Malware Analysis Report

2024-10-16 03:28

Sample ID 220315-1tr8bagca5
Target 2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe
SHA256 2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0
Tags
darkside ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0

Threat Level: Known bad

The file 2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe was found to be: Known bad.

Malicious Activity Summary

darkside ransomware

DarkSide

Modifies extensions of user files

Drops file in System32 directory

Sets desktop wallpaper using registry

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Control Panel

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-15 21:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-15 21:56

Reported

2022-03-15 21:59

Platform

win7-20220311-en

Max time kernel

4294085s

Max time network

29s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe

"C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe"

C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe

"C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe"

C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe

"C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe"

Network

N/A

Files

memory/520-54-0x0000000075841000-0x0000000075843000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-15 21:56

Reported

2022-03-15 21:59

Platform

win10v2004-en-20220113

Max time kernel

83s

Max time network

88s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ApproveUnblock.crw => C:\Users\Admin\Pictures\ApproveUnblock.crw.f6cf1b4f C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File renamed C:\Users\Admin\Pictures\CompleteApprove.tif => C:\Users\Admin\Pictures\CompleteApprove.tif.f6cf1b4f C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File renamed C:\Users\Admin\Pictures\FindInstall.tif => C:\Users\Admin\Pictures\FindInstall.tif.f6cf1b4f C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Users\Admin\Pictures\FindInstall.tif.f6cf1b4f C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File renamed C:\Users\Admin\Pictures\StepSkip.png => C:\Users\Admin\Pictures\StepSkip.png.f6cf1b4f C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File renamed C:\Users\Admin\Pictures\UndoTrace.png => C:\Users\Admin\Pictures\UndoTrace.png.f6cf1b4f C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Users\Admin\Pictures\ApproveUnblock.crw.f6cf1b4f C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Users\Admin\Pictures\CompleteApprove.tif.f6cf1b4f C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Users\Admin\Pictures\StepSkip.png.f6cf1b4f C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Users\Admin\Pictures\UndoTrace.png.f6cf1b4f C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\prTwKQEGjdn5[1].htm C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\btluxR8iiA[1].htm C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9F909B7BD589CDDA5B1BBEF5FBC3017E C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9B83F31C534BECB745A153E1FF527379 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9F909B7BD589CDDA5B1BBEF5FBC3017E C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9B83F31C534BECB745A153E1FF527379 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f6cf1b4f.BMP" C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 2e9828007ef735fe063e8e9adc19ea409c9416453398838e85b4a2e8713915a1 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1" C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d002e0062006c00660000000000 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f6cf1b4f.BMP" C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 41faaa7e1bca993b8e3ab9c0243289062d9f5cdae31a00b514a510ceb79f3121 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 819e5f80964b2c3de2c5dea51c9f7891656b6214ae397a59797b51ce965f1333 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\International C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 4df18028130890a80afc380ba40d114d6f22f5b1af418cc3537c12cf8e70c60d C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 8c110000f0d0afd0b738d801 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = e00ec958707bf32df6950cd7e3606cbb52ffce9766b3fd12071b342bcd31317a C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 2264f2b6150a342f7843333406dddee118dc3a5aa76bef79de6ed1dbd42d7c0e C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = a119f58838a8d587b779ebd2fab5a3478f7b256115c8990fbc01be5e357e739d C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = f248c441d0e75f4e22efab1a01f43de112b5f57bac6ad7ac560ca626ccb90e97 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 41228c75d22988299afdb5cb93742d3782c9a900dcf5755794f7f948790539b9 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 64639d3d13351f73140c1dea878d68e8b58589bcf1c0632b5ba5a6754fd3f5be C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.f6cf1b4f C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.f6cf1b4f\ = "f6cf1b4f" C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f6cf1b4f\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f6cf1b4f C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f6cf1b4f\DefaultIcon\ = "C:\\ProgramData\\f6cf1b4f.ico" C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4088 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe
PID 4088 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe
PID 4088 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe
PID 4708 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe
PID 4708 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe
PID 4708 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe

"C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe"

C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe

"C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe"

C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe

"C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe

C:\Users\Admin\AppData\Local\Temp\2d82be244e23001148ed5a6d83856b6f7cd20c3f7786481303d5d584c51ff5f0.exe -work worker0 job0-4708

Network

Country Destination Domain Proto
US 72.21.81.240:80 tcp
US 72.21.81.240:80 tcp
US 8.8.8.8:53 baroquetees.com udp
US 103.224.182.242:443 baroquetees.com tcp
US 8.8.8.8:53 api.msn.com udp
US 204.79.197.203:443 api.msn.com tcp
US 103.224.182.242:443 baroquetees.com tcp
US 8.8.8.8:53 ww17.baroquetees.com udp
US 199.191.50.190:80 ww17.baroquetees.com tcp
US 8.8.8.8:53 rumahsia.com udp
NL 185.107.56.199:443 rumahsia.com tcp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.200:80 survey-smiles.com tcp
US 103.224.182.242:443 baroquetees.com tcp
NL 185.107.56.199:443 rumahsia.com tcp
US 199.59.243.200:80 survey-smiles.com tcp

Files

N/A