Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
09-05-2022 10:14
Static task
static1
Behavioral task
behavioral1
Sample
f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe
Resource
win10v2004-20220414-en
General
-
Target
f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe
-
Size
264KB
-
MD5
27b9b35abc164a0069db22730527cffa
-
SHA1
fba9d7ee4a5022723ec4514eb8505a1acd7a68e9
-
SHA256
f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92
-
SHA512
f041ad173be500b6ab8a06177c7fc97e193fa8acc167510f11a183f05f8559b7595c73e7e079e7820efa744f8aa06d0a5fe30b776b2c8b28724260714761ee66
Malware Config
Extracted
smokeloader
2020
http://hanfinvest.at/upload/
http://phunilbeauty.com/upload/
http://spbdg.ru/upload/
http://tnt-az.com/upload/
http://casagenaro.com/upload/
http://girneotel.com/upload/
http://zennclinic.com/upload/
http://mordo.ru/forum/
http://piratia-life.ru/upload/
http://pkodev.net/upload/
http://monsutiur4.com/
http://nusurionuy5ff.at/
http://moroitomo4.net/
http://susuerulianita1.net/
http://cucumbetuturel4.com/
http://nunuslushau.com/
http://linislominyt11.at/
http://luxulixionus.net/
http://lilisjjoer44.com/
http://nikogminut88.at/
http://limo00ruling.org/
http://mini55tunul.com/
http://samnutu11nuli.com/
http://nikogkojam.org/
https://ny-city-mall.com/search.php
https://fresh-cars.net/search.php
Extracted
djvu
http://ugll.org/lancer/get.php
-
extension
.egfg
-
offline_id
QcVY9rkapJoL3nQkZAsvfTFVYLmscrM1v1QxGWt1
-
payload_url
http://zerit.top/dl/build2.exe
http://ugll.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6Ti2DxXR3I Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@time2mail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0474JIjdm
Extracted
vidar
52
1333
https://t.me/hollandracing
https://busshi.moe/@ronxik321
-
profile_id
1333
Signatures
-
Detected Djvu ransomware 5 IoCs
Processes:
resource yara_rule behavioral1/memory/3928-171-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/3928-173-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4880-176-0x0000000002250000-0x000000000236B000-memory.dmp family_djvu behavioral1/memory/3928-175-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/3928-178-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2656-180-0x0000000000400000-0x00000000004FB000-memory.dmp family_vidar behavioral1/memory/2656-179-0x0000000000870000-0x00000000008BD000-memory.dmp family_vidar -
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes:
B1BC.exeE782.exe84EC.exe8E25.exe95B7.exe84EC.exepid process 2748 B1BC.exe 3136 E782.exe 4880 84EC.exe 2656 8E25.exe 2340 95B7.exe 3928 84EC.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
84EC.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9a0812e1-e4f2-437a-b877-8e6ff25cd448\\84EC.exe\" --AutoStart" 84EC.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 289 api.2ip.ua 291 api.2ip.ua -
Suspicious use of SetThreadContext 1 IoCs
Processes:
84EC.exedescription pid process target process PID 4880 set thread context of 3928 4880 84EC.exe 84EC.exe -
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
E782.exeB1BC.exef5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI E782.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI E782.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI B1BC.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI B1BC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI E782.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI B1BC.exe -
Modifies registry class 3 IoCs
Processes:
description ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ -
Processes:
84EC.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 84EC.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 84EC.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exepid process 4944 f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe 4944 f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 3148 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 3148 -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exeB1BC.exeE782.exepid process 4944 f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe 2748 B1BC.exe 3136 E782.exe 3148 3148 3148 3148 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
WMIC.exeWMIC.exedescription pid process Token: SeShutdownPrivilege 3148 Token: SeCreatePagefilePrivilege 3148 Token: SeShutdownPrivilege 3148 Token: SeCreatePagefilePrivilege 3148 Token: SeShutdownPrivilege 3148 Token: SeCreatePagefilePrivilege 3148 Token: SeIncreaseQuotaPrivilege 1820 WMIC.exe Token: SeSecurityPrivilege 1820 WMIC.exe Token: SeTakeOwnershipPrivilege 1820 WMIC.exe Token: SeLoadDriverPrivilege 1820 WMIC.exe Token: SeSystemProfilePrivilege 1820 WMIC.exe Token: SeSystemtimePrivilege 1820 WMIC.exe Token: SeProfSingleProcessPrivilege 1820 WMIC.exe Token: SeIncBasePriorityPrivilege 1820 WMIC.exe Token: SeCreatePagefilePrivilege 1820 WMIC.exe Token: SeBackupPrivilege 1820 WMIC.exe Token: SeRestorePrivilege 1820 WMIC.exe Token: SeShutdownPrivilege 1820 WMIC.exe Token: SeDebugPrivilege 1820 WMIC.exe Token: SeSystemEnvironmentPrivilege 1820 WMIC.exe Token: SeRemoteShutdownPrivilege 1820 WMIC.exe Token: SeUndockPrivilege 1820 WMIC.exe Token: SeManageVolumePrivilege 1820 WMIC.exe Token: 33 1820 WMIC.exe Token: 34 1820 WMIC.exe Token: 35 1820 WMIC.exe Token: 36 1820 WMIC.exe Token: SeIncreaseQuotaPrivilege 1820 WMIC.exe Token: SeSecurityPrivilege 1820 WMIC.exe Token: SeTakeOwnershipPrivilege 1820 WMIC.exe Token: SeLoadDriverPrivilege 1820 WMIC.exe Token: SeSystemProfilePrivilege 1820 WMIC.exe Token: SeSystemtimePrivilege 1820 WMIC.exe Token: SeProfSingleProcessPrivilege 1820 WMIC.exe Token: SeIncBasePriorityPrivilege 1820 WMIC.exe Token: SeCreatePagefilePrivilege 1820 WMIC.exe Token: SeBackupPrivilege 1820 WMIC.exe Token: SeRestorePrivilege 1820 WMIC.exe Token: SeShutdownPrivilege 1820 WMIC.exe Token: SeDebugPrivilege 1820 WMIC.exe Token: SeSystemEnvironmentPrivilege 1820 WMIC.exe Token: SeRemoteShutdownPrivilege 1820 WMIC.exe Token: SeUndockPrivilege 1820 WMIC.exe Token: SeManageVolumePrivilege 1820 WMIC.exe Token: 33 1820 WMIC.exe Token: 34 1820 WMIC.exe Token: 35 1820 WMIC.exe Token: 36 1820 WMIC.exe Token: SeIncreaseQuotaPrivilege 3916 WMIC.exe Token: SeSecurityPrivilege 3916 WMIC.exe Token: SeTakeOwnershipPrivilege 3916 WMIC.exe Token: SeLoadDriverPrivilege 3916 WMIC.exe Token: SeSystemProfilePrivilege 3916 WMIC.exe Token: SeSystemtimePrivilege 3916 WMIC.exe Token: SeProfSingleProcessPrivilege 3916 WMIC.exe Token: SeIncBasePriorityPrivilege 3916 WMIC.exe Token: SeCreatePagefilePrivilege 3916 WMIC.exe Token: SeBackupPrivilege 3916 WMIC.exe Token: SeRestorePrivilege 3916 WMIC.exe Token: SeShutdownPrivilege 3916 WMIC.exe Token: SeDebugPrivilege 3916 WMIC.exe Token: SeSystemEnvironmentPrivilege 3916 WMIC.exe Token: SeRemoteShutdownPrivilege 3916 WMIC.exe Token: SeUndockPrivilege 3916 WMIC.