gandcrab | 4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f

General

Target

4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
Size

192KB
MD5

2e99d80a8b6534a2604d5ea918a3879e
SHA1

be0101b10243aa75b4d003a8eb47c2c06aa32cb2
SHA256

4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f
SHA512

71ae3aecee68777b324d36b1850bd14cab244290232584d4d7d6ce1ab276e5540ac12d3bfe3fde5d411ba201e7062e067e914b12e311adaaf4aaa59f590f2d46

Score

10^/10

gandcrab backdoor ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\KRAB-DECRYPT.txt

Ransom Note

---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/5775be967041606 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAEJesQTpnaqr/v/fgRJgW/qNkp6ygraL1mE2Ktxp7B4u7PDsWJrMGcF45g36c61SECIWZwplCrfydt1gP/MA7UOJiwCmNGpVVy3bS4h2RBUJpuaUbSDrleQNz9idOCH+sowbnwBCEhsheRNuJ/epF8Re9a1CfZIkE+FzXR15k8uA39VuSGduwY9mTYRXA1E/XrRBoFoxnC4lYsEe72rwEF6ouPDgVKMCagNDVjINGVKSoMZOPt6ihwVLt0S7+vhTWcN+POVKZuGt5dXTJ4W6quCe89eMnjgnK6oME7mM7MT3kyBVdvhbZ1xP8nN1J475jxrBpegZu4LIoTLmTCI6Yg/fixjZyOaa0M0sOr4XU5i5DACXzJyXXGnkRNIENFg3q/4i2dJZnV73ojDPlxa+H/VWA/JD5D9OlgJVLW1bCBe2GRL+pdpkHn+Cnhx8hUHi+ye4f3I1QTeo4UvnROmMZYvrI0+Vew6PHvr95j1TORZVe20YnurSP7Pgfvray2gUHu4TDw1GObSr3Jtgef/YklGj7670Fk94OTGIZovv8zWHdvf/6xI4LOfyFNvjM59O51wL/wpXd4ReSsZNNFNx8zXebPnskq9cbdAclpPM7UYIgq7K1vaArckQAohGPYzHTXk2y3Nb0C9LtHuaa6V/OKCWmbbmVsvaVuPJhjCncDZ32QyQPQGoWSK5OQ63/ArVkv54FyeBJDLl7q6OI9JDm45zzP9aZDXPyrsDKPKMgv0maBgRiHcmpr+AeD06xV5Y5Gm2efIZjnqsyFU6mV61WzU5xEmK/BumHkywtysHPhv/ouTEtthB3aME/gCIYrETFRR9leuETnkk+Di+M7iUfNPJ5U2DjYQk397nFDsbW43aMJ0MCd8NbmOwl6xuAj9bovoh72zwfHY3+ulTElBRMFM8sIozASqo9TNBSNdf1UAffI7c1pMOlO7ycoMjFlKQe632Br/NFDkrfIuG2fifbWZ9zrYYJ03uiPh9b0Yd59K0APlYrK9waGM2S/Vdb4c8i0d9JmMtKwdZrYDnEf7QR3gK7FDcEu/bt8j+csERcmcAfzUu7cuibaIxA9YE6xCA5eeqtBQvz/8HUSt6OBz66Dhu8GJHu0FbzEv5WcNjuc31vDCymEyWqTzvXSDnM9ipyLg2PesGkm6ArICWcAjy65+6ajWDc/dTX/wPQKb0WwnijIXpD5vDaVso+9jkqgng2H9gGDAHSlXQk2ypUBXPDIEUWwzPSMhsUNzD4ikd3LrkvK0gjbL9/JFmXZN+np1NDfKlOyU2U8zZi09sXbKF2d7CqB4rJ/Xe1vm3uKMGoc9HLdMoSTgqt+vuBn0UiiR5vRiRUXonAgj0GAYo9Gu+VzWOAQz6KK74S9jHTHu/A2RhBUzM/s5hgDaLbaHPYBeS5SWgTx5uwxCGoVTZm2JlWg07We7KHQOSyu3evY9pn65vWuxp+Lo09ec29VW1aFaj2ptwIoYu7n147nij+oScGpDdnrTNBwbUVnLO97zHA/MgAnC6YPiJv+GoTM39ScQope12QaFmxBrY3TOzp3x6ZS+S4MWrBWKPDqLOysKtXoB5X/uTqfW+yEnBgBL04XqbWPHWkEbtFv3Dm0DJ7ebf/TkDUlbEm491JShe3y+yZJpZxvMEH31HgkB9Oxze2bt1uheaXa9VbQm6kdNGpc/I0QmuPOL6px+AUj4mbflDo/1GwbyLXrVgWxlj0fzLfX0U3xMkOKt26xQ7kX/cy43q7IBRnx3hcnVEXBaXPliI1tC+8RiTOub52COJHITX1mJZH+di2sMFi9Spb8uefS8Q/A7iDWv9gtD2U5h9RTl+eUgDLSbC18BLm4sOScQBSXko0APXMaOt5VuvvON9FDgDPxQ95RHBzvWjQFdhtP//KtZh7+37rf4ubUcX+tklXTAhmqRNbXayhSr74iHN2nxuRF71D8slSKY1XXnVYwZaRNowaBk2oPRvzRm8Yw/bzZ0lKsxEOZMiUxL1hfzQJcfghde60rLIyPJQGbqlKM8gFbujIZ3WCQ6Bi62OLzUU926V+BiQnbqHLuhARqhpXPl4psZlREXbHI0vLp3g9Vr8SV92fhzP7CcOkDMt2rRqOi89sPIGdEkYmPLEKv2SHcS/oLcR9MaNDtLjGyBCA/Nw1mvHLj/eZu+MZdlBueyp4fpcf8hg7qQ0FzRE58dc+rM42IXG8UK5ra8g4CpPHus7B6V7cpz+/MTedwOApdBMJarrgu9q+9M= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZaTp9RtXYU7nBWsLfMTGiHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZdP6U/VvqF1shzlzbajc1AHXg7l8xnT91gCFUxMg7ADMEr7316SnTFUg/DkeItL9jgqZqn97qv5+hisbEnkUHB5uKj/2Y2FesnGt1YbFqFBjHt9RGCEY0brCdh4tO4TaaYY6NyHIzX2RSiw5QcTWsqa1O5JIMJoZFrwNAoDBPBnKk+Fe5dALqfjmE2g6RrLQ3pxA5Kww7wZijpDxFb3qzLZeak1w8ZOHQARhaKOTmD1j7gLX9ZmUXfnSzyQU5ni7JolpqwqXJNVdfpIzeqfBkceMB9P3VNlH8HQyLCn6YbErztckilBdpMPJGpHsYO ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/5775be967041606

