Behavioral Report

Analysis

max time kernel
91s
max time network
100s
platform
windows10_x64
resource
win10-en-20211014
submitted
21-10-2021 09:16

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Size

168KB
MD5

700a4f7ed40dd9ac29891c2ec3d4bef7
SHA1

1546e3bbe9eb3e6b185097226bb758d98a207429
SHA256

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f
SHA512

1b615297f445eb4c3909e46191834450191b6e9716a83c380a02db6566dd96431f6e2271c01508d3f271af0b4fbfff31b485e1fc6bf952a4b2177aa41fb65c0a

Score

10^/10

gandcrab backdoor ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\ZVRYIONLNM-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.1 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .ZVRYIONLNM The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/53559f29a53d0f6d | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAE+G+3/EdUFICPnOBuNObRZum1VGv/JEzx3yS50UZH3qofnkmdgVnwxzO4pdydqO5Jhj4nLGYacIhP2gGL06FvGSPh3MEJqXgcFcE+iWWB2OQIU2mJfCkysI72okrog2ABAJ3Z0FaomwUdCC32z0/LWeEpbEV0xAa4UViamwnmLkkoJ/3oiy/AoFTaJaliIA0VldQDQ5vxbOiXJq4iXAKGmrX5DeIlRDPf+oE8o/fiajl77iWm6FdQYTg4rRyMTN/WyCtp604gVZjzqukDPKNCelk1n33+fwumxA+NM/Ox+eD+pRa9ZEneACqKSCyoT24g7mha90W6Hleg9SDFXDfoJZm8WHbOS4+Zhv199O7g/hzbztQFBjKOEcelAt7Q5NdvSia6144eqq5DizdWqHS2qaW0Gj0qT48fWKQuxR1qEoWe/fCelqIM7qKN4CSwWw7mFxCi86+5LzAcaCkVLd+g+6gfyaSL43g4fP+qGzONPsSrdCymmH7nQrmSmSyaL39Zrj98yQAdIG28OHI5pq9+dE72S4U87GA1J+Gk2IQ1GHLtaBQpeR2OwqOStkQbjW567coSBoALitkHiXInHTr5YmAO+lEB7A3rYXO0u8Z7K37rnOsg7UcuJtgDhjRhqHoPwvHiJqHBElSdgTNtuAbNa2LJ5b/ViZXQ5gqCfR7NW3SulIhIxnpRUhhd4eXKgBQeIW2ie9XqDSgCqZiBwl/rc0pOl4sUkY6z/5iBeO1v52zLDAR961v8anbRsknJ4KLiX95mf2KZU7VJr1SgaoCutq9uagzE+yw73/L1RYgZqIbe+z1eNSO2KsJwEyHfYDz12AI5UUpiqAEy4OBhoHuIkB8g07S8432Dbv32Bgz34OwyMILthVpGlbM3eigJS3eMh23rLxWIAfNe1WsxSuEOAJbFawbLTuvwad9kSrBdUOl6GzqnLB6AdX5ejkASyYV9B5GhZh4wLfFvJjMIFqvuHV1V3+uAcXJjRAU7VQaxae1GQ9J1KC3HY1gXhy3xQeBNR5bTvk3OsKoP9WqX5H+uUtaz87yDPTR5ElVFJbCCyulDskFPEQ9oDdjvL8j3kRMg85X0fCC6lPIeGXf3F+u8AEybRdBEkdkIWHKj+0aOp/DS+Ih+Tuw3PWvDk7noLfJTAA52yf/m+lxnM/qp0Ftwyi+AlHGf5gpaFlU4z20sTlBQFW5Sz1XDESO4Z207XhCOxH1Qx4DY2h6MQv/bvO6vhm17LLbh6HvCoqEVNW4YaDmgHw7fMbb4tNb8WhpHHHsbp7ByM50upfTYDA0/Raar7Jx+SABd8JwJUDyHImZqVLYaDn7Dq5P5D+1HnR8jGq/lYJcbOJkMNVA9DSsD78HgXdXGgwZpG5w09U71zli7X7qCHfbKIV8nAzukjt4ZL0j8YSwNiiwRZdDd3uEmqB5gV3zkJc3d54WRtLSFNBT6hi2zm6eXwXbKa2EeKjBkX46UTazlEimt7BRQpY9pv6pz1cgzwxumsLYxZ2rhzt6teIgvJPx1D3YGBUpsLs/D4EfvlMhfVKggd/j4sI2aAxweRxicvgPf2+Np1EG1v1IzL3EIE6a8dxLJn1sjCHOxcK1lFfPndKgQIpmEI70mSzlfsiVYtv0HpPB5VEER9oWoTYkmPt7ZNki8V6/krp68RzmznyiqwuH92+N9kRsGmTyQAQugH1gm9V4jiUgy5N+bGzGuoqPQVodTYi9p8qLagFJxQYtMWf++Bi34KoVAGvaGZSQNUUMlCtO6DCv8jfFzfqfUmnXGcRZYhBcQHXJRApMgKkhduLaU0WbosBMAeb0VI/N7ewv9JTlFyLCuzyBNKkdbwGoXGaCNoWcztZ/3xdEnEDumWaqPvmewjsV6N84XOhbtlU75A6ML+JAhpQYHbyfQwQgTM6E/51S2Ukx87lj1dB0FLgUdjkqx7EYvBHiR1SEjam+p+Gaw/mgCOm/4E3Z/2/os+SsATRSLo4vwf7F5y6mAc8ImsDZbgOGliP+1ADSzOSte+VPEgUBmA32Xz7v4pViwVIhoDr1D016o0QWC4P9gkb6GfOvUElyMcUWRb0PMpL00DgvgXEJzikBmhetaYIEDVjuT7I2pZMJ3AkXpI87ZLvowpgMcoRTC5bExrDWfW+fpsttJiakiaoj3en+fcmYOpR65KLIVjLd5hlzFsQQ5VTrt9msjFrKCKgvLHM8Rr2mPIxdoRxsqAU5R09HrccQt1WcoUypXj/u6q1agt1K1U= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZdToZRtXYL7nJWobfbTGuHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZdP6U/VvqF1shzlzbajc1AHXg7l8xnT91gCFUxMg7ADMEr7316SnTFUg/DkeItL9jgqZqn87qt5+hi6rEkkUrB6eL1/2M2EutyGttYOlqFBnPtuxGOEY0b9Scf4qq4MaaXY7JyAYzW2Q+irpQZTWgqalO4JIUJo5FhwNYoDBPInKY+DO5AAL2fiGE1g65rIQ3vxA5KyA7wZi/pDRFN3uPLaOb91wsZOHQfRkOKPzmU1gPgG39UmRzflSz0QUpnmbI4lomwvnJMVc3pJTerfEocccBmP2hNgn9IQ3DCzaYTErDtaEjxBdZMM5H4HskOLb+SRYUP ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/53559f29a53d0f6d

