Analysis
- max time kernel: 129s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 10/02/2022, 19:36
Static task: static1

Behavioral task: behavioral1
- Sample: 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
- Resource: win10v2004-en-20220112
General
- Target: 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
- Size: 127KB
- MD5: c731cbf04c68430f31ff0ab1b0b1f054
- SHA1: f3c14e25584475f01f417e3ec45474aa8de4400d
- SHA256: 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e
- SHA512: 1f188fa26c4554f4c3fdb73ea7c105b76a354f6444f4977eee5fc0b31df9b880118e912bb86bdf93874c55b081713ae51b32115ab600bdeda0ec62e61f3b7b61
Malware Config
- Extracted: C:\Users\Admin\RECOVERY INFORMATION.txt
Signatures

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid | Process
  1984 | bcdedit.exe
  1148 | bcdedit.exe

- Modifies extensions of user files (16 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File renamed | C:\Users\Admin\Pictures\BackupResolve.png => C:\Users\Admin\Pictures\BackupResolve.png.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File renamed | C:\Users\Admin\Pictures\StopSet.tiff => C:\Users\Admin\Pictures\StopSet.tiff.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Users\Admin\Pictures\PushRemove.tiff | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Users\Admin\Pictures\CompleteRestart.tiff | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File renamed | C:\Users\Admin\Pictures\WatchSet.tiff => C:\Users\Admin\Pictures\WatchSet.tiff.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File renamed | C:\Users\Admin\Pictures\CompleteRestart.tiff => C:\Users\Admin\Pictures\CompleteRestart.tiff.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File renamed | C:\Users\Admin\Pictures\UnlockCheckpoint.tiff => C:\Users\Admin\Pictures\UnlockCheckpoint.tiff.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Users\Admin\Pictures\ResolveExit.tiff | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Users\Admin\Pictures\StopSet.tiff | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File renamed | C:\Users\Admin\Pictures\MeasureStep.raw => C:\Users\Admin\Pictures\MeasureStep.raw.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File renamed | C:\Users\Admin\Pictures\ResolveExit.tiff => C:\Users\Admin\Pictures\ResolveExit.tiff.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File renamed | C:\Users\Admin\Pictures\PushRemove.tiff => C:\Users\Admin\Pictures\PushRemove.tiff.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File renamed | C:\Users\Admin\Pictures\InstallConvertTo.raw => C:\Users\Admin\Pictures\InstallConvertTo.raw.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Users\Admin\Pictures\UnlockCheckpoint.tiff | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File renamed | C:\Users\Admin\Pictures\JoinDeny.crw => C:\Users\Admin\Pictures\JoinDeny.crw.mallox | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Users\Admin\Pictures\WatchSet.tiff | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe

- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\M: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\O: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\R: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\S: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\T: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\W: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\I: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\J: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\Z: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\K: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\Q: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\X: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\Y: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\A: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\H: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\G: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\L: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\U: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\E: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\F: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\P: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\V: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\B: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened (read-only) | \??\N: | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe

- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\RECOVERY INFORMATION.txt | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212957.WMF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\management-agent.jar | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\flavormap.properties | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21311_.GIF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABMASK.BMP | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\jsse.jar | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\RECOVERY INFORMATION.txt | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149481.WMF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS.XML | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\psfont.properties.ja | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01761_.WMF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\RECOVERY INFORMATION.txt | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185818.WMF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR20F.GIF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152894.WMF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\RECOVERY INFORMATION.txt | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\RECOVERY INFORMATION.txt | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPRNG_01.MID | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBCOLOR.SCM | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04108_.WMF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-annotations-common.jar | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-options.jar | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Monaco | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURE.CFG | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Assets.accdt | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01394_.WMF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Godthab | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15136_.GIF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\cmm\GRAY.pf | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeFax.Dotx | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01152_.WMF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00578_.WMF | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME29.CSS | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  848 | vssadmin.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeTakeOwnershipPrivilege | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  Token: SeDebugPrivilege | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  Token: SeBackupPrivilege | 1944 | vssvc.exe
  Token: SeRestorePrivilege | 1944 | vssvc.exe
  Token: SeAuditPrivilege | 1944 | vssvc.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 1620 wrote to memory of 848 | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 27
  PID 1620 wrote to memory of 848 | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 27
  PID 1620 wrote to memory of 848 | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 27
  PID 1620 wrote to memory of 848 | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 27
  PID 1620 wrote to memory of 1084 | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 28
  PID 1620 wrote to memory of 1084 | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 28
  PID 1620 wrote to memory of 1084 | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 28
  PID 1620 wrote to memory of 1084 | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 28
  PID 1620 wrote to memory of 1068 | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 29
  PID 1620 wrote to memory of 1068 | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 29
  PID 1620 wrote to memory of 1068 | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 29
  PID 1620 wrote to memory of 1068 | 1620 | 98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe | 29
  PID 1068 wrote to memory of 1148 | 1068 | cmd.exe | 34
  PID 1068 wrote to memory of 1148 | 1068 | cmd.exe | 34
  PID 1068 wrote to memory of 1148 | 1068 | cmd.exe | 34
  PID 1084 wrote to memory of 1984 | 1084 | cmd.exe | 33
  PID 1084 wrote to memory of 1984 | 1084 | cmd.exe | 33
  PID 1084 wrote to memory of 1984 | 1084 | cmd.exe | 33
Processes

- C:\Users\Admin\AppData\Local\Temp\98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e.exe"
  PID: 1620
  Signatures: Modifies extensions of user files; Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Windows\system32\vssadmin.exe
      Command line: "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      PID: 848
      Signatures: Interacts with shadow copies
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      PID: 1084
      Signatures: Suspicious use of WriteProcessMemory
      Child processes:
        - C:\Windows\system32\bcdedit.exe
          Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
          PID: 1984
          Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      PID: 1068
      Signatures: Suspicious use of WriteProcessMemory
      Child processes:
        - C:\Windows\system32\bcdedit.exe
          Command line: bcdedit /set {current} recoveryenabled no
          PID: 1148
          Signatures: Modifies boot configuration data using bcdedit

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1944
  Signatures: Suspicious use of AdjustPrivilegeToken