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe

pid process

1484 4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe

pid	process
1484	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ConvertFromWatch.tif => C:\Users\Admin\Pictures\ConvertFromWatch.tif.KRAB	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Users\Admin\Pictures\ExitDisable.tiff	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File renamed	C:\Users\Admin\Pictures\ExitDisable.tiff => C:\Users\Admin\Pictures\ExitDisable.tiff.KRAB	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File renamed	C:\Users\Admin\Pictures\GetConvert.raw => C:\Users\Admin\Pictures\GetConvert.raw.KRAB	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File renamed	C:\Users\Admin\Pictures\RevokeShow.crw => C:\Users\Admin\Pictures\RevokeShow.crw.KRAB	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File renamed	C:\Users\Admin\Pictures\ClearUnblock.tif => C:\Users\Admin\Pictures\ClearUnblock.tif.KRAB	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File renamed	C:\Users\Admin\Pictures\UnblockRead.crw => C:\Users\Admin\Pictures\UnblockRead.crw.KRAB	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File renamed	C:\Users\Admin\Pictures\UnregisterUninstall.raw => C:\Users\Admin\Pictures\UnregisterUninstall.raw.KRAB	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File renamed	C:\Users\Admin\Pictures\ConvertUndo.raw => C:\Users\Admin\Pictures\ConvertUndo.raw.KRAB	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1484-122-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/1484-120-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1484-123-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/1484-125-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\670411e66704160c74.lock	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe

