Analysis
max time kernel: 4294203s
max time network: 153s
platform: windows7_x64
resource: win7-20220223-en
submitted: 06-03-2022 02:41
Static task: static1
Behavioral task: behavioral1
  Sample: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe
  Resource: win10v2004-en-20220112
General
Target: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe
Size: 1.2MB
MD5: 87ab5f476d4351224d893e267cc30d3b
SHA1: 22e1fefd40bde744c165d316db26e88b5f4e6e70
SHA256: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab
SHA512: 7eb4776b09d586364d88ab1992133d9a0788c2c6c2e3ea4993ed061f4d25db9c7a3755a8add4775273193b953ca79ada4167d4a3671abbf728a4d0a61dd4e183
Malware Config
Extracted
C:\README1.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README2.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README3.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README4.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README5.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README6.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README7.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README8.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README9.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README10.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
  File opened for modification: C:\Users\Admin\Pictures\MergeRename.tiff (process: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe)

resource / yara_rule:
  behavioral1/memory/1924-56-0x0000000000400000-0x0000000000608000-memory.dmp / upx
  behavioral1/memory/1924-57-0x0000000000400000-0x0000000000608000-memory.dmp / upx
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" (process: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (process: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" (process: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ (process: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 13: whatismyipaddress.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\C6CE7469C6CE7469.bmp" (process: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe)

Drops file in Program Files directory (64 IoCs)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid 1508 (WerFault.exe), pid_target 1244, procid_target 12

Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 2036: vssadmin.exe
  pid 784: vssadmin.exe
  pid 608: vssadmin.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1924: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe
  pid 1924: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeBackupPrivilege, pid 1616 (vssvc.exe)
  Token: SeRestorePrivilege, pid 1616 (vssvc.exe)
  Token: SeAuditPrivilege, pid 1616 (vssvc.exe)

Suspicious use of UnmapMainImage (1 IoC)
  pid 1924: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe

Suspicious use of WriteProcessMemory (28 IoCs)

Processes
C:\Users\Admin\AppData\Local\Temp\ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe"
    PID: 1924
    - Modifies extensions of user files
    - Adds Run key to start application
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
        command line: C:\Windows\system32\vssadmin.exe List Shadows
        PID: 2036
        - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe
        command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
        PID: 784
        - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe
        command line: C:\Windows\system32\vssadmin.exe List Shadows
        PID: 608
        - Interacts with shadow copies
    C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe
        PID: 1752
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\chcp.com
            command line: chcp
            PID: 1588
    C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe
        PID: 232
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\chcp.com
            command line: chcp
            PID: 1036
C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    PID: 1616
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 1244 -s 3108
    PID: 1508
    - Program crash