Analysis Overview
SHA256
2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0
Threat Level: Known bad
The file 2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe was found to be: Known bad.
Malicious Activity Summary
DarkSide
Modifies extensions of user files
Drops file in System32 directory
Sets desktop wallpaper using registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Control Panel
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-15 21:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-15 21:56
Reported
2022-03-15 21:59
Platform
win7-20220311-en
Max time kernel
4294085s (implausible for a run that was reported three minutes after submission; treat this value as a reporting artifact, not as observed runtime)
Max time network
29s
Command Line
Signatures
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | "C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe" |
| C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | "C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe" |
| C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | "C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe" |
Network
Files
memory/520-54-0x0000000075841000-0x0000000075843000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-15 21:56
Reported
2022-03-15 21:59
Platform
win10v2004-en-20220113
Max time kernel
83s
Max time network
88s
Command Line
Signatures
DarkSide
Modifies extensions of user files
Drops file in System32 directory
The paths below are the CryptoAPI URL cache (CryptnetUrlCache) and the WinINet cache of the system profile. crypt32 and wininet write them on the process's behalf during certificate revocation checks and HTTP requests, so they are side effects of the activity listed under Network rather than payload drops; do not collect them as malware artifacts.
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\prTwKQEGjdn5[1].htm | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\btluxR8iiA[1].htm | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9F909B7BD589CDDA5B1BBEF5FBC3017E | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9B83F31C534BECB745A153E1FF527379 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9F909B7BD589CDDA5B1BBEF5FBC3017E | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9B83F31C534BECB745A153E1FF527379 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f6cf1b4f.BMP" | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 2e9828007ef735fe063e8e9adc19ea409c9416453398838e85b4a2e8713915a1 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1" | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d002e0062006c00660000000000 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f6cf1b4f.BMP" | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 41faaa7e1bca993b8e3ab9c0243289062d9f5cdae31a00b514a510ceb79f3121 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 819e5f80964b2c3de2c5dea51c9f7891656b6214ae397a59797b51ce965f1333 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 4df18028130890a80afc380ba40d114d6f22f5b1af418cc3537c12cf8e70c60d | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 8c110000f0d0afd0b738d801 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = e00ec958707bf32df6950cd7e3606cbb52ffce9766b3fd12071b342bcd31317a | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 2264f2b6150a342f7843333406dddee118dc3a5aa76bef79de6ed1dbd42d7c0e | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = a119f58838a8d587b779ebd2fab5a3478f7b256115c8990fbc01be5e357e739d | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = f248c441d0e75f4e22efab1a01f43de112b5f57bac6ad7ac560ca626ccb90e97 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 41228c75d22988299afdb5cb93742d3782c9a900dcf5755794f7f948790539b9 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 64639d3d13351f73140c1dea878d68e8b58589bcf1c0632b5ba5a6754fd3f5be | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
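The RegFiles0000 values in the table above are NUL-terminated UTF-16LE paths stored as REG_BINARY, and Owner is a DWORD PID followed by a FILETIME. The following is an added example, not part of the sandbox report: the hex blobs are copied from the rows above, while the decoding logic and the function names are ours.

```python
"""Decode the Restart Manager session values recorded above
(HKU\\.DEFAULT\\Software\\Microsoft\\RestartManager\\Session0000).

Added example, not part of the sandbox report: the hex blobs are copied from
the report rows; the decoding and the function names are ours.
"""
import struct
from datetime import datetime, timedelta, timezone

# Constructed input: the distinct RegFiles0000 payloads from the report, in
# the order the rows appear.
REGFILES_HEX = [
    "5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000",
    "5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000",
    "5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000",
    "5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d002e0062006c00660000000000",
    "5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000",
]
OWNER_HEX = "8c110000f0d0afd0b738d801"  # Session0000\Owner, also from the report


def decode_regfile(hex_blob: str) -> str:
    """RegFilesNNNN holds one NUL-terminated UTF-16LE path (REG_BINARY)."""
    if len(hex_blob) % 2:          # defensive: a truncated copy of the blob
        hex_blob = hex_blob[:-1]
    raw = bytes.fromhex(hex_blob)
    if len(raw) % 2:               # UTF-16 needs whole code units
        raw = raw[:-1]
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def decode_owner(hex_blob: str) -> tuple:
    """Owner is a little-endian DWORD PID followed by a FILETIME (UTC, 100 ns ticks)."""
    pid, filetime = struct.unpack("<IQ", bytes.fromhex(hex_blob))
    started = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return pid, started


def registered_files(blobs) -> list:
    """Unique decoded paths in first-seen order."""
    out = []
    for blob in blobs:
        path = decode_regfile(blob)
        if path not in out:
            out.append(path)
    return out


if __name__ == "__main__":
    pid, started = decode_owner(OWNER_HEX)
    print(f"Restart Manager session owner PID {pid}, created {started:%Y-%m-%d %H:%M:%S} UTC")
    for path in registered_files(REGFILES_HEX):
        print("registered:", path)
```

Decoded, the registered resources are the Admin user's registry hive and its transaction logs (NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer…regtrans-ms, NTUSER.DAT{…}.TM.blf, ntuser.dat.LOG1 and ntuser.dat.LOG2), and Owner decodes to PID 4492 with a timestamp inside the detonation window. These keys record what the process registered with a Restart Manager session; they do not by themselves show which user documents were encrypted.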
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.f6cf1b4f | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.f6cf1b4f\ = "f6cf1b4f" | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f6cf1b4f\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f6cf1b4f | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\f6cf1b4f\DefaultIcon\ = "C:\\ProgramData\\f6cf1b4f.ico" | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | N/A |
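The class registration above, together with the wallpaper rows earlier in this section, uses one token (f6cf1b4f) for the new file extension, its ProgID, the DefaultIcon path and the wallpaper path. Below is an added example (ours, not the sandbox's code) that pulls that token out of the report rows and turns it into hunt material; the rows are copied from this report with the process column shortened to "sample.exe", and the function names are ours.

```python
"""Correlate the victim-specific extension with its icon and wallpaper.

Added example, not part of the sandbox report. REPORT_ROWS is copied from the
registry tables above (process column shortened); the parsing is ours.
"""
import ntpath
import re

REPORT_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.f6cf1b4f | sample.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.f6cf1b4f\ = "f6cf1b4f" | sample.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f6cf1b4f\DefaultIcon | sample.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f6cf1b4f | sample.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\f6cf1b4f\DefaultIcon\ = "C:\\ProgramData\\f6cf1b4f.ico" | sample.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f6cf1b4f.BMP" | sample.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\WallpaperStyle = "10" | sample.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f6cf1b4f.BMP" | sample.exe | N/A |
"""

# Classes\.<ext> default value names the ProgID; Classes\<progid>\DefaultIcon names the icon.
EXT_PROGID = re.compile(r'\\Classes\\\.(?P<ext>[^\\ |]+)\\ = "(?P<progid>[^"]+)"')
DEFAULT_ICON = re.compile(r'\\Classes\\(?P<progid>[^\\ |]+)\\DefaultIcon\\ = "(?P<path>[^"]+)"')
# Case-insensitive: the report writes both "WallPaper" and "Wallpaper"; the
# trailing ' = "' keeps WallpaperStyle from matching.
WALLPAPER = re.compile(r'Control Panel\\Desktop\\Wallpaper = "(?P<path>[^"]+)"', re.IGNORECASE)


def unescape(path: str) -> str:
    """The report doubles backslashes inside quoted values."""
    return path.replace("\\\\", "\\")


def stem(path: str) -> str:
    """Lower-cased file name without its extension, parsed as a Windows path."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def extract_artifacts(rows: str) -> list:
    """One finding per registered extension, with the artifacts sharing its token."""
    ext_to_progid, icons, wallpapers = {}, {}, set()
    for line in rows.splitlines():
        if m := EXT_PROGID.search(line):
            ext_to_progid[m["ext"]] = m["progid"]
        if m := DEFAULT_ICON.search(line):
            icons[m["progid"]] = unescape(m["path"])
        if m := WALLPAPER.search(line):
            wallpapers.add(unescape(m["path"]))
    findings = []
    for ext, progid in ext_to_progid.items():
        icon = icons.get(progid)
        paper = next((w for w in wallpapers if stem(w) == ext.lower()), None)
        findings.append({
            "extension": ext,
            "progid": progid,
            "icon": icon,
            "wallpaper": paper,
            # Extension, icon and wallpaper all carrying the same token is the
            # per-victim naming pattern seen in this report; require all three.
            "correlated": bool(icon and stem(icon) == ext.lower() and paper),
            "encrypted_file_glob": f"*.{ext}",
        })
    return findings


def encrypted_files(names, ext: str) -> list:
    """Filter a directory listing down to files carrying the ransomware extension."""
    suffix = "." + ext.lower()
    return [n for n in names if n.lower().endswith(suffix)]


if __name__ == "__main__":
    for finding in extract_artifacts(REPORT_ROWS):
        print(finding)
    # Constructed listing, not from the report.
    print(encrypted_files(["q3.xlsx.f6cf1b4f", "readme.txt", "notes.docx.F6CF1B4F"], "f6cf1b4f"))
```

On a live host the same three lookups (HKLM\SOFTWARE\Classes\.<token>, its DefaultIcon, and HKCU\Control Panel\Desktop\Wallpaper) recover the extension even when the ransom note is gone, and the glob is what to feed a file-system sweep to scope the encryption.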
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
The token adjustments below belong to vssvc.exe, the Volume Shadow Copy service, which enables these privileges whenever it services a VSS request. They show that the sample engaged VSS (consistent with the vssvc.exe entries under Processes); the report records no vssadmin or wmic command line, so shadow-copy deletion is not established by this page alone.
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | "C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe" |
| C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | "C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe" |
| C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | "C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe" |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe | C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe -work worker0 job0-4708 |
Network
| Country | Destination | Domain | Proto |
| US | 72.21.81.240:80 | | tcp |
| US | 72.21.81.240:80 | | tcp |
| US | 8.8.8.8:53 | baroquetees.com | udp |
| US | 103.224.182.242:443 | baroquetees.com | tcp |
| US | 8.8.8.8:53 | api.msn.com | udp |
| US | 204.79.197.203:443 | api.msn.com | tcp |
| US | 103.224.182.242:443 | baroquetees.com | tcp |
| US | 8.8.8.8:53 | ww17.baroquetees.com | udp |
| US | 199.191.50.190:80 | ww17.baroquetees.com | tcp |
| US | 8.8.8.8:53 | rumahsia.com | udp |
| NL | 185.107.56.199:443 | rumahsia.com | tcp |
| US | 8.8.8.8:53 | survey-smiles.com | udp |
| US | 199.59.243.200:80 | survey-smiles.com | tcp |
| US | 103.224.182.242:443 | baroquetees.com | tcp |
| NL | 185.107.56.199:443 | rumahsia.com | tcp |
| US | 199.59.243.200:80 | survey-smiles.com | tcp |
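The Network table lists DNS lookups and TCP connections as separate rows. The following added example (ours, not the sandbox's) joins them so that each contacted address is shown with the names that resolved to it and connections with no preceding lookup are surfaced; the rows are copied from the table above as constructed input, and the function names are ours.

```python
"""Join DNS answers to TCP connections from the behavioral2 network table.

Added example, not part of the sandbox report: NETWORK_ROWS is copied from
the table above; the parsing and the summary are ours.
"""
from collections import defaultdict

NETWORK_ROWS = """\
| US | 72.21.81.240:80 | | tcp |
| US | 72.21.81.240:80 | | tcp |
| US | 8.8.8.8:53 | baroquetees.com | udp |
| US | 103.224.182.242:443 | baroquetees.com | tcp |
| US | 8.8.8.8:53 | api.msn.com | udp |
| US | 204.79.197.203:443 | api.msn.com | tcp |
| US | 103.224.182.242:443 | baroquetees.com | tcp |
| US | 8.8.8.8:53 | ww17.baroquetees.com | udp |
| US | 199.191.50.190:80 | ww17.baroquetees.com | tcp |
| US | 8.8.8.8:53 | rumahsia.com | udp |
| NL | 185.107.56.199:443 | rumahsia.com | tcp |
| US | 8.8.8.8:53 | survey-smiles.com | udp |
| US | 199.59.243.200:80 | survey-smiles.com | tcp |
| US | 103.224.182.242:443 | baroquetees.com | tcp |
| NL | 185.107.56.199:443 | rumahsia.com | tcp |
| US | 199.59.243.200:80 | survey-smiles.com | tcp |
"""


def parse_rows(text: str) -> list:
    """Turn '| Country | ip:port | domain | proto |' rows into dicts."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows: list) -> dict:
    """Per-IP contact summary plus the two things worth a second look:
    TCP peers with no resolved name, and names resolved but never contacted."""
    looked_up = {r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53}
    contacts = defaultdict(lambda: {"country": None, "ports": set(), "domains": set(), "count": 0})
    for r in rows:
        if r["proto"] != "tcp":
            continue
        c = contacts[r["ip"]]
        c["country"] = r["country"]
        c["ports"].add(r["port"])
        c["count"] += 1
        if r["domain"]:
            c["domains"].add(r["domain"])
    contacted_names = {d for c in contacts.values() for d in c["domains"]}
    return {
        "contacts": dict(contacts),
        "direct_ip": sorted(ip for ip, c in contacts.items() if not c["domains"]),
        "dns_only": sorted(looked_up - contacted_names),
    }


if __name__ == "__main__":
    summary = summarize(parse_rows(NETWORK_ROWS))
    for ip, c in summary["contacts"].items():
        print(f"{ip:17} {c['country']} ports={sorted(c['ports'])} x{c['count']} {sorted(c['domains'])}")
    print("no DNS lookup seen:", summary["direct_ip"])
    print("resolved, never contacted:", summary["dns_only"])
```

On these rows 72.21.81.240:80 is reached twice with no lookup in the capture (the name may have been resolved before capture started, or the address is hard-coded), every other peer maps to exactly one resolved name, and nothing was resolved without being contacted. The table does not record which process produced each connection, so attribute a domain to the sample only with process-level evidence.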