbpkfku.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\PROGRA~3\Bklngfpngf\Vhxwcgzi.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.com | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\327F54D1ED9BC4527F1A8A1735362B26453CA0A7 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\327F54D1ED9BC4527F1A8A1735362B26453CA0A7\Blob = 030000000100000014000000327f54d1ed9bc4527f1a8a1735362b26453ca0a720000000010000007802000030820274308201dda003020102020802d57c0134dd2278300d06092a864886f70d01010b0500305f3122302006035504030c1941413541204365727469666963617465205365727669636573311a3018060355040a0c11436f6d6f646f204341204c696d69746564310b30090603550406130247423110300e06035504070c0753616c666f7264301e170d3139303730313037333335385a170d3233303633303037333335385a305f3122302006035504030c1941413541204365727469666963617465205365727669636573311a3018060355040a0c11436f6d6f646f204341204c696d69746564310b30090603550406130247423110300e06035504070c0753616c666f726430819f300d06092a864886f70d010101050003818d0030818902818100ca7ee45f11a87de06156274faff29857c1ea76d751417c472b3d532c2ebda972f2baeca5702dd1b8db8736a21b21fb86b1197c13cda87b630731a4eab23a5660238ea2a0540425698616535b8036fcb6c9392a04901968e06d67baeb187aa0d0f5a3a095c7b6b1d910ff8078bd1f7068dbdea5c5807922f59850aae4c011f9690203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821941413541204365727469666963617465205365727669636573300d06092a864886f70d01010b05000381810009779de50065a3230e7338f2d76b92d2c7d61dd44b6d6cfb35b55b05e4b22d8f708983f75ca3da694d98faa6ac5867d08f02830a182d81a23fca93ef21b27003eb9343da99d00e1cf7b6a8e26de79decc44d454f3ecf63869006b25d0102c133eb261b11e8d5955ed7ec7d7c2f44eda27e9ebd1077e0cadcb11e079196673476 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe
"C:\Users\Admin\AppData\Local\Temp\b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Ero.avi
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^nwOhgkZOkTAuHApAkWLoGKlGITnVtOaFGtNDNpuScYUkDxTFlwfAaAQOQoFxMrJvBUmDMFNePTNIPZehqSKrmRhuhZNFEMysfbKJUdSFgjLnMoY$" Bellissima.avi
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
Neghi.exe.com f
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\OdrQmN.exe"
C:\Users\Admin\AppData\Local\Temp\OdrQmN.exe
"C:\Users\Admin\AppData\Local\Temp\OdrQmN.exe"
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\osWauaoIuc & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Ella.mid
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ApgPFnDaQzNGcomssNqFbYhsjOZmoYlXyIDQobjHZzDEBDsixaEBxNGBWXCQntlRoQANFIoUAzFrcIPIbStQx$" Accade.mid
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.com
Ritroverai.exe.com p
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.com p
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
C:\Users\Admin\AppData\Local\Temp\yicfumdxu.exe
"C:\Users\Admin\AppData\Local\Temp\yicfumdxu.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dxvwqpkqve.vbs"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\YICFUM~1.TMP,S C:\Users\Admin\AppData\Local\Temp\YICFUM~1.EXE
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jwqyklelhu.vbs"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\PROGRA~3\BKLNGF~1\KGJOCB~1.TMP,UzkadVBpRw== C:\Users\Admin\AppData\Local\Temp\YICFUM~1.TMP
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 31801
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1515.tmp.ps1"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp27B5.tmp.ps1"
C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | vzafzaKZyPjuPzyqXmjakXJAq.vzafzaKZyPjuPzyqXmjakXJAq | udp |
| N/A | 8.8.8.8:53 | xeicqn27.top | udp |
| N/A | 157.230.42.171:80 | xeicqn27.top | tcp |
| N/A | 8.8.8.8:53 | morhef02.top | udp |
