Analysis
- max time kernel: 110s
- max time network: 101s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 21-10-2021 18:50
- Static task: static1
- Behavioral task: behavioral1
  Sample: Muisvc(unpacked).exe
  Resource: win7-en-20211014
- Behavioral task: behavioral2
  Sample: Muisvc(unpacked).exe
  Resource: win10-en-20210920
General
- Target: Muisvc(unpacked).exe
- Size: 1.0MB
- MD5: dee33a5b0f93ffbf6c5da9e376b89c9b
- SHA1: e5c0415345340ccec55c6e79503296a846db7a70
- SHA256: b654cc6156b8cb72642d97672847401552bf72b208d52047b2697612ef3107d1
- SHA512: 9ff39cbd360eca2adafd44f60064da2b6d7e1961599ef28de97d0582725d02c4a81e6429e2a9d33f389d175fb12136d190fd4d2188a44d50d02b2f1fede241c8
Malware Config
- Extracted: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\633754-readme.html
- Extracted: C:\633754-readme.html
  http://infernoyrxlapxaiq.onion
Signatures
- Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
- suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: Muisvc(unpacked).exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\MeasureRepair.tiff | Muisvc(unpacked).exe
  File renamed | C:\Users\Admin\Pictures\MeasureRepair.tiff => C:\Users\Admin\Pictures\MeasureRepair.tiff.avdn | Muisvc(unpacked).exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: Muisvc(unpacked).exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Muisvc(unpacked).exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Muisvc(unpacked).exe" | Muisvc(unpacked).exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run | Muisvc(unpacked).exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Muisvc(unpacked).exe" | Muisvc(unpacked).exe
- Checks whether UAC is enabled
  Processes: Muisvc(unpacked).exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Muisvc(unpacked).exe
- Drops desktop.ini file(s) (1 IoC)
  Processes: Muisvc(unpacked).exe
  description | ioc | process
  File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-2955169046-2371869340-1800780948-1000\desktop.ini | Muisvc(unpacked).exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: Muisvc(unpacked).exe
  description | ioc | process
  File opened (read-only) | \??\L: | Muisvc(unpacked).exe
  File opened (read-only) | \??\S: | Muisvc(unpacked).exe
  File opened (read-only) | \??\T: | Muisvc(unpacked).exe
  File opened (read-only) | \??\X: | Muisvc(unpacked).exe
  File opened (read-only) | \??\E: | Muisvc(unpacked).exe
  File opened (read-only) | \??\G: | Muisvc(unpacked).exe
  File opened (read-only) | \??\H: | Muisvc(unpacked).exe
  File opened (read-only) | \??\J: | Muisvc(unpacked).exe
  File opened (read-only) | \??\V: | Muisvc(unpacked).exe
  File opened (read-only) | \??\W: | Muisvc(unpacked).exe
  File opened (read-only) | \??\Z: | Muisvc(unpacked).exe
  File opened (read-only) | \??\I: | Muisvc(unpacked).exe
  File opened (read-only) | \??\P: | Muisvc(unpacked).exe
  File opened (read-only) | \??\Q: | Muisvc(unpacked).exe
  File opened (read-only) | \??\U: | Muisvc(unpacked).exe
  File opened (read-only) | \??\N: | Muisvc(unpacked).exe
  File opened (read-only) | \??\R: | Muisvc(unpacked).exe
  File opened (read-only) | \??\Y: | Muisvc(unpacked).exe
  File opened (read-only) | \??\A: | Muisvc(unpacked).exe
  File opened (read-only) | \??\B: | Muisvc(unpacked).exe
  File opened (read-only) | \??\K: | Muisvc(unpacked).exe
  File opened (read-only) | \??\M: | Muisvc(unpacked).exe
  File opened (read-only) | \??\F: | Muisvc(unpacked).exe
  File opened (read-only) | \??\O: | Muisvc(unpacked).exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  4 | api.myip.com
  5 | api.myip.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1816 | vssadmin.exe
  1948 | vssadmin.exe
  1724 | vssadmin.exe