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid process 3148 3148 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exe84EC.exe84EC.exedescription pid process target process PID 3148 wrote to memory of 2748 3148 B1BC.exe PID 3148 wrote to memory of 2748 3148 B1BC.exe PID 3148 wrote to memory of 2748 3148 B1BC.exe PID 3148 wrote to memory of 3136 3148 E782.exe PID 3148 wrote to memory of 3136 3148 E782.exe PID 3148 wrote to memory of 3136 3148 E782.exe PID 3148 wrote to memory of 3232 3148 cmd.exe PID 3148 wrote to memory of 3232 3148 cmd.exe PID 3232 wrote to memory of 1820 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 1820 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 3916 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 3916 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 4732 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 4732 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 4900 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 4900 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 600 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 600 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 4796 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 4796 3232 cmd.exe WMIC.exe PID 3148 wrote to memory of 4880 3148 84EC.exe PID 3148 wrote to memory of 4880 3148 84EC.exe PID 3148 wrote to memory of 4880 3148 84EC.exe PID 3232 wrote to memory of 4784 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 4784 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 444 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 444 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 5060 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 5060 3232 cmd.exe WMIC.exe PID 3148 wrote to memory of 2656 3148 8E25.exe PID 3148 wrote to memory of 2656 3148 8E25.exe PID 3148 wrote to memory of 2656 3148 8E25.exe PID 3232 wrote to memory of 4412 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 4412 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 3608 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 3608 3232 cmd.exe WMIC.exe PID 3148 wrote to memory of 2340 3148 95B7.exe PID 3148 wrote to memory of 2340 3148 95B7.exe PID 3148 wrote to memory of 2340 3148 95B7.exe PID 4880 wrote to memory of 3928 4880 84EC.exe 84EC.exe PID 4880 wrote to memory of 3928 4880 84EC.exe 84EC.exe PID 4880 wrote to memory of 3928 4880 84EC.exe 84EC.exe PID 4880 wrote to memory of 3928 4880 84EC.exe 84EC.exe PID 4880 wrote to memory of 3928 4880 84EC.exe 84EC.exe PID 4880 wrote to memory of 3928 4880 84EC.exe 84EC.exe PID 4880 wrote to memory of 3928 4880 84EC.exe 84EC.exe PID 4880 wrote to memory of 3928 4880 84EC.exe 84EC.exe PID 4880 wrote to memory of 3928 4880 84EC.exe 84EC.exe PID 4880 wrote to memory of 3928 4880 84EC.exe 84EC.exe PID 3232 wrote to memory of 3784 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 3784 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 3888 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 3888 3232 cmd.exe WMIC.exe PID 3148 wrote to memory of 3672 3148 explorer.exe PID 3148 wrote to memory of 3672 3148 explorer.exe PID 3148 wrote to memory of 3672 3148 explorer.exe PID 3148 wrote to memory of 3672 3148 explorer.exe PID 3232 wrote to memory of 3812 3232 cmd.exe WMIC.exe PID 3232 wrote to memory of 3812 3232 cmd.exe WMIC.exe PID 3148 wrote to memory of 4344 3148 explorer.exe PID 3148 wrote to memory of 4344 3148 explorer.exe PID 3148 wrote to memory of 4344 3148 explorer.exe PID 3928 wrote to memory of 932 3928 84EC.exe icacls.exe PID 3928 wrote to memory of 932 3928 84EC.exe icacls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe"C:\Users\Admin\AppData\Local\Temp\f5c85ce9f9bafb9b32c90b81b454adc0ad06e4395c04a417130a97dbaad56c92.