Analysis
-
max time kernel
150s -
max time network
197s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
29/08/2021, 08:46
Static task
static1
Behavioral task
behavioral1
Sample
566285f0bda34708c0f19e42f6d23929.exe
Resource
win7v20210408
buranraccoonsmokeloadertofseed02c5d65069fc7ce1993e7c52edf0c9c4c195c81fe582536ec580228180f270f7cb80a867860e010backdoordiscoveryevasionpersistenceransomwarespywarestealerthemidatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
566285f0bda34708c0f19e42f6d23929.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
General
-
Target
566285f0bda34708c0f19e42f6d23929.exe
-
Size
143KB
-
MD5
566285f0bda34708c0f19e42f6d23929
-
SHA1
503bee4aeec4972757c079527a2e0af7bdc84b3a
-
SHA256
73e71254b57fbc49f7e55767aee9ff95507630171bbda89b5adf1907bc802279
-
SHA512
f98d64ed8f4b2cccae95a3baff21285e75dfb42baaa5d935893dc5809ca8b81c39eab32aaef16844998e57b22b450e4085ef09460f730e09eca17b9c3021306f
Malware Config
Extracted
Path
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family
buran
Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
PAY FAST 500$=0.013 btc
or the price will increase tomorrow
bitcoin address
bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
But this file should be of not valuable!
Do you really want to restore your files?
[email protected]
TELEGRAM @ payfast290
Your personal ID: 2D2-225-83D
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Extracted
Family
smokeloader
Version
2020
C2
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
rc4.i32
rc4.i32
Extracted
Family
raccoon
Botnet
fe582536ec580228180f270f7cb80a867860e010
Attributes
-
url4cnc
https://telete.in/xylichanjk
rc4.plain
rc4.plain
Extracted
Family
raccoon
Botnet
d02c5d65069fc7ce1993e7c52edf0c9c4c195c81
Attributes
-
url4cnc
https://telete.in/open3entershift
rc4.plain
rc4.plain
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
pid Process 1524 25F8.exe 1572 2731.exe 1816 28E6.exe 1168 33FF.exe 1492 3C88.exe 1632 4205.exe 1756 lsass.exe 1356 lsass.exe 992 vplrcmek.exe -
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 33FF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 33FF.exe -
Deletes itself 1 IoCs
pid Process 1204 Process not Found -
Loads dropped DLL 9 IoCs
pid Process 1572 2731.exe 1572 2731.exe 1572 2731.exe 1572 2731.exe 1572 2731.exe 1572 2731.exe 1572 2731.exe 1492 3C88.exe 1492 3C88.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000400000001310e-86.dat themida behavioral1/memory/1168-90-0x00000000010A0000-0x00000000010A1000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run 3C88.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start" 3C88.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 33FF.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: lsass.exe File opened (read-only) \??\X: lsass.exe File opened (read-only) \??\V: lsass.exe File opened (read-only) \??\U: lsass.exe File opened (read-only) \??\T: lsass.exe File opened (read-only) \??\S: lsass.exe File opened (read-only) \??\R: lsass.exe File opened (read-only) \??\N: lsass.exe File opened (read-only) \??\J: lsass.exe File opened (read-only) \??\W: lsass.exe File opened (read-only) \??\P: lsass.exe File opened (read-only) \??\L: lsass.exe File opened (read-only) \??\K: lsass.exe File opened (read-only) \??\Z: lsass.exe File opened (read-only) \??\Y: lsass.exe File opened (read-only) \??\I: lsass.exe File opened (read-only) \??\G: lsass.exe File opened (read-only) \??\E: lsass.exe File opened (read-only) \??\B: lsass.exe File opened (read-only) \??\A: lsass.exe File opened (read-only) \??\Q: lsass.exe File opened (read-only) \??\O: lsass.exe File opened (read-only) \??\H: lsass.exe File opened (read-only) \??\F: lsass.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 geoiptool.com -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1168 33FF.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 520 set thread context of 836 520 566285f0bda34708c0f19e42f6d23929.exe 29 PID 992 set thread context of 1524 992 vplrcmek.exe 82 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\fi.txt.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Amsterdam lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh89 lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Fortaleza.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kathmandu.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Fortaleza lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Cocos.