| N/A | 34.152.7.189:80 | morhef02.top | tcp |
| N/A | 8.8.8.8:53 | loppku02.top | udp |
| N/A | 47.243.129.23:80 | loppku02.top | tcp |
| N/A | 47.243.129.23:80 | loppku02.top | tcp |
| N/A | 8.8.8.8:53 | MpKwwoCuhiTaFZzvmjoL.MpKwwoCuhiTaFZzvmjoL | udp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | 2no.co | udp |
| N/A | 88.99.66.31:443 | 2no.co | tcp |
| N/A | 8.8.8.8:53 | felixrotor.com | udp |
| N/A | 45.91.67.130:80 | felixrotor.com | tcp |
| N/A | 23.254.229.122:80 | 23.254.229.122 | tcp |
| N/A | 66.85.185.120:443 | tcp | |
| N/A | 8.8.8.8:53 | iplogger.org | udp |
| N/A | 88.99.66.31:443 | iplogger.org | tcp |
| N/A | 66.85.185.120:443 | tcp | |
| N/A | 127.0.0.1:31801 | tcp | |
| N/A | 127.0.0.1:31802 | tcp | |
| N/A | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | localhost | udp |
| N/A | 66.85.185.120:443 | tcp |
Files
memory/3516-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ero.avi
| MD5 | 2dae040957f8c64e88fe86f0a4c2f808 |
| SHA1 | cd2761514cd5476b91d2ad71afc6e7262e4ff093 |
| SHA256 | b13352462e71902e29f75522288fee5d06bb3ba4f118a9c2d0b99e973cbc0f47 |
| SHA512 | 710b32deffb453a83ef8d45657c9713534947e2c7793c140392fe35f236dc6ac4c4869f4bef9d09bd6e61a09d8e8666b8dba9b5ea1bac8426f94e6d0b6a18e9e |
memory/4004-116-0x0000000000000000-mapping.dmp
memory/3700-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bellissima.avi
| MD5 | 827b69d060fa94961c8248f6582c4453 |
| SHA1 | 176d303d5562c7c7fe52c43139ef582796ad7b31 |
| SHA256 | 770a9db5a1c79806b604d664c5a1c4131c2aa916cdb00fd41748ebc255cdbb00 |
| SHA512 | 35c6b24d9f738ac6a72a35980e482ad22f10d516c4278589c308cf11b30068450491f3f1cfa381a9158b203348c00f7257f9751931c3932441eadb6a8e07bb68 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bruciavano.avi
| MD5 | 4d149178e76a876ae3c4a2a17136e5d5 |
| SHA1 | 586d90b45be60a58f038c84dd4c0903c0fdc9de1 |
| SHA256 | f0fac793ad1a0244696885f55af7f1e91056a23d6fa78160969a519c68a6950a |
| SHA512 | 72e8623d5deff052118672cc0018a758b0e4f8211c2b2efff2865438c63da3e586c1e1672d8201b516dc73304c58496483712663248f2d423dc2d2cbe2d6c381 |
memory/196-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/3160-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\f
| MD5 | 4d149178e76a876ae3c4a2a17136e5d5 |
| SHA1 | 586d90b45be60a58f038c84dd4c0903c0fdc9de1 |
| SHA256 | f0fac793ad1a0244696885f55af7f1e91056a23d6fa78160969a519c68a6950a |
| SHA512 | 72e8623d5deff052118672cc0018a758b0e4f8211c2b2efff2865438c63da3e586c1e1672d8201b516dc73304c58496483712663248f2d423dc2d2cbe2d6c381 |
memory/1492-124-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Affettuosa.avi
| MD5 | 959dc63c0d554533c3f7cd9ff0fe7cab |
| SHA1 | 33039814422bf243a8d977e3a54dc045c3fca827 |
| SHA256 | 7d1749ce94676c378032f4022040432f530a1f394c9184298c314e8b8e4c3a3e |
| SHA512 | 1959b4633927149dc77924537a95d7b5e5ce39e6307d0a5897b73fc8d90c48f80ce2b6691bfd5a6993b2266d23ee2d22e67eeaf46fd05aefbf43ef7751325114 |
memory/1492-127-0x0000000001CF0000-0x0000000001CF1000-memory.dmp
memory/3892-128-0x0000000000000000-mapping.dmp
memory/2548-129-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\OdrQmN.exe
| MD5 | 706598edd4e3a430a132df94fd9a56f7 |
| SHA1 | ea63ab79d3d7b66233fda1a67fbc967df72ff4ed |
| SHA256 | f694cc6fe218503e9995bd3499a1fe50741d14582ad04350d4cf80e5d6b7fc08 |
| SHA512 | d39184e1139f1631aa43c15d458287e96dd4d8c3b63038b21426788334fcc6d6d8b9d7ded30502db21b07b4fc0321272cc07b79386f5b04a46b5dd7154ff6d49 |
C:\Users\Admin\AppData\Local\Temp\OdrQmN.exe
| MD5 | 706598edd4e3a430a132df94fd9a56f7 |
| SHA1 | ea63ab79d3d7b66233fda1a67fbc967df72ff4ed |
| SHA256 | f694cc6fe218503e9995bd3499a1fe50741d14582ad04350d4cf80e5d6b7fc08 |
