Analysis
max time kernel: 25s
max time network: 156s
platform: windows7_x64
resource: win7v20210410
submitted: 26-07-2021 12:41
Static task: static1

Behavioral task: behavioral1
  Sample: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
  Resource: win10v20210410
General
Target: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
Size: 5.1MB
MD5: 1874b6394a6060c34dae60305f48a0b3
SHA1: 6f559fd57304197443b71d8bf553cce3c9de8d53
SHA256: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151
SHA512: eff6e29ca32d96388832bdffb5356b8a72b91b4672958ff3e2c9995ce0f45ce4d0858d9b4666e3870ae862fff62a84c67f35cf301f793bef7daf6b7f4a64200b
Malware Config
Extracted
C:\Users\Public\Documents\!!!_READ_ME_3CA64D43_!!!.txt
https://prnt.sc/vb3g0f
https://prnt.sc/vb3hg9
https://prnt.sc/vb3hqd
https://prnt.sc/vb3iuj
https://prnt.sc/vb3j7c
https://prnt.sc/vb3m3t
https://prnt.sc/vb3pia
http://p6o7m73ujalhgkiv.onion/?068vV05uS2GCgqa
http://rgnar43spcnsocswaw22lmk7jnget5f6vow7kqmnf4jc6hfwpiwoajid.onion/client/?FB5dDAEC6F63aA6cd5D52B8822e2Eb0278aDCCEE8E7592f379ed00Ac14fD16cc
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 3 IoCs)
Processes:
pid   process
1140  bcdedit.exe
1784  bcdedit.exe
920   bcdedit.exe
Drops desktop.ini file(s) (1 IoCs)
Processes:
description                   ioc                                                                            process
File opened for modification  \??\E:\$RECYCLE.BIN\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description              ioc     process
File opened (read-only)  \??\E:  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description                   ioc                 process
File opened for modification  \??\PHYSICALDRIVE0  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes:
pid   process
1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
Drops file in Program Files directory (64 IoCs)
Processes:
process (every row): 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe

description                   ioc
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar
File opened for modification  C:\Program Files\7-Zip\Lang\ps.txt
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Swift_Current
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\net.properties
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml
File created                  C:\Program Files\Common Files\System\en-US\!!!_READ_ME_3CA64D43_!!!.txt
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties
File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\!!!_READ_ME_3CA64D43_!!!.txt
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia_Banderas
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar
File created                  C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\!!!_READ_ME_3CA64D43_!!!.txt
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EET
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar
File opened for modification  C:\Program Files\Common Files\System\ado\msado25.tlb
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png
File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\!!!_READ_ME_3CA64D43_!!!.txt
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-api.jar
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml
File created                  C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\!!!_READ_ME_3CA64D43_!!!.txt
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw
File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\!!!_READ_ME_3CA64D43_!!!.txt
File created                  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\!!!_READ_ME_3CA64D43_!!!.txt
File opened for modification  C:\Program Files\7-Zip\Lang\kab.txt
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs
File created                  C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\!!!_READ_ME_3CA64D43_!!!.txt
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar
File opened for modification  C:\Program Files\7-Zip\Lang\lt.txt
File opened for modification  C:\Program Files\Common Files\System\ado\msado20.tlb
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_zh_CN.jar
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-util-enumerations.jar
File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\!!!_READ_ME_3CA64D43_!!!.txt
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid   process
1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
(64 IoCs in total, every one of them the same pid/process entry listed above)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes:
description                          pid   process
Token: SeTakeOwnershipPrivilege      1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
Token: SeRestorePrivilege            1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
Token: SeIncreaseQuotaPrivilege      1720  wmic.exe
Token: SeSecurityPrivilege           1720  wmic.exe
Token: SeTakeOwnershipPrivilege      1720  wmic.exe
Token: SeLoadDriverPrivilege         1720  wmic.exe
Token: SeSystemProfilePrivilege      1720  wmic.exe
Token: SeSystemtimePrivilege         1720  wmic.exe
Token: SeProfSingleProcessPrivilege  1720  wmic.exe
Token: SeIncBasePriorityPrivilege    1720  wmic.exe
Token: SeCreatePagefilePrivilege     1720  wmic.exe
Token: SeBackupPrivilege             1720  wmic.exe
Token: SeRestorePrivilege            1720  wmic.exe
Token: SeShutdownPrivilege           1720  wmic.exe
Token: SeDebugPrivilege              1720  wmic.exe
Token: SeSystemEnvironmentPrivilege  1720  wmic.exe
Token: SeRemoteShutdownPrivilege     1720  wmic.exe
Token: SeUndockPrivilege             1720  wmic.exe
Token: SeManageVolumePrivilege       1720  wmic.exe
Token: 33                            1720  wmic.exe
Token: 34                            1720  wmic.exe
Token: 35                            1720  wmic.exe
Token: SeIncreaseQuotaPrivilege      1720  wmic.exe
Token: SeSecurityPrivilege           1720  wmic.exe
Token: SeTakeOwnershipPrivilege      1720  wmic.exe
Token: SeLoadDriverPrivilege         1720  wmic.exe
Token: SeSystemProfilePrivilege      1720  wmic.exe
Token: SeSystemtimePrivilege         1720  wmic.exe
Token: SeProfSingleProcessPrivilege  1720  wmic.exe
Token: SeIncBasePriorityPrivilege    1720  wmic.exe
Token: SeCreatePagefilePrivilege     1720  wmic.exe
Token: SeBackupPrivilege             1720  wmic.exe
Token: SeRestorePrivilege            1720  wmic.exe
Token: SeShutdownPrivilege           1720  wmic.exe
Token: SeDebugPrivilege              1720  wmic.exe
Token: SeSystemEnvironmentPrivilege  1720  wmic.exe
Token: SeRemoteShutdownPrivilege     1720  wmic.exe
Token: SeUndockPrivilege             1720  wmic.exe
Token: SeManageVolumePrivilege       1720  wmic.exe
Token: 33                            1720  wmic.exe
Token: 34                            1720  wmic.exe
Token: 35                            1720  wmic.exe
Token: SeBackupPrivilege             836   vssvc.exe
Token: SeRestorePrivilege            836   vssvc.exe
Token: SeAuditPrivilege              836   vssvc.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
description                    pid   process                                                                       target process
PID 1020 wrote to memory of 1720  1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  wmic.exe
PID 1020 wrote to memory of 1720  1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  wmic.exe
PID 1020 wrote to memory of 1720  1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  wmic.exe
PID 1020 wrote to memory of 1720  1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  wmic.exe
PID 1020 wrote to memory of 1140  1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  bcdedit.exe
PID 1020 wrote to memory of 1140  1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  bcdedit.exe
PID 1020 wrote to memory of 1140  1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  bcdedit.exe
PID 1020 wrote to memory of 1140  1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  bcdedit.exe
PID 1020 wrote to memory of 1784  1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  bcdedit.exe
PID 1020 wrote to memory of 1784  1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  bcdedit.exe
PID 1020 wrote to memory of 1784  1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  bcdedit.exe
PID 1020 wrote to memory of 1784  1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  bcdedit.exe
PID 1020 wrote to memory of 920   1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  bcdedit.exe
PID 1020 wrote to memory of 920   1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  bcdedit.exe
PID 1020 wrote to memory of 920   1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  bcdedit.exe
PID 1020 wrote to memory of 920   1020  9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe  bcdedit.exe
Processes
(depth 1 = root process; depth 2 = child of the preceding depth-1 process)