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{22FD8B21-32B1-11EC-ADBE-4ECD28260268} = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not preserved in this copy of the report] | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102c20fabdc6d701 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb193600000000020000000000106600000001000020000000dd6711c8c1ab070ffd3c411bfa380c0f8f8b6f438c5511ef40aed5db7d43c670000000000e8000000002000020000000563276f9a78f988d7628ed584fe425ce22eb87ed179044f6f0566c82746bde63200000007d5fd87280d3c3d46c09f1e9718f6e3001bd2fd28b49f08233b00aa05a1f94d040000000e0f15322b80804485f801f3e9957b1365218c214f5d9acb82d6bff392a8bd55aa92ecd01f5be743e5b6273d44106fd9b0d9c06390600a2af43f28280c19932df | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: Muisvc(unpacked).exe
  pid | process
  1740 | Muisvc(unpacked).exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, vssvc.exe, AUDIODG.EXE
  description | pid | process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (one entry per privilege, 20 entries) | 564 | wmic.exe
  Token: the same 20 privileges as PID 564 (20 entries) | 1716 | wmic.exe
  Token: the same 20 privileges as PID 564 (20 entries) | 1728 | wmic.exe
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 entries) | 1364 | vssvc.exe
  Token: 33 (1 entry) | 1424 | AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: iexplore.exe
  pid | process
  304 | iexplore.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes: iexplore.exe, IEXPLORE.EXE
  pid | process
  304 | iexplore.exe (2 entries)
  324 | IEXPLORE.EXE (6 entries)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: Muisvc(unpacked).exe, iexplore.exe
  description | pid | process | target process (each row recorded 4 times)
  PID 1740 wrote to memory of 564 | 1740 | Muisvc(unpacked).exe | wmic.exe
  PID 1740 wrote to memory of 1816 | 1740 | Muisvc(unpacked).exe | vssadmin.exe
  PID 1740 wrote to memory of 1716 | 1740 | Muisvc(unpacked).exe | wmic.exe
  PID 1740 wrote to memory of 1948 | 1740 | Muisvc(unpacked).exe | vssadmin.exe
  PID 1740 wrote to memory of 1728 | 1740 | Muisvc(unpacked).exe | wmic.exe
  PID 1740 wrote to memory of 1724 | 1740 | Muisvc(unpacked).exe | vssadmin.exe
  PID 304 wrote to memory of 324 | 304 | iexplore.exe | IEXPLORE.EXE
- System policy modification (1 TTP, 3 IoCs)
  Processes: Muisvc(unpacked).exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Muisvc(unpacked).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | Muisvc(unpacked).exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Muisvc(unpacked).exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Muisvc(unpacked).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Muisvc(unpacked).exe"
  Signatures:
  - Modifies extensions of user files
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures:
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures:
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures:
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x59c
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\633754-readme.html
  Signatures:
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:304 CREDAT:275457 /prefetch:2
    Signatures:
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Downloads
- C:\633754-readme.html
  MD5: 3ade478a30c55cdeec2ef3db51b60503
  SHA1: 5171287ad45694aed083dde0c40a5e44258f8b9d
  SHA256: e340777458c2a119c4edcc6c7dfe5b7b47dfc2d720c41c4bcab8e5c197bf6ac8
  SHA512: 7de89f8198e9cc939e14afbac1da8996314b7c3ac117a1c7a89f9aa00bb64663e21288543d1dec43fd1028c68e3aef0c2d0c8d852af3b5510e15f56dbfd6472d
- memory/324-64-0x0000000000000000-mapping.dmp
- memory/564-57-0x0000000000000000-mapping.dmp
- memory/1360-63-0x000007FEFC371000-0x000007FEFC373000-memory.dmp (Filesize: 8KB)
- memory/1716-59-0x0000000000000000-mapping.dmp
- memory/1724-62-0x0000000000000000-mapping.dmp
- memory/1728-61-0x0000000000000000-mapping.dmp
- memory/1740-55-0x0000000075BA1000-0x0000000075BA3000-memory.dmp (Filesize: 8KB)
- memory/1740-56-0x0000000000A70000-0x0000000000B7A000-memory.dmp (Filesize: 1.0MB)
- memory/1816-58-0x0000000000000000-mapping.dmp
- memory/1948-60-0x0000000000000000-mapping.dmp