| SHA512 | d39184e1139f1631aa43c15d458287e96dd4d8c3b63038b21426788334fcc6d6d8b9d7ded30502db21b07b4fc0321272cc07b79386f5b04a46b5dd7154ff6d49 |
\Users\Admin\AppData\Local\Temp\nsq610D.tmp\UAC.dll
| MD5 | adb29e6b186daa765dc750128649b63d |
| SHA1 | 160cbdc4cb0ac2c142d361df138c537aa7e708c9 |
| SHA256 | 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08 |
| SHA512 | b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada |
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
| MD5 | 170b3c5f04ea154910c94f98178094f5 |
| SHA1 | f3f2dec2a512e031faab3869e4025d2b5f7d4bb2 |
| SHA256 | 7d104367742441045539b226d3518cffe17bf49bc71e7e084d7f4723a7cdfd02 |
| SHA512 | caca362cc052308481d01bdb7ad849430dc969f996042f80cb94e804862cff0913cf7d541e6a8383bd1130ff90f88eeeb0126f33e292603b18cdbc97da50506a |
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
| MD5 | 170b3c5f04ea154910c94f98178094f5 |
| SHA1 | f3f2dec2a512e031faab3869e4025d2b5f7d4bb2 |
| SHA256 | 7d104367742441045539b226d3518cffe17bf49bc71e7e084d7f4723a7cdfd02 |
| SHA512 | caca362cc052308481d01bdb7ad849430dc969f996042f80cb94e804862cff0913cf7d541e6a8383bd1130ff90f88eeeb0126f33e292603b18cdbc97da50506a |
memory/208-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
| MD5 | d2a8774352ad378e27c836eea047fe08 |
| SHA1 | 3809b2827085f67b4665a43cfd3f1d0c1b39177c |
| SHA256 | f3a51cad3a8188273a3cf44ee6a6b9de413d7508481bdd60b0e74d9c74510521 |
| SHA512 | 0d90a6e52addeeb303e37cfabf2276dea50edfd13680433118149766b82d444b0bbe55bdc69c4ee331876a2afcc509417b1801e4a90577ad9afd150b6ea538fd |
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
| MD5 | d2a8774352ad378e27c836eea047fe08 |
| SHA1 | 3809b2827085f67b4665a43cfd3f1d0c1b39177c |
| SHA256 | f3a51cad3a8188273a3cf44ee6a6b9de413d7508481bdd60b0e74d9c74510521 |
| SHA512 | 0d90a6e52addeeb303e37cfabf2276dea50edfd13680433118149766b82d444b0bbe55bdc69c4ee331876a2afcc509417b1801e4a90577ad9afd150b6ea538fd |
memory/3568-133-0x0000000000000000-mapping.dmp
memory/2268-139-0x0000000000000000-mapping.dmp
memory/2484-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\osWauaoIuc\files_\SCREEN~1.JPG
| MD5 | 3d401c1213efcc38838b252e514d627a |
| SHA1 | d61206154b266c840a20563fa659cfc963aadec3 |
| SHA256 | 8fbded3ebcca18e12f6810df079d1dd05067a91c71b57f1c0f005b7d975d355d |
| SHA512 | 9146f70813be20d908ee5bad079d9caefa6b0d4598ce2b841581c1d2a4af10a531ee9da6b2ec0e467ae02c8b5d9aa4c36ce5a533f35b59a85c0f174f7d0a784a |
C:\Users\Admin\AppData\Local\Temp\osWauaoIuc\OABNJD~1.ZIP
| MD5 | dae1dcd0ead2ab1c7005dfb7904b858f |
| SHA1 | a0de8037d6ba384601cba3c671b6477301e60361 |
| SHA256 | 0b59dba0053f0616344f11576e2c21f6244705c77c1362da7f9ebe4e509f6be9 |
| SHA512 | dff853e911a8d6919be7b3ba5baf02ab94ef4207cb1eeb1d3ee028fef585ccab5e0fcc7de3723e50d391052f7c77d6796b6d30ebe755645c9e76a515747c6062 |
C:\Users\Admin\AppData\Local\Temp\osWauaoIuc\JKBQEQ~1.ZIP
| MD5 | 908a854ff8a38da0fc551d5e5f9c7b93 |
| SHA1 | 8c286ed00f71003d24bba97575a8e654452b6866 |
| SHA256 | f64a7b952ca3673a30a51961d102ed6c3aa71524739785e3e2a7b19e7a9abd71 |
| SHA512 | 9c9992996eef0c52bc1df20a7a530deaae46232533eea7ea9fc98a4ad875b39d7d06b96c06bc5ebd7f15220f7ab57ca64a02d202e87b16bfe848766be7d35e9e |
C:\Users\Admin\AppData\Local\Temp\osWauaoIuc\files_\SYSTEM~1.TXT
| MD5 | ca5a8da045bab513c79103fc02692f3d |
| SHA1 | 77f0d9bf16732b1f2b2663643dcb18257e0da803 |
| SHA256 | 472216e84292b8fbbaf977666c32a54ac0c4b21c90895134e235ea5818066d7a |
| SHA512 | d96253d0ef58ac041dcb84092780b177b4da9d94897a64effe1821b940001a071a4caa3dde60337f1395f1cb4ee18ef43b16adbfa184056dbea5e6751686a2d2 |
C:\Users\Admin\AppData\Local\Temp\osWauaoIuc\_Files\_SCREE~1.JPE
| MD5 | 3d401c1213efcc38838b252e514d627a |
| SHA1 | d61206154b266c840a20563fa659cfc963aadec3 |
