Analysis
-
max time kernel
152s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
06-03-2022 02:41
Static task
static1
Behavioral task
behavioral1
Sample
ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe
Resource
win10v2004-en-20220112
General
-
Target
ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe
-
Size
1.2MB
-
MD5
87ab5f476d4351224d893e267cc30d3b
-
SHA1
22e1fefd40bde744c165d316db26e88b5f4e6e70
-
SHA256
ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab
-
SHA512
7eb4776b09d586364d88ab1992133d9a0788c2c6c2e3ea4993ed061f4d25db9c7a3755a8add4775273193b953ca79ada4167d4a3671abbf728a4d0a61dd4e183
Malware Config
Extracted
C:\README1.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README2.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README3.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README4.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README5.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README6.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README7.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README8.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README9.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README10.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
resource yara_rule behavioral2/memory/3532-131-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral2/memory/3532-132-0x0000000000400000-0x0000000000608000-memory.dmp upx -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\LargeTile.scale-100.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-32.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-actions.xml ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\googleImportNoResults.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-100_contrast-white.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_contrast-white.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ShareProvider_CopyFile24x24.scale-100.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Tracing.jpg ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosStoreLogo.contrast-black.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-150.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\169.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WideTile.scale-200_contrast-white.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\SmallTile.scale-100.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-125.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-colorize.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-40_altform-unplated.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\Pitchbook.potx ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-100_contrast-high.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppCore\Location\Shifter\Relicensing Statement.txt ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xea23.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Snooze.scale-80.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-125.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxManifest.xml ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-125.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-125.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-72_altform-fullcolor.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\IsoRight.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-48_contrast-black.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated_contrast-white.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-200.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_altform-unplated_contrast-black.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-150.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_done.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60_altform-colorize.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-200.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\SmallTile.scale-125.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-100_contrast-white.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1851_32x32x32.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-400.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreWideTile.scale-200.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-100.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-125.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-200.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_tr.json ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileSway32x32.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-150.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-150.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\deploy\[email protected] ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-48.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-unplated_contrast-white.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionWideTile.scale-200.png ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2876 2460 WerFault.exe 35 -
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 844 vssadmin.exe 3916 vssadmin.exe 3436 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2268 vssvc.exe Token: SeRestorePrivilege 2268 vssvc.exe Token: SeAuditPrivilege 2268 vssvc.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3532 wrote to memory of 844 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 67 PID 3532 wrote to memory of 844 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 67 PID 3532 wrote to memory of 3916 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 71 PID 3532 wrote to memory of 3916 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 71 PID 3532 wrote to memory of 3436 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 73 PID 3532 wrote to memory of 3436 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 73 PID 3532 wrote to memory of 2604 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 75 PID 3532 wrote to memory of 2604 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 75 PID 3532 wrote to memory of 2604 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 75 PID 2604 wrote to memory of 1412 2604 cmd.exe 77 PID 2604 wrote to memory of 1412 2604 cmd.exe 77 PID 2604 wrote to memory of 1412 2604 cmd.exe 77 PID 3532 wrote to memory of 772 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 78 PID 3532 wrote to memory of 772 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 78 PID 3532 wrote to memory of 772 3532 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe 78 PID 772 wrote to memory of 3920 772 cmd.exe 80 PID 772 wrote to memory of 3920 772 cmd.exe 80 PID 772 wrote to memory of 3920 772 cmd.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe"C:\Users\Admin\AppData\Local\Temp\ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:844
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:3916
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:3436
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\chcp.comchcp3⤵PID:1412
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\chcp.comchcp3⤵PID:3920
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 416 -p 2460 -ip 24601⤵PID:1688
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2460 -s 35241⤵
- Program crash
PID:2876