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\7-Zip\7z.exe lsass.exe File opened for modification C:\Program Files\7-Zip\Lang\nl.txt lsass.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png lsass.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\LICENSE lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt lsass.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Istanbul lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings lsass.exe File opened for modification C:\Program Files\7-Zip\Lang\lij.txt lsass.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar lsass.exe File opened for modification C:\Program Files\DVD Maker\Shared\Parity.fx lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar lsass.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-4.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt lsass.exe File opened for modification C:\Program Files\7-Zip\Lang\hr.txt.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boise.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Monticello.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Lisbon.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml lsass.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF lsass.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File opened for modification C:\Program Files\ReceiveCompress.cab.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Palmer lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.payfast290.2D2-225-83D lsass.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg lsass.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 566285f0bda34708c0f19e42f6d23929.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 566285f0bda34708c0f19e42f6d23929.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 566285f0bda34708c0f19e42f6d23929.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1784 vssadmin.exe 1824 vssadmin.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Control Panel\Buses svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = e43b493d8a8a310424edb47d450dd49d084297dce82e72baa4821efd747d7e1df39a304f87cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56814d9844d7734e3a4644490bdb57f24ed925d01cff2b454758df21d5904e0ac6510d48c4f703ae39d084295d9e13f4bb4c06d02fdadfd542fd69f430a36fba769249ec60b1b79bdf0012dd98ab77423e9925d00cbc4e13b7e85c12b496da0f15d15d88449743de7a45c1ff459a4401453e3c86dfdc48d541ce4ad744a6bbfff02579fc27d440dd49d642df4ccd8c16098a46d34fdc741461ee4ad743c35f4a77311db9a4c703bfaac5c15f4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743de1cc945d svchost.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 2731.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 2731.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 3C88.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 3C88.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 3C88.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 lsass.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e lsass.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 836 566285f0bda34708c0f19e42f6d23929.exe 836 566285f0bda34708c0f19e42f6d23929.exe 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1204 Process not Found -
Suspicious behavior: MapViewOfSection 19 IoCs
pid Process 836 566285f0bda34708c0f19e42f6d23929.exe 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found 1204 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1204 Process not Found Token: SeShutdownPrivilege 1204 Process not Found Token: SeDebugPrivilege 1168 33FF.exe Token: SeDebugPrivilege 1492 3C88.exe Token: SeDebugPrivilege 1492 3C88.exe Token: SeShutdownPrivilege 1204 Process not Found Token: SeIncreaseQuotaPrivilege 752 WMIC.exe Token: SeSecurityPrivilege 752 WMIC.exe Token: SeTakeOwnershipPrivilege 752 WMIC.exe Token: SeLoadDriverPrivilege 752 WMIC.exe Token: SeSystemProfilePrivilege 752 WMIC.exe Token: SeSystemtimePrivilege 752 WMIC.exe Token: SeProfSingleProcessPrivilege 752 WMIC.exe Token: SeIncBasePriorityPrivilege 752 WMIC.exe Token: SeCreatePagefilePrivilege 752 WMIC.exe Token: SeBackupPrivilege 752 WMIC.exe Token: SeRestorePrivilege 752 WMIC.exe Token: SeShutdownPrivilege 752 WMIC.exe Token: SeDebugPrivilege 752 WMIC.exe Token: SeSystemEnvironmentPrivilege 752 WMIC.exe Token: SeRemoteShutdownPrivilege 752 WMIC.exe Token: SeUndockPrivilege 752 WMIC.exe Token: SeManageVolumePrivilege 752 WMIC.exe Token: 33 752 WMIC.exe Token: 34 752 WMIC.exe Token: 35 752 WMIC.exe Token: SeIncreaseQuotaPrivilege 1108 WMIC.exe