| SHA256 | 8fbded3ebcca18e12f6810df079d1dd05067a91c71b57f1c0f005b7d975d355d |
| SHA512 | 9146f70813be20d908ee5bad079d9caefa6b0d4598ce2b841581c1d2a4af10a531ee9da6b2ec0e467ae02c8b5d9aa4c36ce5a533f35b59a85c0f174f7d0a784a |
memory/3464-149-0x0000000000000000-mapping.dmp
memory/3724-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\osWauaoIuc\_Files\_INFOR~1.TXT
| MD5 | 966ebe41c61478985a78477663451a27 |
| SHA1 | df361983ec6958296c932ceb34ff5e54d88db41e |
| SHA256 | 55a363a1b0cc300e5e57a0a6822e25665e811de01c6bed03e0aff0b61ff581e7 |
| SHA512 | e6607d531e05dfc1d3bd75a7c48018963b62bb7a8290ce49a2eb6729bd1cd7d99ebfa13c351ffbc00c48b233e32cfa6bd15643a37c95447c744fffe49b30e99f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ella.mid
| MD5 | 027558b9fb57e90aceba66490f286c94 |
| SHA1 | e1df247bd97a658223486e5163138c931fd06d77 |
| SHA256 | 8adf6f1430d85c615cb50dd6b5fe681e0bf51db6ae1e5593cae65483701dd086 |
| SHA512 | 33cda386e9fb92db30eb4bc628bca47b8363112095cde49d6957794f52d4735fe276a00a29a1c27b5d4f98622a2c14b61b660db00bcd684f68a99921559e0004 |
memory/680-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Accade.mid
| MD5 | f9f90f629c9c8f7e25aee515fa23e32b |
| SHA1 | 1a23918042c75f3ec8e5d1913239f18c57378224 |
| SHA256 | f25f9dd42b582da6e19ce0f287a8e4086fa59381173265bc98f19859fdc0fe3d |
| SHA512 | 645bb4430f6230fd213a3735cfd9da48a98ed862b6fe0f08dc52cdd2fb2f2fba8931ff77cd8dc8e4126dba699aa6d4716e8c024cc0190cb43d0db36ad1211c3c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Nei.mid
| MD5 | f711e17a95c480b3c72512594947dd33 |
| SHA1 | a13a93f65efc31b3d655b346f557cca5f374b51e |
| SHA256 | fa5ffcd883c567cfd0711de936aecc53b6d3684e09e5a2aa03f1baf6ecb35a66 |
| SHA512 | cae837e77d4753edc65e8be307f82855be941433cc539cae40e4dfd3c349c754487f0ff8a971603e5fcb9a66bd924b5afa437aa309450f62f6495ba492dbb096 |
memory/3472-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/3184-155-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\p
| MD5 | f711e17a95c480b3c72512594947dd33 |
| SHA1 | a13a93f65efc31b3d655b346f557cca5f374b51e |
| SHA256 | fa5ffcd883c567cfd0711de936aecc53b6d3684e09e5a2aa03f1baf6ecb35a66 |
| SHA512 | cae837e77d4753edc65e8be307f82855be941433cc539cae40e4dfd3c349c754487f0ff8a971603e5fcb9a66bd924b5afa437aa309450f62f6495ba492dbb096 |
memory/3064-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Chi.mid
| MD5 | 90cab252cbfb1a4bdc685f0e4afa707a |
| SHA1 | f87648a30afe3193e803d445f19561bc2cbcde4e |
| SHA256 | e9dc003a1d6b1d6bef21a8d3d28b82c084f73a687ca7f4a770159f58ac4ef0fc |
| SHA512 | 9cddfc991ea53e37facdf9ac9bed608698b9e827c7a238a9a9df8b0f3937b4ce5c4ef518b79c9c5413b52fbeb2d176708331e0053c10c44d977e533531b739af |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/208-161-0x0000000000550000-0x0000000000576000-memory.dmp
memory/208-162-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2660-163-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
| MD5 | d2a8774352ad378e27c836eea047fe08 |
| SHA1 | 3809b2827085f67b4665a43cfd3f1d0c1b39177c |
| SHA256 | f3a51cad3a8188273a3cf44ee6a6b9de413d7508481bdd60b0e74d9c74510521 |
| SHA512 | 0d90a6e52addeeb303e37cfabf2276dea50edfd13680433118149766b82d444b0bbe55bdc69c4ee331876a2afcc509417b1801e4a90577ad9afd150b6ea538fd |
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
| MD5 | d2a8774352ad378e27c836eea047fe08 |
| SHA1 | 3809b2827085f67b4665a43cfd3f1d0c1b39177c |
| SHA256 | f3a51cad3a8188273a3cf44ee6a6b9de413d7508481bdd60b0e74d9c74510521 |
| SHA512 | 0d90a6e52addeeb303e37cfabf2276dea50edfd13680433118149766b82d444b0bbe55bdc69c4ee331876a2afcc509417b1801e4a90577ad9afd150b6ea538fd |
memory/2660-167-0x0000000000400000-0x000000000045B000-memory.dmp
