Analysis
- max time kernel: 131s
- max time network: 194s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 13:00

Static task: static1

Behavioral task: behavioral1
- Sample: dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe
- Resource: win10v20210410

General
- Target: dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe
- Size: 1.8MB
- MD5: cb83d6c4e2e5de482e6e18abcc2d2a5d
- SHA1: 6bb5b3e9ceb1eea6a493471d1ebc527327d9f8ac
- SHA256: dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732
- SHA512: 851c7181b7bff17cffe614427a21be6a1716d5319fd3c8c84a6de8076a35ed71107e05f5c2105152559630300a667e299682911adf9a0a0c9498828167f90625
Malware Config
Extracted from C:\README1.txt through C:\README10.txt (all ten notes carry identical contents):
- Lukyan.Sazonov26@gmail.com
- http://cryptsen7fo43rr6.onion/
- http://cryptsen7fo43rr6.onion.to/
- http://cryptsen7fo43rr6.onion.cab/
Signatures

Troldesh, Shade, Encoder.858
Troldesh is ransomware spread by malspam.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
18 | whatismyipaddress.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\7255E2C07255E2C0.bmp" | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe

Drops file in Program Files directory (64 IoCs)
Processes: dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe (File opened for modification, 64 paths under C:\Program Files)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
960 | 1192 | WerFault.exe |

Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe, vssadmin.exe
pid | process
1064 | vssadmin.exe
432 | vssadmin.exe
564 | vssadmin.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes: dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe, WerFault.exe
pid | process
1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe
1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe
960 | WerFault.exe
960 | WerFault.exe
960 | WerFault.exe
960 | WerFault.exe
960 | WerFault.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: vssvc.exe, WerFault.exe
description | pid | process
Token: SeBackupPrivilege | 1676 | vssvc.exe
Token: SeRestorePrivilege | 1676 | vssvc.exe
Token: SeAuditPrivilege | 1676 | vssvc.exe
Token: SeDebugPrivilege | 960 | WerFault.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes: dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe, cmd.exe
description | pid | process | target process
PID 1220 wrote to memory of 564 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | vssadmin.exe
PID 1220 wrote to memory of 564 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | vssadmin.exe
PID 1220 wrote to memory of 564 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | vssadmin.exe
PID 1220 wrote to memory of 564 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | vssadmin.exe
PID 1220 wrote to memory of 1064 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | vssadmin.exe
PID 1220 wrote to memory of 1064 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | vssadmin.exe
PID 1220 wrote to memory of 1064 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | vssadmin.exe
PID 1220 wrote to memory of 1064 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | vssadmin.exe
PID 1220 wrote to memory of 432 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | vssadmin.exe
PID 1220 wrote to memory of 432 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | vssadmin.exe
PID 1220 wrote to memory of 432 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | vssadmin.exe
PID 1220 wrote to memory of 432 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | vssadmin.exe
PID 1220 wrote to memory of 316 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | cmd.exe
PID 1220 wrote to memory of 316 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | cmd.exe
PID 1220 wrote to memory of 316 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | cmd.exe
PID 1220 wrote to memory of 316 | 1220 | dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe | cmd.exe
PID 316 wrote to memory of 1016 | 316 | cmd.exe | chcp.com
PID 316 wrote to memory of 1016 | 316 | cmd.exe | chcp.com
PID 316 wrote to memory of 1016 | 316 | cmd.exe | chcp.com
PID 316 wrote to memory of 1016 | 316 | cmd.exe | chcp.com
Processes (process tree; nesting shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dcc056e22b9479b84787d8affd79778f494cf6a86c1dd51e8cc7fb5a04c61732.sample.exe"
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe List Shadows
    - Interacts with shadow copies

  - C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies

  - C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe List Shadows
    - Interacts with shadow copies

  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 1192 -s 804
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/316-65-0x0000000000000000-mapping.dmp
- memory/432-64-0x0000000000000000-mapping.dmp
- memory/564-62-0x0000000000000000-mapping.dmp
- memory/960-67-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp (Filesize: 8KB)
- memory/960-68-0x0000000002200000-0x0000000002201000-memory.dmp (Filesize: 4KB)
- memory/1016-66-0x0000000000000000-mapping.dmp
- memory/1064-63-0x0000000000000000-mapping.dmp
- memory/1220-60-0x00000000769B1000-0x00000000769B3000-memory.dmp (Filesize: 8KB)
- memory/1220-61-0x0000000000400000-0x00000000005DA000-memory.dmp (Filesize: 1.9MB)