Token: SeSecurityPrivilege 1108 WMIC.exe Token: SeTakeOwnershipPrivilege 1108 WMIC.exe Token: SeLoadDriverPrivilege 1108 WMIC.exe Token: SeSystemProfilePrivilege 1108 WMIC.exe Token: SeSystemtimePrivilege 1108 WMIC.exe Token: SeProfSingleProcessPrivilege 1108 WMIC.exe Token: SeIncBasePriorityPrivilege 1108 WMIC.exe Token: SeCreatePagefilePrivilege 1108 WMIC.exe Token: SeBackupPrivilege 1108 WMIC.exe Token: SeRestorePrivilege 1108 WMIC.exe Token: SeShutdownPrivilege 1108 WMIC.exe Token: SeDebugPrivilege 1108 WMIC.exe Token: SeSystemEnvironmentPrivilege 1108 WMIC.exe Token: SeRemoteShutdownPrivilege 1108 WMIC.exe Token: SeUndockPrivilege 1108 WMIC.exe Token: SeManageVolumePrivilege 1108 WMIC.exe Token: 33 1108 WMIC.exe Token: 34 1108 WMIC.exe Token: 35 1108 WMIC.exe Token: SeBackupPrivilege 1996 vssvc.exe Token: SeRestorePrivilege 1996 vssvc.exe Token: SeAuditPrivilege 1996 vssvc.exe Token: SeIncreaseQuotaPrivilege 752 WMIC.exe Token: SeSecurityPrivilege 752 WMIC.exe Token: SeTakeOwnershipPrivilege 752 WMIC.exe Token: SeLoadDriverPrivilege 752 WMIC.exe Token: SeSystemProfilePrivilege 752 WMIC.exe Token: SeSystemtimePrivilege 752 WMIC.exe Token: SeProfSingleProcessPrivilege 752 WMIC.exe Token: SeIncBasePriorityPrivilege 752 WMIC.exe Token: SeCreatePagefilePrivilege 752 WMIC.exe Token: SeBackupPrivilege 752 WMIC.exe Token: SeRestorePrivilege 752 WMIC.exe Token: SeShutdownPrivilege 752 WMIC.exe Token: SeDebugPrivilege 752 WMIC.exe Token: SeSystemEnvironmentPrivilege 752 WMIC.exe Token: SeRemoteShutdownPrivilege 752 WMIC.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1524 25F8.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 520 wrote to memory of 836 520 566285f0bda34708c0f19e42f6d23929.exe 29 PID 520 wrote to memory of 836 520 566285f0bda34708c0f19e42f6d23929.exe 29 PID 520 wrote to memory of 836 520 566285f0bda34708c0f19e42f6d23929.exe 29 PID 520 wrote to memory of 836 520 566285f0bda34708c0f19e42f6d23929.exe 29 PID 520 wrote to memory of 836 520 566285f0bda34708c0f19e42f6d23929.exe 29 PID 520 wrote to memory of 836 520 566285f0bda34708c0f19e42f6d23929.exe 29 PID 520 wrote to memory of 836 520 566285f0bda34708c0f19e42f6d23929.exe 29 PID 1204 wrote to memory of 1524 1204 Process not Found 30 PID 1204 wrote to memory of 1524 1204 Process not Found 30 PID 1204 wrote to memory of 1524 1204 Process not Found 30 PID 1204 wrote to memory of 1524 1204 Process not Found 30 PID 1204 wrote to memory of 1572 1204 Process not Found 31 PID 1204 wrote to memory of 1572 1204 Process not Found 31 PID 1204 wrote to memory of 1572 1204 Process not Found 31 PID 1204 wrote to memory of 1572 1204 Process not Found 31 PID 1204 wrote to memory of 1816 1204 Process not Found 32 PID 1204 wrote to memory of 1816 1204 Process not Found 32 PID 1204 wrote to memory of 1816 1204 Process not Found 32 PID 1204 wrote to memory of 1816 1204 Process not Found 32 PID 1816 wrote to memory of 2004 1816 28E6.exe 33 PID 1816 wrote to memory of 2004 1816 28E6.exe 33 PID 1816 wrote to memory of 2004 1816 28E6.exe 33 PID 1816 wrote to memory of 2004 1816 28E6.exe 33 PID 1816 wrote to memory of 964 1816 28E6.exe 36 PID 1816 wrote to memory of 964 1816 28E6.exe 36 PID 1816 wrote to memory of 964 1816 28E6.exe 36 PID 1816 wrote to memory of 964 1816 28E6.exe 36 PID 1816 wrote to memory of 1776 1816 28E6.exe 38 PID 1816 wrote to memory of 1776 1816 28E6.exe 38 PID 1816 wrote to memory of 1776 1816 28E6.exe 38 PID 1816 wrote to memory of 1776 1816 28E6.exe 38 PID 1204 wrote to memory of 1168 1204 Process not Found 40 PID 1204 wrote to memory of 1168 1204 Process not Found 40 PID 1204 wrote to memory of 1168 1204 Process not Found 40 PID 1204 wrote to memory of 1168 1204 Process not Found 40 PID 1204 wrote to memory of 1168 1204 Process not Found 40 PID 1204 wrote to memory of 1168 1204 Process not Found 40 PID 1204 wrote to memory of 1168 1204 Process not Found 40 PID 1816 wrote to memory of 908 1816 28E6.exe 42 PID 1816 wrote to memory of 908 1816 28E6.exe 42 PID 1816 wrote to memory of 908 1816 28E6.exe 42 PID 1816 wrote to memory of 908 1816 28E6.exe 42 PID 1204 wrote to memory of 1492 1204 Process not Found 43 PID 1204 wrote to memory of 1492 1204 Process not Found 43 PID 1204 wrote to memory of 1492 1204 Process not Found 43 PID 1204 wrote to memory of 1492 1204 Process not Found 43 PID 1204 wrote to memory of 1632 1204 Process not Found 44 PID 1204 wrote to memory of 1632 1204 Process not Found 44 PID 1204 wrote to memory