memory/3064-168-0x00000000013D0000-0x000000000147E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/2824-170-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\yicfumdxu.exe
| MD5 | 5fe07471980b7f36719d29cbed9fc18c |
| SHA1 | 3d8feb77fa34e480ac0e9806a30a9f9dd601c3fa |
| SHA256 | 04e0b8caecd18df59efd6b937299996c1eeb2298571838ef5fc821209ac84eb7 |
| SHA512 | 2cd343914a7dd55a2a38ec54825ea80466b5c02d599ce27ca9b53254b315c6d521753aa610bcbd6402feb228e1e4033896f4c1f8cd2242f7d6bf4b0f05919b06 |
C:\Users\Admin\AppData\Local\Temp\yicfumdxu.exe
| MD5 | 5fe07471980b7f36719d29cbed9fc18c |
| SHA1 | 3d8feb77fa34e480ac0e9806a30a9f9dd601c3fa |
| SHA256 | 04e0b8caecd18df59efd6b937299996c1eeb2298571838ef5fc821209ac84eb7 |
| SHA512 | 2cd343914a7dd55a2a38ec54825ea80466b5c02d599ce27ca9b53254b315c6d521753aa610bcbd6402feb228e1e4033896f4c1f8cd2242f7d6bf4b0f05919b06 |
memory/2204-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dxvwqpkqve.vbs
| MD5 | f8528b229db39b897dbd6986564e54e9 |
| SHA1 | 55ae143cbbabd38b70e896525a2e876b3cdad287 |
| SHA256 | 84f5cdda21fe0cc3599019c8b6d5b6148c1f316708e64123eb549b03bc653cd5 |
| SHA512 | c71a46b525be0b2706dad47bfee24596772d12eac19d9c815f8e22646b4912fd8c3fc7a7b4a83bd6a10bcde3f297170b750d78d9d7c1c751daedc6e685f15a4f |
memory/3280-175-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\YICFUM~1.TMP
| MD5 | 0f08891ac02021c199af8c6f0ed7b108 |
| SHA1 | 946299fa83884244ae1436be3d891db01255ca41 |
| SHA256 | dae134576145a0fe36a5824afb34d60aaa20cdc91935c81366afee1e8bc7e601 |
| SHA512 | e5c76715836eadb1a2c5246f569193e700c28184f4378f1df780db475eeb352d27cc9e2f15dae63d046472301fe27c213c86d4efff97533e0530106b3d9f53bb |
\Users\Admin\AppData\Local\Temp\YICFUM~1.TMP
| MD5 | 0f08891ac02021c199af8c6f0ed7b108 |
| SHA1 | 946299fa83884244ae1436be3d891db01255ca41 |
| SHA256 | dae134576145a0fe36a5824afb34d60aaa20cdc91935c81366afee1e8bc7e601 |
| SHA512 | e5c76715836eadb1a2c5246f569193e700c28184f4378f1df780db475eeb352d27cc9e2f15dae63d046472301fe27c213c86d4efff97533e0530106b3d9f53bb |
\Users\Admin\AppData\Local\Temp\YICFUM~1.TMP
| MD5 | 0f08891ac02021c199af8c6f0ed7b108 |
| SHA1 | 946299fa83884244ae1436be3d891db01255ca41 |
| SHA256 | dae134576145a0fe36a5824afb34d60aaa20cdc91935c81366afee1e8bc7e601 |
| SHA512 | e5c76715836eadb1a2c5246f569193e700c28184f4378f1df780db475eeb352d27cc9e2f15dae63d046472301fe27c213c86d4efff97533e0530106b3d9f53bb |
memory/3280-179-0x0000000004240000-0x000000000437F000-memory.dmp
memory/2824-180-0x00000000049E0000-0x0000000004AB6000-memory.dmp
memory/2824-181-0x0000000004BA0000-0x0000000004C8B000-memory.dmp
memory/2824-182-0x0000000000400000-0x0000000004495000-memory.dmp
memory/2568-183-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\jwqyklelhu.vbs
| MD5 | 217d1727a8ded93712b5c0dbe3797d35 |
| SHA1 | 648d9835637620c73f0df0de97c4281c54b53261 |
| SHA256 | 65401d01c4e27e10455351809111a8934d21eab5989e4f33034125770b51eec8 |
| SHA512 | 745e5290fdb03ceb50f6bd84bd4f2da2c4ee972d622dcf6753813d3eb422c0b60d178499375a2b870383ca14e9eb3c57119a4fdbbe1e8d9795be7a66cd84a53b |
memory/1580-185-0x0000000000000000-mapping.dmp
C:\PROGRA~3\BKLNGF~1\KGJOCB~1.TMP
| MD5 | 88d6b8dff30209e5f514e3be70207baa |
| SHA1 | be4106dcd9b37c6ee000f3a0548fd4ed58d8dfef |
| SHA256 | b33636aa33fda8ae2d5b0b17039dbfac0c040b887c0bce43c75ccff1ae24d360 |
| SHA512 | 0838efb166936d1dff087264b65b1356ad06761ae8ade95c32ceea0df6f6d230b361409b2eac229df974c3d1936a00a186a183c215d6c9bdb6b202adceb5326f |
\PROGRA~3\BKLNGF~1\KGJOCB~1.TMP
| MD5 | 88d6b8dff30209e5f514e3be70207baa |
| SHA1 | be4106dcd9b37c6ee000f3a0548fd4ed58d8dfef |
| SHA256 | b33636aa33fda8ae2d5b0b17039dbfac0c040b887c0bce43c75ccff1ae24d360 |
