Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 12:39
Static task: static1
Behavioral task: behavioral1
- Sample: d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
- Resource: win10v20210410
General
- Target: d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
- Size: 251KB
- MD5: 9140bc80d85e66e5409d13264137f50a
- SHA1: 702cb6bf175e31af579137a1b647e58324d359bc
- SHA256: d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce
- SHA512: 600170ce9465dc1c50fb28594da061468411ed4f07fe3a24298a6bde6f686b06357093506a93c3e03f291add98c80f827bae6f405ec8f2ad1ed00fa121465be5
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\README.hta
- http://xrhwryizf5mui7a5.dc2djf.top/2924-38E1-3BB4-0091-B011
- http://xrhwryizf5mui7a5.2wfe60.top/2924-38E1-3BB4-0091-B011
- http://xrhwryizf5mui7a5.onion.to/2924-38E1-3BB4-0091-B011
- http://xrhwryizf5mui7a5.onion/2924-38E1-3BB4-0091-B011
- https://www.baidu.com
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- suricata: ET MALWARE Ransomware/Cerber Checkin 2
- suricata: ET MALWARE Ransomware/Cerber Checkin M3 (3)
- suricata: ET MALWARE Ransomware/Cerber Onion Domain Lookup
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow | pid | process
    3273 | 1072 | mshta.exe
    3275 | 1072 | mshta.exe
    3277 | 1072 | mshta.exe
- Modifies extensions of user files (1 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\SubmitDismount.tiff | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    364 | cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid | process
    1060 | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp531F.bmp" | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 1060 set thread context of 2000 | 1060 | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
- Drops file in Program Files directory (6 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
    File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes:
    pid | process
    1524 | taskkill.exe
- Modifies Internet Explorer settings
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid | process
    2000 | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe (all 64 entries report this same pid and process)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid | process
    1060 | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2000 | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
    Token: SeIncreaseQuotaPrivilege | 1532 | WMIC.exe
    Token: SeSecurityPrivilege | 1532 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 1532 | WMIC.exe
    Token: SeLoadDriverPrivilege | 1532 | WMIC.exe
    Token: SeSystemProfilePrivilege | 1532 | WMIC.exe
    Token: SeSystemtimePrivilege | 1532 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 1532 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 1532 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 1532 | WMIC.exe
    Token: SeBackupPrivilege | 1532 | WMIC.exe
    Token: SeRestorePrivilege | 1532 | WMIC.exe
    Token: SeShutdownPrivilege | 1532 | WMIC.exe
    Token: SeDebugPrivilege | 1532 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 1532 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 1532 | WMIC.exe
    Token: SeUndockPrivilege | 1532 | WMIC.exe
    Token: SeManageVolumePrivilege | 1532 | WMIC.exe
    Token: 33 | 1532 | WMIC.exe
    Token: 34 | 1532 | WMIC.exe
    Token: 35 | 1532 | WMIC.exe
    (the 20 WMIC.exe token entries above are recorded twice in the report, 40 entries in total)
    Token: SeBackupPrivilege | 744 | vssvc.exe
    Token: SeRestorePrivilege | 744 | vssvc.exe
    Token: SeAuditPrivilege | 744 | vssvc.exe
    Token: 33 | 964 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 964 | AUDIODG.EXE
    Token: 33 | 964 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 964 | AUDIODG.EXE
    Token: SeDebugPrivilege | 1524 | taskkill.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid | process
    1072 | mshta.exe
    1072 | mshta.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (identical entries collapsed, with the number of occurrences in the last column):
    description | pid | process | target process | occurrences
    PID 1060 wrote to memory of 2000 | 1060 | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe | 5
    PID 2000 wrote to memory of 848 | 2000 | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe | cmd.exe | 4
    PID 848 wrote to memory of 1532 | 848 | cmd.exe | WMIC.exe | 3
    PID 2000 wrote to memory of 1072 | 2000 | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe | mshta.exe | 4
    PID 2000 wrote to memory of 364 | 2000 | d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe | cmd.exe | 4
    PID 364 wrote to memory of 1524 | 364 | cmd.exe | taskkill.exe | 3
    PID 364 wrote to memory of 780 | 364 | cmd.exe | PING.EXE | 3
Processes (indentation shows the process tree; the number in brackets is the nesting level)
- [1] C:\Users\Admin\AppData\Local\Temp\d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe"
    - Modifies extensions of user files
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\wbem\WMIC.exe
        Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /im "d2404be59ce484ea9579f6cc1d15f0b4c952c7bc2f2b9ce1295c493248c29bce.sample.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\PING.EXE
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
- [1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x448
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\README.hta
  MD5: b0f0413b5a2b547fe2251f6a569ee0e1
  SHA1: 3cdbe587ccbcf5d371538ce8b2b42c87d60e2f73
  SHA256: 219e2541533c3a108d8309d2591c7e9407cc74a159caf7929e34016ecbbadd16
  SHA512: bdb65206763a522322fc6104ed7a353b7a52820fcd1548bd4bca158c9f16b4e1cac9469c1058615729d791055b904256cd558efefe8edebd1351727edd54ac11
- \Users\Admin\AppData\Local\Temp\nsdB3D7.tmp\System.dll
  MD5: ca332bb753b0775d5e806e236ddcec55
  SHA1: f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
  SHA256: df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
  SHA512: 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00
- memory/364-69-0x0000000000000000-mapping.dmp
- memory/780-72-0x0000000000000000-mapping.dmp
- memory/848-66-0x0000000000000000-mapping.dmp
- memory/1060-60-0x0000000075C31000-0x0000000075C33000-memory.dmp (Filesize: 8KB)
- memory/1060-62-0x0000000000500000-0x000000000052C000-memory.dmp (Filesize: 176KB)
- memory/1072-68-0x0000000000000000-mapping.dmp
- memory/1524-70-0x0000000000000000-mapping.dmp
- memory/1532-67-0x0000000000000000-mapping.dmp
- memory/2000-63-0x0000000000402BDD-mapping.dmp
- memory/2000-65-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)