Analysis
max time kernel: 110s
max time network: 119s
platform: windows10_x64
resource: win10-en-20211208
submitted: 19-12-2021 09:35
Static task: static1
Behavioral task: behavioral1
Sample: e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
Resource: win10-en-20211208
General
Target: e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
Size: 549KB
MD5: 0aef3aef127a4f780fc0166e4ed8ebac
SHA1: de5e59cd81f17027d811400bc7d48765e1d55df2
SHA256: e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152
SHA512: 1cd35a889aebf12b42b43eb83aa8c224e1896045c37b0f08f89b5910ff55e15bcba9e215f97ead7432dc47796263508906287e184ab9f6c602097f7eb93ce5fa
Malware Config
Extracted: C:\Windows\Tasks\readme-warning.txt
  https://tox.chat/
Extracted: redline
  10
  18.191.251.199:45097
Signatures

MAKOP ransomware payload (3 IoCs)
Processes:
  resource                    yara_rule
  C:\Windows\Tasks\wmi.exe    family_makop
  C:\Windows\Tasks\wmi.exe    family_makop
  C:\Windows\Tasks\wmi.exe    family_makop
Makop
Ransomware family discovered by @VK_Intel in early 2020.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/892-122-0x0000000000400000-0x0000000000422000-memory.dmp    family_redline
  behavioral1/memory/892-123-0x0000000000419322-mapping.dmp                      family_redline
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Processes:
  pid    process
  668    wbadmin.exe
Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
Processes:
  pid     process
  64      condition.exe
  2024    wmi.exe
  2284    wmi.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                           pid     process                                                                  target process
  PID 3052 set thread context of 892    3052    e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe    e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (7 IoCs)
Processes:
  description                     ioc                                    process
  File created                    C:\Windows\Tasks\readme-warning.txt    wmi.exe
  File opened for modification    C:\Windows\Logs\DISM\dism.log          Dism.exe
  File created                    C:\Windows\Tasks\wmi.exe               e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
  File created                    C:\Windows\Tasks\SA.abf                e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
  File created                    C:\Windows\Tasks\condition.exe         e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
  File opened for modification    C:\Windows\Tasks\SA.abf                wmi.exe
  File opened for modification    C:\Windows\Tasks\SA.DAT                wmi.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description          ioc                                                                                                                  process
  Key opened           \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000                    vds.exe
  Key value queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName       vds.exe
  Key opened           \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000               vds.exe
  Key value queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  vds.exe
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid     process
  1116    vssadmin.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  pid     process
  4060    powershell.exe
  4060    powershell.exe
  4060    powershell.exe
  64      condition.exe
  64      condition.exe
  2024    wmi.exe
  2024    wmi.exe
Suspicious use of AdjustPrivilegeToken (52 IoCs; rows grouped by process, the WMIC.exe sequence appears twice in the original)
Processes:
  pid     process                                                                  Token:
  3052    e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe    SeDebugPrivilege
  892     e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe    SeDebugPrivilege
  4060    powershell.exe                                                           SeDebugPrivilege
  64      condition.exe                                                            SeDebugPrivilege
  780     vssvc.exe                                                                SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  1640    wbengine.exe                                                             SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  1952    WMIC.exe                                                                 SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence is recorded twice)
Suspicious use of WriteProcessMemory (46 IoCs; identical rows collapsed, repeat count in brackets)
Processes:
  description                          pid     process                                                                  target process
  PID 3052 wrote to memory of 916      3052    e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe    e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe [x3]
  PID 3052 wrote to memory of 892      3052    e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe    e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe [x8]
  PID 892 wrote to memory of 604       892     e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe    cmd.exe [x3]
  PID 604 wrote to memory of 1052      604     cmd.exe                                                                  cmd.exe [x3]
  PID 1052 wrote to memory of 712      1052    cmd.exe                                                                  reg.exe [x3]
  PID 604 wrote to memory of 1256      604     cmd.exe                                                                  reg.exe [x3]
  PID 604 wrote to memory of 4060      604     cmd.exe                                                                  powershell.exe [x3]
  PID 604 wrote to memory of 2808      604     cmd.exe                                                                  Dism.exe [x3]
  PID 892 wrote to memory of 64        892     e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe    condition.exe [x3]
  PID 64 wrote to memory of 3664       64      condition.exe                                                            cmd.exe [x3]
  PID 3664 wrote to memory of 2024     3664    cmd.exe                                                                  wmi.exe [x3]
  PID 2024 wrote to memory of 2616     2024    wmi.exe                                                                  cmd.exe [x2]
  PID 2616 wrote to memory of 1116     2616    cmd.exe                                                                  vssadmin.exe [x2]
  PID 2616 wrote to memory of 668      2616    cmd.exe                                                                  wbadmin.exe [x2]
  PID 2616 wrote to memory of 1952     2616    cmd.exe                                                                  WMIC.exe [x2]
Processes
(indentation and the leading number show parent/child nesting depth; each entry gives the image path, its command line, and the signatures it triggered)

