Sample: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Size: 168KB
Date: 21-10-2021 09:18
Analysis: behavioral1
MD5: 700a4f7ed40dd9ac29891c2ec3d4bef7
SHA1: 1546e3bbe9eb3e6b185097226bb758d98a207429
SHA256: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f
SHA512: 1b615297f445eb4c3909e46191834450191b6e9716a83c380a02db6566dd96431f6e2271c01508d3f271af0b4fbfff31b485e1fc6bf952a4b2177aa41fb65c0a
Extracted
Path: C:\ZVRYIONLNM-DECRYPT.txt
Ransom Note:
---= GANDCRAB V5.0.1 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .ZVRYIONLNM
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/53559f29a53d0f6d
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
---END GANDCRAB KEY---
---BEGIN PC DATA---
wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZdToZRtXYL7nJWobfbTGuHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZdP6U/VvqF1shzlzbajc1AHXg7l8xnT91gCFUxMg7ADMEr7316SnTFUg/DkeItL9jgqZqn87qt5+hi6rEkkUrB6eL1/2M2EutyGttYOlqFBnPtuxGOEY0b9Scf4qq4MaaXY7JyAYzW2Q+irpQZTWgqalO4JIUJo5FhwNYoDBPInKY+DO5AAL2fiGE1g65rIQ3vxA5KyA7wZi/pDRFN3uPLaOb91wsZOHQfRkOKPzmU1gPgG39UmRzflSz0QUpnmbI4lomwvnJMVc3pJTerfEocccBmP2hNgn9IQ3DCzaYTErDtaEjxBdZMM5H4HskOLb+SRYUP
---END PC DATA---
URLs: http://gandcrabmfe6mnef.onion/53559f29a53d0f6d
-
Gandcrab
Description
Gandcrab is a Trojan horse that encrypts files on a computer.
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
Description
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Deletes shadow copies
Description
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files (872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe)
Description
Ransomware generally changes the extension on encrypted files.
Reported IOCs
description | ioc | process
File renamed | C:\Users\Admin\Pictures\CompressWait.raw => C:\Users\Admin\Pictures\CompressWait.raw.zvryionlnm | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File renamed | C:\Users\Admin\Pictures\InitializeStart.raw => C:\Users\Admin\Pictures\InitializeStart.raw.zvryionlnm | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File renamed | C:\Users\Admin\Pictures\RemoveStep.crw => C:\Users\Admin\Pictures\RemoveStep.crw.zvryionlnm | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File renamed | C:\Users\Admin\Pictures\CloseGroup.png => C:\Users\Admin\Pictures\CloseGroup.png.zvryionlnm | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
-
Drops startup file (872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe)
Reported IOCs
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ZVRYIONLNM-DECRYPT.txt | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\a53d088da53d0f6141c.lock | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
-
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives (872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe)
Description
Attempts to read the root path of hard drives other than the default C: drive.
Reported IOCs
description | ioc | process
File opened (read-only) | \??\W: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\X: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\Y: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\B: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\F: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\M: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\Q: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\R: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\T: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\V: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\Z: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\H: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\L: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\P: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\J: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\K: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\N: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\O: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\S: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\A: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\E: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\G: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\I: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only) | \??\U: | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
-
Sets desktop wallpaper using registry (872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe)
Reported IOCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
-
Drops file in Program Files directory (872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe)
Reported IOCs
description | ioc | process
File opened for modification | C:\Program Files\UnprotectStart.iso | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\MeasureInitialize.iso | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\RemoveStop.DVR-MS | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\UnblockSubmit.ppt | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\UndoImport.ini | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created | C:\Program Files\a53d088da53d0f6141c.lock | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\EditConvert.dot | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\EnterStart.temp | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\InitializeCompress.eprtx | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created | C:\Program Files (x86)\ZVRYIONLNM-DECRYPT.txt | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created | C:\Program Files (x86)\a53d088da53d0f6141c.lock | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\DebugUnprotect.mpv2 | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\HideUnblock.mp2v | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\AddCheckpoint.docm | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\AssertWrite.7z | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\CompressSwitch.ods | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\ConfirmWait.WTV | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\NewShow.wma | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\StopConfirm.ods | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created | C:\Program Files\ZVRYIONLNM-DECRYPT.txt | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\AssertStep.ppsx | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\ExitSearch.potx | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification | C:\Program Files\ImportRevoke.txt | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
-
Enumerates physical storage devices
Description
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe)
Description
Processor information is often read in order to detect sandboxing environments.