| SHA512 | 0838efb166936d1dff087264b65b1356ad06761ae8ade95c32ceea0df6f6d230b361409b2eac229df974c3d1936a00a186a183c215d6c9bdb6b202adceb5326f |
C:\PROGRA~3\Bklngfpngf\Vhxwcgzi.tmp
| MD5 | e74647a73f67ccb58dbcab436648b451 |
| SHA1 | b9a6420520ea810366321f6d17d81e3a74485fb8 |
| SHA256 | 77ad994734b8bf51206db5c18775580de6d84625452afef42bcbdbc85ae45ad0 |
| SHA512 | ef6cf42bf81743e397989e559c050399591e2eddad8806dba7a92bff56702835e335c0a52109a6b572c0fd75c54a31a5db3c991d1633c2ded5393207f873857c |
memory/3416-195-0x00007FF6DCFD5FD0-mapping.dmp
memory/3416-199-0x00000000003A0000-0x0000000000540000-memory.dmp
memory/3416-200-0x0000018E26890000-0x0000018E26A41000-memory.dmp
memory/1580-198-0x0000000003280000-0x0000000003281000-memory.dmp
memory/2332-201-0x0000000000000000-mapping.dmp
memory/2332-204-0x0000000006830000-0x0000000006831000-memory.dmp
memory/2332-205-0x0000000006EA0000-0x0000000006EA1000-memory.dmp
memory/2332-206-0x00000000067E0000-0x00000000067E1000-memory.dmp
memory/2332-207-0x00000000067E2000-0x00000000067E3000-memory.dmp
memory/2332-208-0x0000000007580000-0x0000000007581000-memory.dmp
memory/2332-209-0x0000000007800000-0x0000000007801000-memory.dmp
memory/2332-210-0x0000000007720000-0x0000000007721000-memory.dmp
memory/2332-211-0x0000000007890000-0x0000000007891000-memory.dmp
memory/2332-212-0x0000000007BE0000-0x0000000007BE1000-memory.dmp
memory/2332-213-0x0000000008150000-0x0000000008151000-memory.dmp
memory/2332-214-0x0000000008040000-0x0000000008041000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1515.tmp.ps1
| MD5 | 0583ac9bf16b2c18b6293567e8afaa23 |
| SHA1 | 38752d0927588c3cad884f32ac2fc7d4515a0ac2 |
| SHA256 | 349f91dcc691d6155c6cafca32504399fd768db8f6b740d36ee8fc2f2ed7f6ee |
| SHA512 | 7ac7c51de5545cc598ebc58205feaf142cac32439cf56f32c76f56096fd5e0f538a236b9e9511289ebfedfbb4e0c93bddee8c1d37777c6916e295c42339e71fd |
memory/2332-216-0x00000000080F0000-0x00000000080F1000-memory.dmp
memory/2332-221-0x00000000097A0000-0x00000000097A1000-memory.dmp
memory/2332-222-0x0000000008F30000-0x0000000008F31000-memory.dmp
memory/2332-223-0x0000000009000000-0x0000000009001000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1516.tmp
| MD5 | c416c12d1b2b1da8c8655e393b544362 |
| SHA1 | fb1a43cd8e1c556c2d25f361f42a21293c29e447 |
| SHA256 | 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046 |
| SHA512 | cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c |
memory/2332-226-0x00000000067E3000-0x00000000067E4000-memory.dmp
memory/1832-227-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 47eebe401625bbc55e75dbfb72e9e89a |
| SHA1 | db3b2135942d2532c59b9788253638eb77e5995e |
| SHA256 | f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3 |
| SHA512 | 590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56 |
memory/1832-236-0x0000000007950000-0x0000000007951000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 98da7b7681dcd6dc5a83c23c305b16d3 |
| SHA1 | 60c052e533b0f61e6beddb98fb04de6caebea265 |
| SHA256 | cb14f7a2e1b416bde2ec1763e5b89393952022bfbabe6a38eaa6db9158f9291a |
| SHA512 | a6399d9f950a5b641b2a15cd70fc6d6f6fe8688abd2f39f8573ee15c4507e3cc6e5d10d4c74fa4b17c8fb99b25843d829b759576ff613a50199a5e0cd06e1b0b |
memory/1832-239-0x0000000007F00000-0x0000000007F01000-memory.dmp
memory/1832-240-0x0000000006940000-0x0000000006941000-memory.dmp
memory/1832-242-0x0000000006942000-0x0000000006943000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp27B5.tmp.ps1
| MD5 | a27550ac69b77cc27c30bf5553c5d696 |
| SHA1 | 75d2b1b95e019a67f93ac9f238f6f8ab0acb746f |
| SHA256 | be8cf59e4b42f09631b1d57c69258f01b5b8306c59d1c847cc5329327c5206b8 |
| SHA512 | 5852840fb5c56e2ae1964b7e049a88cdf28d21deae0f37296eae43e8455ad46e9622270ebc2d051fa49d9c24a72ad210615604411238f1c35d7ebae14f76506d |