of 1632 1204 Process not Found 44 PID 1204 wrote to memory of 1632 1204 Process not Found 44 PID 1204 wrote to memory of 1752 1204 Process not Found 45 PID 1204 wrote to memory of 1752 1204 Process not Found 45 PID 1204 wrote to memory of 1752 1204 Process not Found 45 PID 1204 wrote to memory of 1752 1204 Process not Found 45 PID 1204 wrote to memory of 1752 1204 Process not Found 45 PID 1204 wrote to memory of 524 1204 Process not Found 46 PID 1204 wrote to memory of 524 1204 Process not Found 46 PID 1204 wrote to memory of 524 1204 Process not Found 46 PID 1204 wrote to memory of 524 1204 Process not Found 46 PID 1204 wrote to memory of 1160 1204 Process not Found 47 PID 1204 wrote to memory of 1160 1204 Process not Found 47 PID 1204 wrote to memory of 1160 1204 Process not Found 47 PID 1204 wrote to memory of 1160 1204 Process not Found 47 PID 1204 wrote to memory of 1160 1204 Process not Found 47
Processes
-
C:\Users\Admin\AppData\Local\Temp\566285f0bda34708c0f19e42f6d23929.exe"C:\Users\Admin\AppData\Local\Temp\566285f0bda34708c0f19e42f6d23929.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Users\Admin\AppData\Local\Temp\566285f0bda34708c0f19e42f6d23929.exe"C:\Users\Admin\AppData\Local\Temp\566285f0bda34708c0f19e42f6d23929.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:836
-
-
C:\Users\Admin\AppData\Local\Temp\25F8.exeC:\Users\Admin\AppData\Local\Temp\25F8.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1524
-
C:\Users\Admin\AppData\Local\Temp\2731.exeC:\Users\Admin\AppData\Local\Temp\2731.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1572
-
C:\Users\Admin\AppData\Local\Temp\28E6.exeC:\Users\Admin\AppData\Local\Temp\28E6.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fmicghg\2⤵PID:2004
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vplrcmek.exe" C:\Windows\SysWOW64\fmicghg\2⤵PID:964
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create fmicghg binPath= "C:\Windows\SysWOW64\fmicghg\vplrcmek.exe /d\"C:\Users\Admin\AppData\Local\Temp\28E6.exe\"" type= own start= auto DisplayName= "wifi support"2⤵PID:1776
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description fmicghg "wifi internet conection"2⤵PID:908
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start fmicghg2⤵PID:2036
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵PID:1392
-
-
C:\Users\Admin\AppData\Local\Temp\33FF.exeC:\Users\Admin\AppData\Local\Temp\33FF.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
C:\Users\Admin\AppData\Local\Temp\3C88.exeC:\Users\Admin\AppData\Local\Temp\3C88.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1492 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
PID:1756 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵PID:1684
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:752
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵PID:1264
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵PID:968
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵PID:520
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵PID:1712
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1784
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵PID:1284
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1824
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1356
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵PID:820
-
-
C:\Users\Admin\AppData\Local\Temp\4205.exeC:\Users\Admin\AppData\Local\Temp\4205.exe1⤵
- Executes dropped EXE
PID:1632
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1752
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:524
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1160
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1748
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1660
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1440
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1752
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1072
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1572
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
C:\Windows\SysWOW64\fmicghg\vplrcmek.exeC:\Windows\SysWOW64\fmicghg\vplrcmek.exe /d"C:\Users\Admin\AppData\Local\Temp\28E6.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:992 -
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1524
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1New Service
1Registry Run Keys / Startup Folder
2Defense Evasion
File Deletion
2Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1