Resubmissions
- 20-01-2022 19:26  220120-x5jhrsbcdl  10
- 17-01-2022 16:56  220117-vf67esbcd8  10
- 17-01-2022 16:16  220117-tqyscsbedr  10
- 09-12-2021 23:18  211209-299yqseee9  1

Analysis
- Max time kernel: 1203s
- Max time network: 756s
- Platform: windows10_x64
- Resource: win10-en-20211208
- Submitted: 17-01-2022 16:16

Static task: static1
Behavioral task: behavioral1
- Sample: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
- Resource: win10-en-20211208

General
- Target: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
- Size: 2.2MB
- MD5: aea5d3cced6725f37e2c3797735e6467
- SHA1: 087497940a41d96e4e907b6dc92f75f4a38d861a
- SHA256: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83
- SHA512: 5489753ae1c3ba0dbd3e0ce1b78b0ccba045e534e77fb87c80d56b16229f928c46a15721020142bbc6bd4d1ba5c295f4bec3596efa7b46c906889c156dadbd66
Malware Config
Extracted
\??\Z:\RECOVER-sykffle-FILES.txt
http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21
http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=GfjBJOpvNRomDHpgsWFmQevkENCHPGoFVXNvOwZ5qtw6SKG8kCp%2FQXB0CKxe6xRLJeFStrmxxrCbQi69Lel21pyJ91hmeQKjk%2Ben10Sqh2b01bhXSjaFMUD0e5%2BXGhwxDwqQoRUyKT7vev%2BM9KxFzS8VnaZiT9nCM3z26ET%2Fd3GfFWYXI3ecK8mMbLKf1%2BWlmff363dOih4kRUyk8hEabXK3EYFMuN5cVuR%2FI3J8sLIeeDJ9DizQRIUd2lRlXAFjX0z6sIOWNrj0YJ7tdcSzU5t2y015GAfb3D4L0XlSBjONqAY%2BwKQqk6XQ3TonZw39LdyjfbJQcyfc6uxssBhoUA%3D%3D
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (13 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
| description | ioc | process |
|---|---|---|
| File renamed | C:\Users\Admin\Pictures\DenyStep.tiff => C:\Users\Admin\Pictures\DenyStep.tiff.sykffle | moo.exe |
| File renamed | C:\Users\Admin\Pictures\DisconnectProtect.tif => C:\Users\Admin\Pictures\DisconnectProtect.tif.sykffle | moo.exe |
| File renamed | C:\Users\Admin\Pictures\FindSplit.crw => C:\Users\Admin\Pictures\FindSplit.crw.sykffle | moo.exe |
| File renamed | C:\Users\Admin\Pictures\UnblockConvertFrom.tif => C:\Users\Admin\Pictures\UnblockConvertFrom.tif.sykffle | moo.exe |
| File opened for modification | C:\Users\Admin\Pictures\UnblockConvertFrom.tif.sykffle | moo.exe |
| File renamed | C:\Users\Admin\Pictures\AddDisconnect.png => C:\Users\Admin\Pictures\AddDisconnect.png.sykffle | moo.exe |
| File opened for modification | C:\Users\Admin\Pictures\AddDisconnect.png.sykffle | moo.exe |
| File opened for modification | C:\Users\Admin\Pictures\DisconnectProtect.tif.sykffle | moo.exe |
| File opened for modification | C:\Users\Admin\Pictures\FindSplit.crw.sykffle | moo.exe |
| File renamed | C:\Users\Admin\Pictures\UnprotectLock.raw => C:\Users\Admin\Pictures\UnprotectLock.raw.sykffle | moo.exe |
| File opened for modification | C:\Users\Admin\Pictures\UnprotectLock.raw.sykffle | moo.exe |
| File opened for modification | C:\Users\Admin\Pictures\DenyStep.tiff | moo.exe |
| File opened for modification | C:\Users\Admin\Pictures\DenyStep.tiff.sykffle | moo.exe |
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
| description | ioc | process |
|---|---|---|
| File opened (read-only) | \??\Z: | moo.exe |
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes:
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png" | moo.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png" | moo.exe |
Drops file in Windows directory (2 IoCs)
Processes:
| description | ioc | process |
|---|---|---|
| File created | C:\Windows\rescache\_merged\4183903823\97717462.pri | taskmgr.exe |