memory/4036-250-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp27B6.tmp
| MD5 | 1860260b2697808b80802352fe324782 |
| SHA1 | f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b |
| SHA256 | 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1 |
| SHA512 | d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f |
memory/4008-253-0x0000000000000000-mapping.dmp
memory/1832-254-0x0000000006943000-0x0000000006944000-memory.dmp
memory/1020-255-0x0000000000000000-mapping.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2021-06-30 07:26
Reported
2021-06-30 07:37
Platform
win7v20210408
Max time kernel
191s
Max time network
44s
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053.exe
"C:\Users\Admin\AppData\Local\Temp\d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
Files
memory/1900-60-0x0000000075B31000-0x0000000075B33000-memory.dmp
memory/1592-61-0x0000000000000000-mapping.dmp
memory/1540-62-0x0000000000000000-mapping.dmp
memory/1900-63-0x0000000000220000-0x0000000000235000-memory.dmp
memory/1900-64-0x0000000000400000-0x00000000004D7000-memory.dmp
memory/240-65-0x0000000000000000-mapping.dmp
memory/960-66-0x0000000000000000-mapping.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2021-06-30 07:26
Reported
2021-06-30 07:37
Platform
win10v20210410
Max time kernel
329s
Max time network
526s
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\DisableMerge.png => C:\Users\Admin\Pictures\DisableMerge.png.babyk | C:\Users\Admin\AppData\Local\Temp\d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DisableMerge.png.babyk | C:\Users\Admin\AppData\Local\Temp\d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ImportDismount.crw => C:\Users\Admin\Pictures\ImportDismount.crw.babyk | C:\Users\Admin\AppData\Local\Temp\d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ImportDismount.crw.babyk | C:\Users\Admin\AppData\Local\Temp\d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ReceiveUnregister.crw => C:\Users\Admin\Pictures\ReceiveUnregister.crw.babyk | C:\Users\Admin\AppData\Local\Temp\d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ReceiveUnregister.crw.babyk | C:\Users\Admin\AppData\Local\Temp\d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053.exe
"C:\Users\Admin\AppData\Local\Temp\d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
Files
memory/3836-114-0x0000000000000000-mapping.dmp
memory/2464-115-0x0000000000000000-mapping.dmp
memory/4048-116-0x0000000000600000-0x000000000074A000-memory.dmp
memory/4048-117-0x0000000000400000-0x00000000004D7000-memory.dmp
memory/1512-118-0x0000000000000000-mapping.dmp
memory/2056-119-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-06-30 07:26
Reported
2021-06-30 07:37
Platform
win7v20210410
Max time kernel
242s
Max time network
272s
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Modifies extensions of user files
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe
"C:\Users\Admin\AppData\Local\Temp\028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
Files
memory/640-59-0x0000000074F31000-0x0000000074F33000-memory.dmp
memory/1160-60-0x0000000000000000-mapping.dmp
memory/1980-61-0x0000000000000000-mapping.dmp
memory/268-62-0x0000000000000000-mapping.dmp
memory/1232-63-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-06-30 07:26
Reported
2021-06-30 07:37
Platform
win10v20210408
Max time kernel
300s
Max time network
542s
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\AddSplit.raw => C:\Users\Admin\Pictures\AddSplit.raw.babyk | C:\Users\Admin\AppData\Local\Temp\028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\AddSplit.raw.babyk | C:\Users\Admin\AppData\Local\Temp\028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GrantDisable.raw => C:\Users\Admin\Pictures\GrantDisable.raw.babyk | C:\Users\Admin\AppData\Local\Temp\028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\GrantDisable.raw.babyk | C:\Users\Admin\AppData\Local\Temp\028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe
"C:\Users\Admin\AppData\Local\Temp\028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
Files
memory/576-114-0x0000000000000000-mapping.dmp
memory/3220-115-0x0000000000000000-mapping.dmp
memory/1620-116-0x0000000000000000-mapping.dmp
memory/3336-117-0x0000000000000000-mapping.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2021-06-30 07:26
Reported
2021-06-30 07:37
Platform
win7v20210410
Max time kernel
360s
Max time network
361s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe
"C:\Users\Admin\AppData\Local\Temp\b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Ero.avi
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^nwOhgkZOkTAuHApAkWLoGKlGITnVtOaFGtNDNpuScYUkDxTFlwfAaAQOQoFxMrJvBUmDMFNePTNIPZehqSKrmRhuhZNFEMysfbKJUdSFgjLnMoY$" Bellissima.avi
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
Neghi.exe.com f
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com f
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | vzafzaKZyPjuPzyqXmjakXJAq.vzafzaKZyPjuPzyqXmjakXJAq | udp |
Files
memory/1684-60-0x0000000075011000-0x0000000075013000-memory.dmp
memory/2032-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ero.avi
| MD5 | 2dae040957f8c64e88fe86f0a4c2f808 |
| SHA1 | cd2761514cd5476b91d2ad71afc6e7262e4ff093 |
| SHA256 | b13352462e71902e29f75522288fee5d06bb3ba4f118a9c2d0b99e973cbc0f47 |
| SHA512 | 710b32deffb453a83ef8d45657c9713534947e2c7793c140392fe35f236dc6ac4c4869f4bef9d09bd6e61a09d8e8666b8dba9b5ea1bac8426f94e6d0b6a18e9e |
memory/1288-63-0x0000000000000000-mapping.dmp
memory/1228-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bellissima.avi
| MD5 | 827b69d060fa94961c8248f6582c4453 |
| SHA1 | 176d303d5562c7c7fe52c43139ef582796ad7b31 |
| SHA256 | 770a9db5a1c79806b604d664c5a1c4131c2aa916cdb00fd41748ebc255cdbb00 |
| SHA512 | 35c6b24d9f738ac6a72a35980e482ad22f10d516c4278589c308cf11b30068450491f3f1cfa381a9158b203348c00f7257f9751931c3932441eadb6a8e07bb68 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bruciavano.avi
| MD5 | 4d149178e76a876ae3c4a2a17136e5d5 |
| SHA1 | 586d90b45be60a58f038c84dd4c0903c0fdc9de1 |
| SHA256 | f0fac793ad1a0244696885f55af7f1e91056a23d6fa78160969a519c68a6950a |
| SHA512 | 72e8623d5deff052118672cc0018a758b0e4f8211c2b2efff2865438c63da3e586c1e1672d8201b516dc73304c58496483712663248f2d423dc2d2cbe2d6c381 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/1356-68-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/1632-70-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\f
| MD5 | 4d149178e76a876ae3c4a2a17136e5d5 |
| SHA1 | 586d90b45be60a58f038c84dd4c0903c0fdc9de1 |
| SHA256 | f0fac793ad1a0244696885f55af7f1e91056a23d6fa78160969a519c68a6950a |
| SHA512 | 72e8623d5deff052118672cc0018a758b0e4f8211c2b2efff2865438c63da3e586c1e1672d8201b516dc73304c58496483712663248f2d423dc2d2cbe2d6c381 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/412-75-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Affettuosa.avi
| MD5 | 959dc63c0d554533c3f7cd9ff0fe7cab |
| SHA1 | 33039814422bf243a8d977e3a54dc045c3fca827 |
| SHA256 | 7d1749ce94676c378032f4022040432f530a1f394c9184298c314e8b8e4c3a3e |
| SHA512 | 1959b4633927149dc77924537a95d7b5e5ce39e6307d0a5897b73fc8d90c48f80ce2b6691bfd5a6993b2266d23ee2d22e67eeaf46fd05aefbf43ef7751325114 |
memory/412-79-0x00000000000B0000-0x00000000000B1000-memory.dmp