Reported IOCs
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
-
Modifies system certificate store (872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe)
Reported IOCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob value omitted) | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
-
Suspicious behavior: EnumeratesProcesses (872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe)
Reported IOCs
pid | process
2276 | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
2276 | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
2276 | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
2276 | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
-
Suspicious use of AdjustPrivilegeToken (wmic.exe, vssvc.exe)
Reported IOCs
description | pid | process
Token: SeIncreaseQuotaPrivilege | 2128 | wmic.exe
Token: SeSecurityPrivilege | 2128 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2128 | wmic.exe
Token: SeLoadDriverPrivilege | 2128 | wmic.exe
Token: SeSystemProfilePrivilege | 2128 | wmic.exe
Token: SeSystemtimePrivilege | 2128 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2128 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2128 | wmic.exe
Token: SeCreatePagefilePrivilege | 2128 | wmic.exe
Token: SeBackupPrivilege | 2128 | wmic.exe
Token: SeRestorePrivilege | 2128 | wmic.exe
Token: SeShutdownPrivilege | 2128 | wmic.exe
Token: SeDebugPrivilege | 2128 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2128 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2128 | wmic.exe
Token: SeUndockPrivilege | 2128 | wmic.exe
Token: SeManageVolumePrivilege | 2128 | wmic.exe
Token: 33 | 2128 | wmic.exe
Token: 34 | 2128 | wmic.exe
Token: 35 | 2128 | wmic.exe
Token: 36 | 2128 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 2128 | wmic.exe
Token: SeSecurityPrivilege | 2128 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2128 | wmic.exe
Token: SeLoadDriverPrivilege | 2128 | wmic.exe
Token: SeSystemProfilePrivilege | 2128 | wmic.exe
Token: SeSystemtimePrivilege | 2128 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2128 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2128 | wmic.exe
Token: SeCreatePagefilePrivilege | 2128 | wmic.exe
Token: SeBackupPrivilege | 2128 | wmic.exe
Token: SeRestorePrivilege | 2128 | wmic.exe
Token: SeShutdownPrivilege | 2128 | wmic.exe
Token: SeDebugPrivilege | 2128 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2128 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2128 | wmic.exe
Token: SeUndockPrivilege | 2128 | wmic.exe
Token: SeManageVolumePrivilege | 2128 | wmic.exe
Token: 33 | 2128 | wmic.exe
Token: 34 | 2128 | wmic.exe
Token: 35 | 2128 | wmic.exe
Token: 36 | 2128 | wmic.exe
Token: SeBackupPrivilege | 608 | vssvc.exe
Token: SeRestorePrivilege | 608 | vssvc.exe
Token: SeAuditPrivilege | 608 | vssvc.exe
-
Suspicious use of WriteProcessMemory (872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe)
Reported IOCs
description | pid | process | target process
PID 2276 wrote to memory of 2128 | 2276 | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe | wmic.exe
PID 2276 wrote to memory of 2128 | 2276 | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe | wmic.exe
PID 2276 wrote to memory of 2128 | 2276 | 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe | wmic.exe
-
C:\Users\Admin\AppData\Local\Temp\872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe"
Signatures: Modifies extensions of user files; Drops startup file; Enumerates connected drives; Sets desktop wallpaper using registry; Drops file in Program Files directory; Checks processor information in registry; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wbem\wmic.exe
Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Signatures: Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Signatures: Suspicious use of AdjustPrivilegeToken
-
memory/2128-115-0x0000000000000000-mapping.dmp