| File created | C:\Windows\rescache\_merged\1601268389\1361672858.pri | taskmgr.exe |
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe |
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
| pid | process |
|---|---|
| 3216 | vssadmin.exe |
| 2024 | vssadmin.exe |
Modifies Control Panel (1 IoC)
Processes:
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\WallpaperStyle = "0" | moo.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
| pid | process | entries |
|---|---|---|
| 2008 | taskmgr.exe | 64 (identical entries) |
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
| pid | process |
|---|---|
| 2008 | taskmgr.exe |
Suspicious behavior: RenamesItself (1 IoC)
Processes:
| pid | process |
|---|---|
| 384 | cmd.exe |
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
| description | pid | process | entries |
|---|---|---|---|
| Token: SeDebugPrivilege | 2008 | taskmgr.exe | 1 |
| Token: SeSystemProfilePrivilege | 2008 | taskmgr.exe | 1 |
| Token: SeCreateGlobalPrivilege | 2008 | taskmgr.exe | 1 |
| Token: SeIncreaseQuotaPrivilege | 1688 | WMIC.exe | 2 |
| Token: SeSecurityPrivilege | 1688 | WMIC.exe | 2 |
| Token: SeTakeOwnershipPrivilege | 1688 | WMIC.exe | 2 |
| Token: SeLoadDriverPrivilege | 1688 | WMIC.exe | 2 |
| Token: SeSystemProfilePrivilege | 1688 | WMIC.exe | 2 |
| Token: SeSystemtimePrivilege | 1688 | WMIC.exe | 2 |
| Token: SeProfSingleProcessPrivilege | 1688 | WMIC.exe | 2 |
| Token: SeIncBasePriorityPrivilege | 1688 | WMIC.exe | 2 |
| Token: SeCreatePagefilePrivilege | 1688 | WMIC.exe | 2 |
| Token: SeBackupPrivilege | 1688 | WMIC.exe | 2 |
| Token: SeRestorePrivilege | 1688 | WMIC.exe | 2 |
| Token: SeShutdownPrivilege | 1688 | WMIC.exe | 2 |
| Token: SeDebugPrivilege | 1688 | WMIC.exe | 2 |
| Token: SeSystemEnvironmentPrivilege | 1688 | WMIC.exe | 2 |
| Token: SeRemoteShutdownPrivilege | 1688 | WMIC.exe | 2 |
| Token: SeUndockPrivilege | 1688 | WMIC.exe | 2 |
| Token: SeManageVolumePrivilege | 1688 | WMIC.exe | 2 |
| Token: 33 | 1688 | WMIC.exe | 2 |
| Token: 34 | 1688 | WMIC.exe | 2 |
| Token: 35 | 1688 | WMIC.exe | 2 |
| Token: 36 | 1688 | WMIC.exe | 2 |
| Token: SeBackupPrivilege | 1348 | vssvc.exe | 1 |
| Token: SeRestorePrivilege | 1348 | vssvc.exe | 1 |
| Token: SeAuditPrivilege | 1348 | vssvc.exe | 1 |
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
| pid | process | entries |
|---|---|---|
| 2008 | taskmgr.exe | 64 (identical entries) |
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
| pid | process | entries |
|---|---|---|
| 2008 | taskmgr.exe | 64 (identical entries) |
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (in this table, bin.exe stands for 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe; each write is recorded the number of times given in the last column):
| source pid | source process | target pid | target process | entries |
|---|---|---|---|---|
| 384 | cmd.exe | 3948 | bin.exe | 3 |
| 384 | cmd.exe | 2064 | bin.exe | 3 |
| 384 | cmd.exe | 3780 | bin.exe | 3 |
| 384 | cmd.exe | 2052 | bin.exe | 3 |
| 384 | cmd.exe | 1776 | bin.exe | 3 |
| 384 | cmd.exe | 3792 | bin.exe | 3 |
| 384 | cmd.exe | 3380 | bin.exe | 3 |
| 384 | cmd.exe | 3968 | bin.exe | 3 |
| 384 | cmd.exe | 3592 | bin.exe | 3 |
| 384 | cmd.exe | 684 | bin.exe | 3 |
| 384 | cmd.exe | 2096 | bin.exe | 3 |
| 384 | cmd.exe | 3544 | bin.exe | 3 |
| 384 | cmd.exe | 4088 | moo.exe | 3 |
| 384 | cmd.exe | 2624 | moo.exe | 3 |
| 384 | cmd.exe | 936 | moo.exe | 3 |
| 384 | cmd.exe | 1336 | moo.exe | 3 |
| 384 | cmd.exe | 2012 | moo.exe | 3 |