description	ioc	process
File opened (read-only)	\??\G:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\J:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\L:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\M:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\Q:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\R:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\T:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\F:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\Y:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\V:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\H:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\I:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\S:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\Z:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\A:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\P:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\U:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\X:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\B:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\K:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\N:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\O:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\W:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened (read-only)	\??\E:	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe

Drops file in Program Files directory 35 IoCs

Processes:

4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe

description	ioc	process
File opened for modification	C:\Program Files\InvokeMount.xsl	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\RedoNew.vbe	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\BackupClose.bin	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\EditExit.docx	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\ExpandGet.mpe	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\OutGroup.jpg	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\PingUnpublish.xlsm	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\SuspendEnter.ttc	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\UnregisterOut.wmv	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File created	C:\Program Files (x86)\KRAB-DECRYPT.txt	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\CompareClear.ini	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\ReceiveResolve.bmp	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File created	C:\Program Files (x86)\670411e66704160c74.lock	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\ClosePublish.vsx	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File created	C:\Program Files\670411e66704160c74.lock	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\ApproveMeasure.wps	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\ImportClose.001	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\InitializeSubmit.wmv	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File created	C:\Program Files\KRAB-DECRYPT.txt	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\RestartTrace.jpeg	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\GrantRequest.au3	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\ApproveProtect.asp	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\InvokeEnable.xml	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\LockSuspend.rm	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\MergeUse.MTS	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\MountShow.pcx	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\PingDismount.txt	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\SaveCompress.mht	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\AddConfirm.TTS	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\EditGrant.dotm	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\ProtectConvertFrom.DVR	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\StepAssert.xsl	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\StepOpen.i64	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\StopBlock.asf	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
File opened for modification	C:\Program Files\ClearGrant.dotm	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15987351-5B13-11EC-9231-6E964C5F562A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{15987353-5B13-11EC-9231-6E964C5F562A}.dat = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe

pid	process
1560	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
1560	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
1560	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
1560	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
1484	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
1484	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
1484	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
1484	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
1484	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
1484	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
1484	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
1484	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exewmic.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1484	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
Token: SeIncreaseQuotaPrivilege	1740	wmic.exe
Token: SeSecurityPrivilege	1740	wmic.exe
Token: SeTakeOwnershipPrivilege	1740	wmic.exe
Token: SeLoadDriverPrivilege	1740	wmic.exe
Token: SeSystemProfilePrivilege	1740	wmic.exe
Token: SeSystemtimePrivilege	1740	wmic.exe
Token: SeProfSingleProcessPrivilege	1740	wmic.exe
Token: SeIncBasePriorityPrivilege	1740	wmic.exe
Token: SeCreatePagefilePrivilege	1740	wmic.exe
Token: SeBackupPrivilege	1740	wmic.exe
Token: SeRestorePrivilege	1740	wmic.exe
Token: SeShutdownPrivilege	1740	wmic.exe
Token: SeDebugPrivilege	1740	wmic.exe
Token: SeSystemEnvironmentPrivilege	1740	wmic.exe
Token: SeRemoteShutdownPrivilege	1740	wmic.exe
Token: SeUndockPrivilege	1740	wmic.exe
Token: SeManageVolumePrivilege	1740	wmic.exe
Token: 33	1740	wmic.exe
Token: 34	1740	wmic.exe
Token: 35	1740	wmic.exe
Token: 36	1740	wmic.exe
Token: SeIncreaseQuotaPrivilege	1740	wmic.exe
Token: SeSecurityPrivilege	1740	wmic.exe
Token: SeTakeOwnershipPrivilege	1740	wmic.exe
Token: SeLoadDriverPrivilege	1740	wmic.exe
Token: SeSystemProfilePrivilege	1740	wmic.exe
Token: SeSystemtimePrivilege	1740	wmic.exe
Token: SeProfSingleProcessPrivilege	1740	wmic.exe
Token: SeIncBasePriorityPrivilege	1740	wmic.exe
Token: SeCreatePagefilePrivilege	1740	wmic.exe
Token: SeBackupPrivilege	1740	wmic.exe
Token: SeRestorePrivilege	1740	wmic.exe
Token: SeShutdownPrivilege	1740	wmic.exe
Token: SeDebugPrivilege	1740	wmic.exe
Token: SeSystemEnvironmentPrivilege	1740	wmic.exe
Token: SeRemoteShutdownPrivilege	1740	wmic.exe
Token: SeUndockPrivilege	1740	wmic.exe
Token: SeManageVolumePrivilege	1740	wmic.exe
Token: 33	1740	wmic.exe
Token: 34	1740	wmic.exe
Token: 35	1740	wmic.exe
Token: 36	1740	wmic.exe
Token: SeBackupPrivilege	3948	vssvc.exe
Token: SeRestorePrivilege	3948	vssvc.exe
Token: SeAuditPrivilege	3948	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