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

TTPs:

File Deletion Inhibit System Recovery

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CompressWait.raw => C:\Users\Admin\Pictures\CompressWait.raw.zvryionlnm	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File renamed	C:\Users\Admin\Pictures\InitializeStart.raw => C:\Users\Admin\Pictures\InitializeStart.raw.zvryionlnm	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File renamed	C:\Users\Admin\Pictures\RemoveStep.crw => C:\Users\Admin\Pictures\RemoveStep.crw.zvryionlnm	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File renamed	C:\Users\Admin\Pictures\CloseGroup.png => C:\Users\Admin\Pictures\CloseGroup.png.zvryionlnm	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Drops startup file 2 IoCs

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ZVRYIONLNM-DECRYPT.txt	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\a53d088da53d0f6141c.lock	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

TTPs:

Data from Local System Credentials in Files

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

TTPs:

Query Registry Peripheral Device Discovery System Information Discovery

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	ioc	process
File opened (read-only)	\??\W:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\X:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\Y:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\B:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\F:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\M:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\Q:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\R:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\T:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\V:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\Z:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\H:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\L:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\P:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\J:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\K:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\N:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\O:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\S:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\A:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\E:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\G:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\I:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened (read-only)	\??\U:	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

TTPs:

Defacement Modify Registry

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Drops file in Program Files directory 23 IoCs