1  C:\Users\Admin\AppData\Local\Temp\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

  2  C:\Users\Admin\AppData\Local\Temp\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
     cmdline: C:\Users\Admin\AppData\Local\Temp\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe

  2  C:\Users\Admin\AppData\Local\Temp\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
     cmdline: C:\Users\Admin\AppData\Local\Temp\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe
     - Drops file in Windows directory
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\SysWOW64\cmd.exe
       cmdline: "cmd" /C cmd /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f & reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableRealtimeMonitoring $true" & dism /online /disable-feature /featurename:windows-defender /remove /norestart /quiet
       - Suspicious use of WriteProcessMemory

      4  C:\Windows\SysWOW64\cmd.exe
         cmdline: cmd /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
         - Suspicious use of WriteProcessMemory

        5  C:\Windows\SysWOW64\reg.exe
           cmdline: reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

      4  C:\Windows\SysWOW64\reg.exe
         cmdline: reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f

      4  \??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe
         cmdline: c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableRealtimeMonitoring $true"
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      4  C:\Windows\SysWOW64\Dism.exe
         cmdline: dism /online /disable-feature /featurename:windows-defender /remove /norestart /quiet
         - Drops file in Windows directory

    3  C:\Windows\Tasks\condition.exe
       cmdline: "C:\Windows\Tasks\condition.exe"
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory

      4  C:\Windows\SysWOW64\cmd.exe
         cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\Tasks\wmi.exe
         - Suspicious use of WriteProcessMemory

        5  C:\Windows\Tasks\wmi.exe
           cmdline: C:\Windows\Tasks\wmi.exe
           - Executes dropped EXE
           - Drops file in Program Files directory
           - Drops file in Windows directory
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of WriteProcessMemory

          6  C:\Windows\Tasks\wmi.exe
             cmdline: "C:\Windows\Tasks\wmi.exe" n2024
             - Executes dropped EXE

          6  C:\Windows\system32\cmd.exe
             cmdline: "C:\Windows\system32\cmd.exe"
             - Suspicious use of WriteProcessMemory

            7  C:\Windows\system32\vssadmin.exe
               cmdline: vssadmin delete shadows /all /quiet
               - Interacts with shadow copies

            7  C:\Windows\system32\wbadmin.exe
               cmdline: wbadmin delete catalog -quiet
               - Deletes backup catalog

            7  C:\Windows\System32\Wbem\WMIC.exe
               cmdline: wmic shadowcopy delete
               - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\system32\vssvc.exe
   cmdline: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\system32\wbengine.exe
   cmdline: "C:\Windows\system32\wbengine.exe"
   - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\System32\vdsldr.exe
   cmdline: C:\Windows\System32\vdsldr.exe -Embedding

1  C:\Windows\System32\vds.exe
   cmdline: C:\Windows\System32\vds.exe
   - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
(dropped files and their hashes; the condition.exe and wmi.exe entries are repeated in the original and are listed once here)

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152.exe.log
  MD5: 41fbed686f5700fc29aaccf83e8ba7fd
  SHA1: 5271bc29538f11e42a3b600c8dc727186e912456
  SHA256: df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
  SHA512: 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

C:\Windows\Tasks\SA.abf
  MD5: 3ecdeace2a9e31dd8174853dec020926
  SHA1: b83182c1cc6555bccbe675893c91f5e011eb417d
  SHA256: 54ce79542872a4f491f70eb56314f6e49282ede13e7d55662ef06c296d54aa54
  SHA512: c27f4fa8f6ef437a11ae361478249ab4ac601e45404cf3d8ddd613391a0711ab256ac5712ed31dbe905a6d5764054a01902303d944336b6d5f992a67fb919421

C:\Windows\Tasks\condition.exe
  MD5: 77641a8ced792a27d6e11d69d068ce17
  SHA1: 39153e51fd474b299087f4adba901a0cc064eb11
  SHA256: bdf924721a28595ab2d233ffbca8cea121194642786a76bfe1cd58f3721ed3b7
  SHA512: 83933db29bb384fd843ae0a25728c17180722c835e9f023dc4a4d7aac2c876851aa098aeb9893561bffd06682814fb1ca0b5359af7e46b19946e2ecfb38a6b2c

C:\Windows\Tasks\wmi.exe
  MD5: b114584d7fb38dae39cb48f466248961
  SHA1: 79baf946da58c3aadc0781eb7dd808b22100e44b
  SHA256: 414e6e1fd3889db48779b4452e28dca9371a552356f6a658b7b1ce005d3b1c27
  SHA512: 63fb0094f062e08926a1d0716e13a4e67eab50f0b115c92b8d9d182a56b5c0500c227887dde3075e11476229ff74db16c2aaf95bc36f4093834409cbe06fe2ee