iexplore.exe

pid process

3548 iexplore.exe
3548 iexplore.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe

pid process

1484 4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe

pid	process
3548	iexplore.exe
3548	iexplore.exe

pid	process
1484	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exeiexplore.exe

description	pid	process	target process
PID 1560 wrote to memory of 1484	1560	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
PID 1560 wrote to memory of 1484	1560	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
PID 1560 wrote to memory of 1484	1560	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
PID 1484 wrote to memory of 3548	1484	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe	iexplore.exe
PID 1484 wrote to memory of 3548	1484	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe	iexplore.exe
PID 3548 wrote to memory of 3308	3548	iexplore.exe	IEXPLORE.EXE
PID 3548 wrote to memory of 3308	3548	iexplore.exe	IEXPLORE.EXE
PID 3548 wrote to memory of 3308	3548	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 1740	1560	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe	wmic.exe
PID 1560 wrote to memory of 1740	1560	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe	wmic.exe
PID 1560 wrote to memory of 1740	1560	4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe
"C:\Users\Admin\AppData\Local\Temp\4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409f.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
C:\Users\Admin\AppData\Local\Temp\4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1484

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3548

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3548 CREDAT:82945 /prefetch:2
4⤵
PID:3308

C:\Windows\SysWOW64\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
MD5
53879f5fd7af722a70627f9e4b5adce5

SHA1
69de5fa9e86e2c7925a1a2b99fd8afca5f490297

SHA256
db2ac1b0d85aef160b4bdab57c3ebe3fb53eec7345ef703bc1a328f803ea3075

SHA512
d354a713c6912cec8df4203a69bc048a267ed3b357e1cb24aa96f6d910e1c96a946f8ea82524c0253f2395727efadc55c6672ebf0b0dac66dc4872d2161f55bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4aab275b3318ccc3432c065561a1911c7f7b9d3b5d7aa7ec1d8e5bffa6c7409fmgr.exe
MD5
53879f5fd7af722a70627f9e4b5adce5

SHA1
69de5fa9e86e2c7925a1a2b99fd8afca5f490297

SHA256
db2ac1b0d85aef160b4bdab57c3ebe3fb53eec7345ef703bc1a328f803ea3075

SHA512
d354a713c6912cec8df4203a69bc048a267ed3b357e1cb24aa96f6d910e1c96a946f8ea82524c0253f2395727efadc55c6672ebf0b0dac66dc4872d2161f55bc

Download Submit
memory/1484-121-0x0000000000410000-0x0000000000419000-memory.dmp

Filesize
36KB

Download
memory/1484-122-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1484-120-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1484-123-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1484-124-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1484-125-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads