Analysis
max time kernel:   1200s
max time network:  372s
platform:          windows10_x64
resource:          win10v20210408
submitted:         14-07-2021 01:38

Behavioral task: behavioral1
Sample:    COMPRO.SEDEX-5.TIZOLPLIAXWUJUDLIJJLSNXSDAFMVG?.msi
Resource:  win10v20210408
(The "?" in the sample name stands for a character the report could not render; the command line in the process tree shows the on-disk name with "_" in that position.)

General
Target:  COMPRO.SEDEX-5.TIZOLPLIAXWUJUDLIJJLSNXSDAFMVG?.msi
Size:    282KB
MD5:     4c4b518cd235c9be37cd09c672f67a2f
SHA1:    fd35655bb7e9555862cba72211baad18e3389872
SHA256:  56629c6ce6d6975476fb7c10135882bafa55a04576e80d28cb8e0817e052e4d6
SHA512:  e2c9e12ab2bb446e9650b95bfd5907f9fc7a37d2da4db8400ba5b2390968082030368825e21eb9334fc7ce81e92b2c4937ba569ac80d5c69af50f1f523e4c0a2
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs

Blocklisted process makes network request  1 IoC
Processes:
  flow 10  PID 1568  MsiExec.exe
The process is the Windows Installer custom action server (MsiExec.exe -Embedding, see the process tree), not the installer itself; flow 10 is the request carrying the WinHttpRequest User-Agent listed under "Script User-Agent" below.

Executes dropped EXE  1 IoC
Processes:
  PID 1156  DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
Checks BIOS information in registry  2 TTPs, 2 IoCs
BIOS information is often read in order to detect sandboxing environments: on a virtual machine the SystemBiosVersion and VideoBiosVersion strings usually name the hypervisor vendor (VirtualBox, VMware, and so on), which makes them a cheap anti-analysis check.
Processes:
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
Drops startup file  1 IoC
Processes:
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YECXPSDSQT.lnk  MsiExec.exe

Loads dropped DLL  5 IoCs
Processes:
  PID 1568  MsiExec.exe  (2 records)
  PID 1156  DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe  (3 records)

YARA rule match: themida  3 IoCs
The rule fires on the dropped Avira.OE.NativeCore.dll (recorded under both \Users\Public\... and C:\Users\Public\...) and on the 34.6MB region 0x6C240000-0x6E4D2000 of PID 1156, consistent with that DLL being mapped into the dropped EXE. Themida is a commercial packer/protector, so the module's code is obfuscated on disk and has to be recovered from memory before static analysis.
Processes:
  resource                                                                       yara_rule
  \Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\Avira.OE.NativeCore.dll           themida
  C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\Avira.OE.NativeCore.dll         themida
  behavioral1/memory/1156-175-0x000000006C240000-0x000000006E4D2000-memory.dmp  themida
Adds Run key to start application  2 TTPs, 2 IoCs
Processes:
  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\Microsoft\Windows\CurrentVersion\Run  MsiExec.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\YECXPSDSQT = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\YECXPSDSQT.lnk"  MsiExec.exe
The Run value does not point at the payload directly but at the shortcut dropped into the Startup folder above, so the same .lnk is launched at logon by two mechanisms. Deleting the Run value alone leaves the Startup-folder copy active; the shortcut and its target are what have to go.

Checks whether UAC is enabled  1 IoC
Processes:
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
Enumerates connected drives  3 TTPs, 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  File opened (read-only)  \??\A:, \??\B:, \??\E: through \??\Z:  msiexec.exe (PIDs 1484 and 3676)
  Every drive letter except C: and D: was opened once by each of the two msiexec.exe instances, which accounts for the 48 records (24 letters x 2).
Drive enumeration by msiexec.exe itself is ordinary Windows Installer behaviour (volume costing before the install) and should not be weighted as an indicator for this sample; what matters is what the custom action server and the dropped EXE do afterwards.
Looks up external IP address via web service  1 IoC
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 17  ipinfo.io
Writes to the Master Boot Record (MBR)  1 TTP, 1 IoC
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  File opened for modification  \??\PhysicalDrive0  DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
The recorded IoC is a write-capable handle on the raw disk, not an observed write: opening \??\PhysicalDrive0 with write access is enough to fire this signature. Before calling this a bootkit, image sector 0 of the analysis VM's disk after the run and compare it with a clean baseline.
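The registry and file IoCs above can be triaged mechanically. The following Python is an added example written for this page, not sandbox output: it takes IoC records in the shape the report prints them ("description, ioc, process"), constructed here from the signature tables above, and maps each to the behaviour it indicates, including the two-stage persistence (a Run value whose data points at a shortcut dropped in the Startup folder) and the write-capable raw-disk handle. The tactic labels are this example's own shorthand, not ATT&CK IDs.

```python
"""Classify sandbox IoC records (registry reads/writes, file operations) into the
behaviours they indicate.  Added example for this page; the record strings are
constructed from the report's signature tables, the tactic labels are shorthand."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Values read to fingerprint a VM: on a virtual machine they usually name the hypervisor.
VM_FINGERPRINT_VALUES = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
}
UAC_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RAW_DISK_RE = re.compile(r"^\\\?\?\\PhysicalDrive\d+$", re.I)

# One record per line in the report's own order: description, ioc, process image.
RECORD_RE = re.compile(
    r"^(?P<desc>Key value queried|Key created|Set value \(str\)|File created|"
    r"File opened for modification)\s+(?P<ioc>.+?)\s+(?P<proc>\S+\.exe)$", re.I)


@dataclass(frozen=True)
class Finding:
    process: str
    tactic: str
    detail: str


def leaf(path: str) -> str:
    """Last component of a backslash-separated path or registry key."""
    return path.rsplit("\\", 1)[-1]


def classify(record: str) -> Optional[Finding]:
    m = RECORD_RE.match(record.strip())
    if not m:
        return None
    desc, ioc, proc = m["desc"].lower(), m["ioc"], m["proc"]
    if desc == "key value queried":
        if ioc in VM_FINGERPRINT_VALUES:
            return Finding(proc, "anti-sandbox", f"reads BIOS string {leaf(ioc)}")
        if ioc == UAC_VALUE:
            return Finding(proc, "uac-check", "reads EnableLUA (is UAC on?)")
    elif desc == "set value (str)":
        name, _, data = ioc.partition(" = ")
        data = data.strip('"').replace("\\\\", "\\")  # the report doubles backslashes in value data
        run = RUN_KEY_RE.search(name)
        if run:
            via = "Startup-folder shortcut" if STARTUP_DIR_RE.search(data) else "direct path"
            return Finding(proc, "persistence", f"Run value {run.group(1)} -> {leaf(data)} ({via})")
    elif desc == "file created":
        if STARTUP_DIR_RE.search(ioc) and ioc.lower().endswith(".lnk"):
            return Finding(proc, "persistence", f"drops {leaf(ioc)} in Startup folder")
    elif desc == "file opened for modification":
        if RAW_DISK_RE.match(ioc):
            return Finding(proc, "raw-disk-write-handle", f"writable handle on {ioc}")
    return None  # plain key creation, ordinary file writes etc. are not findings


def summarize(records: List[str]) -> Dict[str, Set[str]]:
    """tactic -> set of process images that exhibited it (unclassified records are dropped)."""
    out: Dict[str, Set[str]] = {}
    for rec in records:
        f = classify(rec)
        if f:
            out.setdefault(f.tactic, set()).add(f.process)
    return out


# Constructed from the signature tables above.
SAMPLE_RECORDS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe",
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YECXPSDSQT.lnk MsiExec.exe",
    r"Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\Microsoft\Windows\CurrentVersion\Run MsiExec.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\YECXPSDSQT = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\YECXPSDSQT.lnk" MsiExec.exe',
    r"File opened for modification \??\PhysicalDrive0 DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec))
    print(summarize(SAMPLE_RECORDS))
```

The "Key created ... \Run" record deliberately yields no finding: creating the Run key is noise, writing a value under it is the persistence. Feeding the function a full report's worth of records and grouping by process is the quickest way to see that every anti-analysis record here belongs to the dropped EXE while every persistence record belongs to the custom action server.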
Suspicious use of NtSetInformationThreadHideFromDebugger  1 IoC
Processes:
  PID 1156  DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
ThreadHideFromDebugger stops the calling thread's debug events from reaching an attached debugger; together with the BIOS-string reads above it forms the dropped EXE's anti-analysis layer.
Drops file in Windows directory  9 IoCs
Processes:
  File opened for modification  C:\Windows\Installer\MSI988D.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\  msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{A464F5F1-1FB0-4DC8-8F86-339084D9ADBB}  msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9168.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9AB1.tmp  msiexec.exe
  File created                  C:\Windows\Installer\f7490cc.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\f7490cc.msi  msiexec.exe
Eight of the nine are the Windows Installer service's own bookkeeping: the cached copy of the package (f7490cc.msi), the in-progress marker, the SourceHash file named after the package's product code {A464F5F1-1FB0-4DC8-8F86-339084D9ADBB}, and binaries extracted for custom actions (MSI*.tmp). The remaining record, the .NET Framework ngen.log, points to a .NET component being installed or compiled by the package. The product code and the cached .msi are the useful artefacts: the GUID can be searched for on other hosts to find further installs of the same package.
Enumerates physical storage devices  1 TTP
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No process is attributed to this signature in the report, and the "likely ransomware" tag is the sandbox's generic description. Nothing else recorded in this run (no mass file writes, no note written by the sample) supports that reading; the raw-disk handle worth following up is the PhysicalDrive0 record above.
Modifies registry class  2 IoCs
Processes:
  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings  OpenWith.exe
  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings  cmd.exe
Opens file in notepad (likely ransom note)  1 IoC
Processes:
  PID 2228  NOTEPAD.EXE
The file opened is C:\Users\Admin\AppData\Local\Temp\752221487\payload.dat, produced by a separate cmd.exe -> xcopy payload.dll payload.dat chain (see the process tree). That chain does not descend from msiexec.exe or the dropped EXE, so the "ransom note" heuristic fired on activity outside the sample's lineage, not on anything the sample wrote.
Script User-Agent  3 IoCs
Uses user-agent string associated with script host/environment.
Processes:
  HTTP User-Agent header  flow 10  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  flow 18  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  flow 20  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object, the HTTP client commonly driven from VBScript/JScript and from PowerShell via New-Object -ComObject. Flow 10 is the request attributed to MsiExec.exe (PID 1568) under "Blocklisted process makes network request" above; this exact string coming from msiexec.exe or MsiExec.exe is a cheap network detection for MSI droppers of this kind.
Suspicious behavior: EnumeratesProcesses  64 IoCs
Processes:
  PID 3676  msiexec.exe  (2 records)
  PID 1152  powershell.exe  (3 records)
  PID 1156  DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe  (59 records)
Suspicious behavior: GetForegroundWindowSpam  2 IoCs
Processes:
  PID 3712  OpenWith.exe
  PID 1156  DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
Suspicious use of AdjustPrivilegeToken  55 IoCs
Processes:
  PID 1484  msiexec.exe  (31 records)
    SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 3676  msiexec.exe  (15 records)
    SeSecurityPrivilege, then SeRestorePrivilege / SeTakeOwnershipPrivilege alternating (x7 each)
  PID 1152  powershell.exe  (1 record)
    SeDebugPrivilege
  PID 2508  AUDIODG.EXE  (2 records)
    privilege LUID 33 (SeIncreaseWorkingSetPrivilege, left unresolved by the sandbox), SeIncBasePriorityPrivilege
  PID 1156  DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe  (6 records)
    privilege LUID 33 (x3), SeIncBasePriorityPrivilege (x3)
The PID 1484 block is the Windows Installer client enabling every privilege present in its token at start-up, and the Restore/TakeOwnership pairs on PID 3676 are the service writing under C:\Windows\Installer; neither is specific to this sample. The dropped EXE adjusts only the same two privileges AUDIODG.EXE does, which affect its own working set and scheduling priority and grant nothing beyond the process itself.
Suspicious use of FindShellTrayWindow  3 IoCs
Processes:
  PID 1484  msiexec.exe  (2 records)
  PID 1568  MsiExec.exe

Suspicious use of SendNotifyMessage  1 IoC
Processes:
  PID 1568  MsiExec.exe

Suspicious use of SetWindowsHookEx  17 IoCs
Processes:
  PID 3712  OpenWith.exe  (17 records)
Suspicious use of WriteProcessMemory  15 IoCs
Processes:
  PID 3676  msiexec.exe     -> PID 1568  MsiExec.exe                               (3 records)
  PID 1568  MsiExec.exe     -> PID 1152  powershell.exe                            (3 records)
  PID 1152  powershell.exe  -> PID 1156  DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe  (3 records)
  PID 3712  OpenWith.exe    -> PID 2228  NOTEPAD.EXE                               (2 records)
  PID 576   cmd.exe         -> PID 2436  xcopy.exe                                 (2 records)
  PID 2952  cmd.exe         -> PID 1568  zmstage.exe                               (2 records)
Read these as parent-to-child process creation rather than injection: the sandbox records the parent's writes into a child it has just created. PID 1568 appears twice with different images (MsiExec.exe, later zmstage.exe), indicating PID reuse within the run, so correlate on PID plus image name, not on the PID alone.
Processes
C:\Windows\system32\msiexec.exe  [depth 1]
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\COMPRO.SEDEX-5.TIZOLPLIAXWUJUDLIJJLSNXSDAFMVG_.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  [depth 1]
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe  [depth 2]
    C:\Windows\syswow64\MsiExec.exe -Embedding 94A2633D9A3D5655E909ABF7F4CAC435
    - Blocklisted process makes network request
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [depth 3]
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cd\;cd 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup';Start-Sleep -s 60;Invoke-Item 'YECXPSDSQT.lnk'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe  [depth 4]
        "C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe  [depth 1]
  "C:\Windows\system32\cmd.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\xcopy.exe  [depth 2]
    xcopy payload.dll payload.dat

C:\Windows\system32\OpenWith.exe  [depth 1]
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\NOTEPAD.EXE  [depth 2]
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\752221487\payload.dat
    - Opens file in notepad (likely ransom note)

C:\Windows\system32\AUDIODG.EXE  [depth 1]
  C:\Windows\system32\AUDIODG.EXE 0x310
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe  [depth 1]
  "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\752221487\zmstage.exe  [depth 2]
    zmstage.exe

Reading the tree: the chain that matters is msiexec.exe /V (the Windows Installer service, PID 3676) -> MsiExec.exe -Embedding (the 32-bit custom action server, PID 1568) -> powershell.exe (PID 1152) -> the dropped EXE (PID 1156). The custom action drops YECXPSDSQT.lnk into the Startup folder, registers it under the Run key, then spawns PowerShell to wait 60 seconds and open the shortcut, which is what launches the dropped EXE from C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\. The powershell.exe image is under SysWOW64 although the command line names System32 because the 32-bit custom action server is subject to WoW64 file-system redirection. The cmd.exe/xcopy.exe, OpenWith.exe/NOTEPAD.EXE, AUDIODG.EXE and cmd.exe/zmstage.exe chains sit at depth 1 with no parent in the sample's lineage.
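As an added example (not part of the sandbox output), the Python below rebuilds the lineage from the "PID X wrote to memory of Y" records in the WriteProcessMemory table, keyed on (PID, image name) because PID 1568 is used by both MsiExec.exe and, later, zmstage.exe, and decodes the powershell.exe command line to recover the delay and the item it opens. The record text and the command line are copied from this report; the root is the Windows Installer service msiexec.exe (PID 3676).

```python
"""Rebuild process lineage from the report's WriteProcessMemory records and decode
the PowerShell launcher.  Added example for this page, not sandbox output; the
record text and the command line are copied from the sections above."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Node = Tuple[int, str]  # (pid, image name): PIDs are reused within a run, so a PID alone is ambiguous

# Constructed from the "Suspicious use of WriteProcessMemory" table (one line per record, duplicates kept).
WRITE_RECORDS = """
PID 3676 wrote to memory of 1568 3676 msiexec.exe MsiExec.exe
PID 3676 wrote to memory of 1568 3676 msiexec.exe MsiExec.exe
PID 3676 wrote to memory of 1568 3676 msiexec.exe MsiExec.exe
PID 1568 wrote to memory of 1152 1568 MsiExec.exe powershell.exe
PID 3712 wrote to memory of 2228 3712 OpenWith.exe NOTEPAD.EXE
PID 1152 wrote to memory of 1156 1152 powershell.exe DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
PID 576 wrote to memory of 2436 576 cmd.exe xcopy.exe
PID 2952 wrote to memory of 1568 2952 cmd.exe zmstage.exe
"""
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

# Copied from the powershell.exe entry in the process tree.
PS_CMDLINE = (r"cd\;cd 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup';"
              r"Start-Sleep -s 60;Invoke-Item 'YECXPSDSQT.lnk'")


def parse_edges(text: str) -> Dict[Node, Set[Node]]:
    """parent -> children; one edge per distinct (pid, name) pair however many writes were logged."""
    edges: Dict[Node, Set[Node]] = defaultdict(set)
    for ppid, cpid, pname, cname in WRITE_RE.findall(text):
        edges[(int(ppid), pname)].add((int(cpid), cname))
    return edges


def descendants(edges: Dict[Node, Set[Node]], root: Node) -> Set[Node]:
    """Breadth-first walk from root; `seen` also guards against cycles in malformed input."""
    seen: Set[Node] = set()
    queue: List[Node] = [root]
    while queue:
        node = queue.pop(0)
        for child in edges.get(node, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def split_lineage(text: str, root: Node = (3676, "msiexec.exe")) -> Tuple[List[Node], List[Node]]:
    """Processes that descend from the installer service vs. everything else in the table."""
    edges = parse_edges(text)
    inside = descendants(edges, root)
    everything = set(edges) | {c for children in edges.values() for c in children}
    outside = everything - inside - {root}
    return sorted(inside), sorted(outside)


def decode_launcher(cmdline: str) -> Dict[str, object]:
    """Pull working directory, delay and opened item out of a `cd ...; Start-Sleep ...; Invoke-Item ...` one-liner."""
    cwd = re.search(r"cd\s+'([^']+)'", cmdline, re.I)
    delay = re.search(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", cmdline, re.I)
    item = re.search(r"Invoke-Item\s+'([^']+)'", cmdline, re.I)
    return {
        "working_dir": cwd.group(1) if cwd else None,
        "delay_seconds": int(delay.group(1)) if delay else 0,
        "item": item.group(1) if item else None,
    }


if __name__ == "__main__":
    inside, outside = split_lineage(WRITE_RECORDS)
    print("installer lineage:", inside)
    print("not descended from the installer:", outside)
    print(decode_launcher(PS_CMDLINE))
```

Keying on (PID, image) is what keeps zmstage.exe out of the installer lineage: by PID alone it would inherit MsiExec.exe's place under msiexec.exe and the tree would be wrong. The 60-second sleep before Invoke-Item is also the value to feed back into sandbox configuration: a run shorter than that never reaches the dropped EXE.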
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\MSI48a63.LOG
  MD5     e6a2c968cfcd69702da6f68c6b54597f
  SHA1    30432805e6aad2ddb74be04c5bb2811a33adbd97
  SHA256  16ad8c7be806989a721312e60ce529dd770a003cd4546511dc16b6007a5e1bf8
  SHA512  0ef3b74cb931e3d194a870e04e9d04daf017a30648406c9a4984fbf64c04c99352eae36fc84a442279b6d80bf539e7977cae967d9093573b5a73ecb1775486bc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YECXPSDSQT.lnk
  MD5     40a23750d365cefe1d6958f98c6278d8
  SHA1    0c861fff697d927f7ee8819e3ae269875b18050c
  SHA256  b8242f151d96a49989c335890e9bf940e6e0580139aeaa29890ae7aeaf8deb1d
  SHA512  19853ed3cc118959e82492a4ffc7bda4df44f5da4e70d3091d5e1590a4cd605ae6bcd4674bcbed9e4047fb592eabb4bc287de3ce4273488d7254f00f9a5d5581

C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\Avira.OE.NativeCore.dll
  (also listed as \Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\Avira.OE.NativeCore.dll, same hashes)
  MD5     759bbd553496e0fad10ed1e89f83ecf9
  SHA1    240a2c2c465660e46f19de5bd5cb58a6f3a2d92a
  SHA256  568829dea29381ac4f997a1db9625e6619511b6849b1ddd0338a2a41f2710f72
  SHA512  186abbcf425b0d8f64c38aeaceac208df001321a49814642441bc236d14b8a82f3ebcb8e1eff839eef6ad0f00ba4388e4eb46bf5b43c8b3582f7573625a377ef

C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
  (listed twice in the report with identical hashes)
  MD5     8cbb75febfb4b0b7c3b6d3613386220c
  SHA1    ba5493b08354aee85151b7bbd15150a1c3f03d1d
  SHA256  f495d7c5c98457febc42ec96a959293788f6915e4245899d3bb1808ab84f0d9a
  SHA512  8cb5f08f9e21fb6648f364869366ad09908be9e0317f95708a9e1931d30855cdfab199464bf5d72675bc1e166e8ce4645e6d0dca0d8d1c78428fbc77d4dd25fd

C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\MSVCP120.dll
  (also listed as \Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\msvcp120.dll, same hashes)
  MD5     fd5cabbe52272bd76007b68186ebaf00
  SHA1    efd1e306c1092c17f6944cc6bf9a1bfad4d14613
  SHA256  87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
  SHA512  1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\MSVCR120.dll
  (also listed as \Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\msvcr120.dll, same hashes)
  MD5     034ccadc1c073e4216e9466b720f9849
  SHA1    f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1
  SHA256  86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
  SHA512  5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

C:\Windows\Installer\MSI9168.tmp and C:\Windows\Installer\MSI988D.tmp
  (identical content; each is also listed without the drive letter as \Windows\Installer\MSI9168.tmp and \Windows\Installer\MSI988D.tmp)
  MD5     5c5bef05b6f3806106f8f3ce13401cc1
  SHA1    6005fbe17f6e917ac45317552409d7a60976db14
  SHA256  f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
  SHA512  97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

The dropped file names are borrowed from legitimate software: Avira.OE.NativeCore.dll is the name of an Avira component and MSVCP120.dll / MSVCR120.dll are the Visual C++ 2013 runtime. Pivot on the hashes above and on the random-looking directory name AFKYIYKYGWIFCSZGCWPY under C:\Users\Public\Downloads, not on the file names.
Memory dumps
powershell.exe (PID 1152)
  1152-126  mapping
  1152-129  0x0000000004920000-0x0000000004921000  4KB
  1152-130  0x0000000007430000-0x0000000007431000  4KB
  1152-131  0x0000000006DF0000-0x0000000006DF1000  4KB
  1152-132  0x0000000006DF2000-0x0000000006DF3000  4KB
  1152-133  0x0000000007290000-0x0000000007291000  4KB
  1152-134  0x0000000007AE0000-0x0000000007AE1000  4KB
  1152-135  0x0000000007A60000-0x0000000007A61000  4KB
  1152-136  0x0000000007D30000-0x0000000007D31000  4KB
  1152-137  0x0000000008140000-0x0000000008141000  4KB
  1152-138  0x0000000008470000-0x0000000008471000  4KB
  1152-139  0x00000000084C0000-0x00000000084C1000  4KB
  1152-144  0x00000000091F0000-0x00000000091F1000  4KB
  1152-145  0x0000000009110000-0x0000000009111000  4KB
  1152-146  0x0000000009180000-0x0000000009181000  4KB
  1152-147  0x0000000009820000-0x0000000009821000  4KB
  1152-152  0x000000000A3A0000-0x000000000A3A1000  4KB
  1152-173  0x0000000006DF3000-0x0000000006DF4000  4KB

DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe (PID 1156)
  1156-164  mapping
  1156-174  0x0000000077860000-0x00000000779EE000  1.6MB
  1156-175  0x000000006C240000-0x000000006E4D2000  34.6MB  (themida YARA match, see Signatures)
  1156-177  0x000000006C241000-0x000000006C6E7000  4.6MB
  1156-178  0x0000000000A50000-0x0000000000A51000  4KB

PID 1568 (MsiExec.exe, PID later reused by zmstage.exe)
  1568-119  mapping
  1568-181  mapping

NOTEPAD.EXE (PID 2228)
  2228-153  mapping

xcopy.exe (PID 2436)
  2436-176  mapping

The 4.6MB dump 1156-177 lies inside the 34.6MB region 1156-175 that matched the themida rule; those two dumps are the place to start when unpacking the Themida-protected module. The two mapping records for PID 1568 correspond to the two different images that carried that PID during the run.