depth 1: C:\Users\Admin\AppData\Local\Temp\9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Windows\System32\Wbem\wmic.exe
    command line: wmic.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken

  depth 2: C:\Windows\system32\bcdedit.exe
    command line: bcdedit /set {default} recoveryenabled No
    - Modifies boot configuration data using bcdedit

  depth 2: C:\Windows\system32\bcdedit.exe
    command line: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Modifies boot configuration data using bcdedit

  depth 2: C:\Windows\system32\bcdedit.exe
    command line: bcdedit /set {globalsettings} advancedoptions false
    - Modifies boot configuration data using bcdedit

  depth 2: C:\Windows\SysWOW64\notepad.exe
    command line: C:\Users\Public\Documents\!!!_READ_ME_3CA64D43_!!!.txt

depth 1: C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\Documents\!!!_READ_ME_3CA64D43_!!!.txt
  MD5: a53e1c0f07da7dc52c368b926111d3b5
  SHA1: 06cfe102048cb38863959befd5468f353ea4940a
  SHA256: 2da3b2c785de5d5f551d8e5df2e9fc59afa27202db57f5ca3a808f002045dd00
  SHA512: d7529ae89d987d4c55dd2b7874f69a7cf8e8f2542e450056f1e7d586e28766fd139df4d5de17c39838383dc4d260adea3b92ac87832be47dcaeead83498d1d1b

memory/920-67-0x0000000000000000-mapping.dmp
memory/1020-59-0x0000000075971000-0x0000000075973000-memory.dmp
  Filesize: 8KB
memory/1020-61-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB
memory/1020-62-0x0000000000400000-0x0000000000C4B000-memory.dmp
  Filesize: 8.3MB
memory/1020-63-0x0000000000230000-0x0000000000231000-memory.dmp
  Filesize: 4KB
memory/1140-65-0x0000000000000000-mapping.dmp
memory/1520-68-0x0000000000000000-mapping.dmp
memory/1720-64-0x0000000000000000-mapping.dmp
memory/1784-66-0x0000000000000000-mapping.dmp