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\UnprotectStart.iso	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\MeasureInitialize.iso	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\RemoveStop.DVR-MS	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\UnblockSubmit.ppt	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\UndoImport.ini	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created	C:\Program Files\a53d088da53d0f6141c.lock	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\EditConvert.dot	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\EnterStart.temp	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\InitializeCompress.eprtx	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created	C:\Program Files (x86)\ZVRYIONLNM-DECRYPT.txt	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created	C:\Program Files (x86)\a53d088da53d0f6141c.lock	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\DebugUnprotect.mpv2	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\HideUnblock.mp2v	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\AddCheckpoint.docm	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\AssertWrite.7z	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\CompressSwitch.ods	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\ConfirmWait.WTV	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\NewShow.wma	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\StopConfirm.ods	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File created	C:\Program Files\ZVRYIONLNM-DECRYPT.txt	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\AssertStep.ppsx	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\ExitSearch.potx	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
File opened for modification	C:\Program Files\ImportRevoke.txt	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

TTPs:

Install Root Certificate Modify Registry

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

pid	process
2276	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
2276	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
2276	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
2276	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

wmic.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2128	wmic.exe
Token: SeSecurityPrivilege	2128	wmic.exe
Token: SeTakeOwnershipPrivilege	2128	wmic.exe
Token: SeLoadDriverPrivilege	2128	wmic.exe
Token: SeSystemProfilePrivilege	2128	wmic.exe
Token: SeSystemtimePrivilege	2128	wmic.exe
Token: SeProfSingleProcessPrivilege	2128	wmic.exe
Token: SeIncBasePriorityPrivilege	2128	wmic.exe
Token: SeCreatePagefilePrivilege	2128	wmic.exe
Token: SeBackupPrivilege	2128	wmic.exe
Token: SeRestorePrivilege	2128	wmic.exe
Token: SeShutdownPrivilege	2128	wmic.exe
Token: SeDebugPrivilege	2128	wmic.exe
Token: SeSystemEnvironmentPrivilege	2128	wmic.exe
Token: SeRemoteShutdownPrivilege	2128	wmic.exe
Token: SeUndockPrivilege	2128	wmic.exe
Token: SeManageVolumePrivilege	2128	wmic.exe
Token: 33	2128	wmic.exe
Token: 34	2128	wmic.exe
Token: 35	2128	wmic.exe
Token: 36	2128	wmic.exe
Token: SeIncreaseQuotaPrivilege	2128	wmic.exe
Token: SeSecurityPrivilege	2128	wmic.exe
Token: SeTakeOwnershipPrivilege	2128	wmic.exe
Token: SeLoadDriverPrivilege	2128	wmic.exe
Token: SeSystemProfilePrivilege	2128	wmic.exe
Token: SeSystemtimePrivilege	2128	wmic.exe
Token: SeProfSingleProcessPrivilege	2128	wmic.exe
Token: SeIncBasePriorityPrivilege	2128	wmic.exe
Token: SeCreatePagefilePrivilege	2128	wmic.exe
Token: SeBackupPrivilege	2128	wmic.exe
Token: SeRestorePrivilege	2128	wmic.exe
Token: SeShutdownPrivilege	2128	wmic.exe
Token: SeDebugPrivilege	2128	wmic.exe
Token: SeSystemEnvironmentPrivilege	2128	wmic.exe
Token: SeRemoteShutdownPrivilege	2128	wmic.exe
Token: SeUndockPrivilege	2128	wmic.exe
Token: SeManageVolumePrivilege	2128	wmic.exe
Token: 33	2128	wmic.exe
Token: 34	2128	wmic.exe
Token: 35	2128	wmic.exe
Token: 36	2128	wmic.exe
Token: SeBackupPrivilege	608	vssvc.exe
Token: SeRestorePrivilege	608	vssvc.exe
Token: SeAuditPrivilege	608	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

description	pid	process	target process
PID 2276 wrote to memory of 2128	2276	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe	wmic.exe
PID 2276 wrote to memory of 2128	2276	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe	wmic.exe
PID 2276 wrote to memory of 2128	2276	872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe

"C:\Users\Admin\AppData\Local\Temp\872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe"

Modifies extensions of user files
Drops startup file
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

PID:2276

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

Suspicious use of AdjustPrivilegeToken

PID:2128

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Suspicious use of AdjustPrivilegeToken

PID:608

Network

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Exfiltration

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

memory/2128-115-0x0000000000000000-mapping.dmp

Download