Analysis
- max time kernel: 40s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 26-07-2021 12:41

Static task: static1
Behavioral task: behavioral1
  Sample: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
  Resource: win10v20210410
General
- Target: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
- Size: 5.1MB
- MD5: 1874b6394a6060c34dae60305f48a0b3
- SHA1: 6f559fd57304197443b71d8bf553cce3c9de8d53
- SHA256: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151
- SHA512: eff6e29ca32d96388832bdffb5356b8a72b91b4672958ff3e2c9995ce0f45ce4d0858d9b4666e3870ae862fff62a84c67f35cf301f793bef7daf6b7f4a64200b
Malware Config
Extracted
C:\Users\Public\Documents\!!!_READ_ME_A3ED31EC_!!!.txt
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 3 IoCs
Processes (pid, process):
  3024 bcdedit.exe
  2144 bcdedit.exe
  4016 bcdedit.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes (description, ioc, process):
  File opened for modification: \??\E:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini (9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe)
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
  File opened (read-only): \??\E: (9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe)
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description, ioc, process):
  File opened for modification: \??\PHYSICALDRIVE0 (9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid, process):
  3692 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes (pid, process: tokens adjusted, in the order observed):
  3692 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe: SeTakeOwnershipPrivilege, SeRestorePrivilege
  2332 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  2332 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3576 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes (description, pid, process, target process):
  PID 3692 wrote to memory of 2332: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe -> wmic.exe
  PID 3692 wrote to memory of 2332: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe -> wmic.exe
  PID 3692 wrote to memory of 3024: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe -> bcdedit.exe
  PID 3692 wrote to memory of 3024: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe -> bcdedit.exe
  PID 3692 wrote to memory of 2144: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe -> bcdedit.exe
  PID 3692 wrote to memory of 2144: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe -> bcdedit.exe
  PID 3692 wrote to memory of 4016: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe -> bcdedit.exe
  PID 3692 wrote to memory of 4016: 9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe -> bcdedit.exe
Processes (process tree; indented entries are children of the entry above)
- C:\Users\Admin\AppData\Local\Temp\9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9416e5a57e6de00c685560fa9fee761126569d123f62060792bf2049ebba4151.sample.exe"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic.exe shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
    - C:\Windows\SYSTEM32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      - Modifies boot configuration data using bcdedit
    - C:\Windows\SYSTEM32\bcdedit.exe
      Command line: bcdedit /set {globalsettings} advancedoptions false
      - Modifies boot configuration data using bcdedit
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2144-122-0x0000000000000000-mapping.dmp
- memory/2332-120-0x0000000000000000-mapping.dmp
- memory/3024-121-0x0000000000000000-mapping.dmp
- memory/3692-117-0x0000000002D20000-0x0000000002D21000-memory.dmp (filesize 4KB)
- memory/3692-118-0x0000000000400000-0x0000000000C4B000-memory.dmp (filesize 8.3MB)
- memory/3692-119-0x00000000001F0000-0x00000000001F1000-memory.dmp (filesize 4KB)
- memory/4016-123-0x0000000000000000-mapping.dmp