Analysis
max time kernel: 133s
max time network: 181s
platform: windows7_x64
resource: win7v20210408
submitted: 26-07-2021 12:42

Static task: static1

Behavioral task: behavioral1
Sample: 04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe
Resource: win10v20210408

General
Target: 04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe
Size: 1.1MB
MD5: 44ff529219044aea635985dbb98b63f1
SHA1: b82193412b1cd9cb59d9bbaf30145cbdfb75b6b4
SHA256: 04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5
SHA512: 7b60a6038d5045821d019ce0368e604946a699c7d530277a9a08272f6e19e6cd97c20edf6c4263e0d125230dd486dc4a3128c8edc5e3bb65bb5a211b63ec9db3
Malware Config
Extracted (identical contents in each) from C:\README1.txt, C:\README2.txt, C:\README3.txt, C:\README4.txt, C:\README5.txt, C:\README6.txt, C:\README7.txt, C:\README8.txt, C:\README9.txt and C:\README10.txt:
pilotpilot088@gmail.com
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe
  File opened for modification C:\Users\Admin\Pictures\WatchConvert.tiff
  File opened for modification C:\Users\Admin\Pictures\ApproveExport.tiff
Yara rule match
Processes:
  resource behavioral1/memory/1968-62-0x0000000000400000-0x0000000000608000-memory.dmp matches yara rule upx
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: 04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 16: whatismyipaddress.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: 04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\3DE4AC9B3DE4AC9B.bmp"
Drops file in Program Files directory (64 IoCs)
Processes: 04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe (file opened for modification; 64 entries under C:\Program Files)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
  WerFault.exe (PID 1536), target PID 1352

Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  vssadmin.exe (PID 1848)
  vssadmin.exe (PID 576)
  vssadmin.exe (PID 568)

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe (PID 1968), 2 entries
  WerFault.exe (PID 1536), 5 entries

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  Token: SeBackupPrivilege, vssvc.exe (PID 620)
  Token: SeRestorePrivilege, vssvc.exe (PID 620)
  Token: SeAuditPrivilege, vssvc.exe (PID 620)
  Token: SeDebugPrivilege, WerFault.exe (PID 1536)

Suspicious use of UnmapMainImage (1 IoC)
Processes:
  04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe (PID 1968)

Suspicious use of WriteProcessMemory (28 IoCs)
Processes (each write below is recorded four times in the report):
  PID 1968 (04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe) wrote to memory of PID 568 (vssadmin.exe)
  PID 1968 (04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe) wrote to memory of PID 1848 (vssadmin.exe)
  PID 1968 (04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe) wrote to memory of PID 576 (vssadmin.exe)
  PID 1968 (04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe) wrote to memory of PID 1620 (cmd.exe)
  PID 1620 (cmd.exe) wrote to memory of PID 1216 (chcp.com)
  PID 1968 (04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe) wrote to memory of PID 548 (cmd.exe)
  PID 548 (cmd.exe) wrote to memory of PID 1548 (chcp.com)
Processes (process tree; child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04c4e2ad0699cc27f79c0b4f62a12ce8514aea55e5737628de293d81846cf7c5.sample.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe List Shadows
      - Interacts with shadow copies

    C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies

    C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe List Shadows
      - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com
          Command line: chcp

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com
          Command line: chcp

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 1352 -s 1864
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/548-70-0x0000000000000000-mapping.dmp
memory/568-63-0x0000000000000000-mapping.dmp
memory/576-65-0x0000000000000000-mapping.dmp
memory/1216-67-0x0000000000000000-mapping.dmp
memory/1536-68-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp (8KB)
memory/1536-69-0x0000000001CF0000-0x0000000001CF1000-memory.dmp (4KB)
memory/1548-71-0x0000000000000000-mapping.dmp
memory/1620-66-0x0000000000000000-mapping.dmp
memory/1848-64-0x0000000000000000-mapping.dmp
memory/1968-60-0x00000000002B0000-0x0000000000385000-memory.dmp (852KB)
memory/1968-61-0x0000000075DA1000-0x0000000075DA3000-memory.dmp (8KB)
memory/1968-62-0x0000000000400000-0x0000000000608000-memory.dmp (2.0MB)