| 384 | cmd.exe | 1328 | moo.exe | 3 |
| 1328 | moo.exe | 2708 | cmd.exe | 3 |
| 2708 | cmd.exe | 1688 | WMIC.exe | 3 |
| 1328 | moo.exe | 2260 | cmd.exe | 3 |
| 2260 | cmd.exe | 2780 | fsutil.exe | 1 |
Processes
(process tree; indentation shows parent/child depth, each entry gives the image path, its command line, and the signatures it triggered)

- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help
- C:\Windows\system32\cmd.exe
  command line: "C:\Windows\system32\cmd.exe"
  signatures: Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help
  - C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help
  - C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help
  - C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help
  - C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help
  - C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help
  - C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help
  - C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help
  - C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -u
  - C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --ui
  - C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -v
  - C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --version
  - C:\Users\Admin\AppData\Local\Temp\moo.exe
    command line: moo -v
  - C:\Users\Admin\AppData\Local\Temp\moo.exe
    command line: moo -h
  - C:\Users\Admin\AppData\Local\Temp\moo.exe
    command line: moo --help
  - C:\Users\Admin\AppData\Local\Temp\moo.exe
    command line: moo --ui
  - C:\Users\Admin\AppData\Local\Temp\moo.exe
    command line: moo -V
  - C:\Users\Admin\AppData\Local\Temp\moo.exe
    command line: moo -v -a monkeynuts
    signatures: Modifies extensions of user files; Enumerates connected drives; Sets desktop wallpaper using registry; Modifies Control Panel; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "cmd" /c "wmic csproduct get UUID"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic csproduct get UUID
        signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      command line: "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\fsutil.exe
        command line: fsutil behavior set SymlinkEvaluation R2L:1
    - C:\Windows\SysWOW64\cmd.exe
      command line: "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
      - C:\Windows\SysWOW64\fsutil.exe
        command line: fsutil behavior set SymlinkEvaluation R2R:1
    - C:\Windows\SysWOW64\cmd.exe
      command line: "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
      - C:\Windows\SysWOW64\reg.exe
        command line: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
    - C:\Windows\SYSTEM32\cmd.exe
      command line: "cmd" /c "vssadmin.exe delete shadows /all /quiet"
      - C:\Windows\system32\vssadmin.exe
        command line: vssadmin.exe delete shadows /all /quiet
        signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\cmd.exe
      command line: "cmd" /c "arp -a"
      - C:\Windows\SysWOW64\ARP.EXE
        command line: arp -a
    - C:\Windows\SYSTEM32\cmd.exe
      command line: "cmd" /c "vssadmin.exe delete shadows /all /quiet"
      - C:\Windows\system32\vssadmin.exe
        command line: vssadmin.exe delete shadows /all /quiet
        signatures: Interacts with shadow copies
- C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  signatures: Drops file in Windows directory; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\notepad.exe
  command line: "C:\Windows\system32\notepad.exe"