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\B1BC.exeC:\Users\Admin\AppData\Local\Temp\B1BC.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\E782.exeC:\Users\Admin\AppData\Local\Temp\E782.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Windows\system32\cmd.execmd1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv2⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Users\Admin\AppData\Local\Temp\84EC.exeC:\Users\Admin\AppData\Local\Temp\84EC.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\84EC.exeC:\Users\Admin\AppData\Local\Temp\84EC.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\9a0812e1-e4f2-437a-b877-8e6ff25cd448" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\8E25.exeC:\Users\Admin\AppData\Local\Temp\8E25.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\95B7.exeC:\Users\Admin\AppData\Local\Temp\95B7.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3672 -ip 36721⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\9a0812e1-e4f2-437a-b877-8e6ff25cd448\84EC.exeFilesize
793KB
MD563af65fe36babc095e343bf05cff70cc
SHA197c72008b97c8d043336b76c55dd62b5b16393a8
SHA256a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3
SHA51207f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3
-
C:\Users\Admin\AppData\Local\Temp\84EC.exeFilesize
793KB
MD563af65fe36babc095e343bf05cff70cc
SHA197c72008b97c8d043336b76c55dd62b5b16393a8
SHA256a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3
SHA51207f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3
-
C:\Users\Admin\AppData\Local\Temp\84EC.exeFilesize
793KB
MD563af65fe36babc095e343bf05cff70cc
SHA197c72008b97c8d043336b76c55dd62b5b16393a8
SHA256a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3
SHA51207f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3
-
C:\Users\Admin\AppData\Local\Temp\84EC.exeFilesize
793KB
MD563af65fe36babc095e343bf05cff70cc
SHA197c72008b97c8d043336b76c55dd62b5b16393a8
SHA256a0cc5a24c9107b52177d612d342172612662287ad8ced1243966cf9ef5a687a3
SHA51207f65fa77ca068d86435b039a29c3af8f3c61f83d89db1047bb80f4beb6c5755c666e8a1056b23de1cc3557bcc272cabd7e1fb7e6ded17b5dd584c94f51d5cb3
-
C:\Users\Admin\AppData\Local\Temp\8E25.exeFilesize
411KB
MD54d4aacaaac0146811970c85ce456cc2a
SHA1bb25d5c6d7a9cc289c5195e13b2a0575289e6134
SHA256771e19ccac62a39284a2e7e6929b5b3d770c151f0e1e79b54a987e41a02595e9
SHA5124a0483cb4622240c6d9ad321e3e653f8bb0bc983feb20237473a63865eb5b284710081a06e563af5be69416b0e019c5da22a3bd6fd0dc91f6c009f01032ddef4
-
C:\Users\Admin\AppData\Local\Temp\8E25.exeFilesize
411KB
MD54d4aacaaac0146811970c85ce456cc2a
SHA1bb25d5c6d7a9cc289c5195e13b2a0575289e6134
SHA256771e19ccac62a39284a2e7e6929b5b3d770c151f0e1e79b54a987e41a02595e9
SHA5124a0483cb4622240c6d9ad321e3e653f8bb0bc983feb20237473a63865eb5b284710081a06e563af5be69416b0e019c5da22a3bd6fd0dc91f6c009f01032ddef4
-
C:\Users\Admin\AppData\Local\Temp\95B7.exeFilesize
407KB
MD55ef73af10fb910fc299f3cf06afcb80f
SHA116023f3aeb0cb8ae109e4b7426d794a4e528ab53
SHA256cd0b029bada1e06fb3853c385b45659a318147795643ac8f515735e8fe8993d5
SHA512df00f89114a22da949f904d89b5037993697dae52d07f21de239f90e5ed34b20995206c0d349932148a8c9fed0d4f70f4629a35be5355a18cb8833efb4199a34
-
C:\Users\Admin\AppData\Local\Temp\95B7.exeFilesize
407KB
MD55ef73af10fb910fc299f3cf06afcb80f
SHA116023f3aeb0cb8ae109e4b7426d794a4e528ab53
SHA256cd0b029bada1e06fb3853c385b45659a318147795643ac8f515735e8fe8993d5
SHA512df00f89114a22da949f904d89b5037993697dae52d07f21de239f90e5ed34b20995206c0d349932148a8c9fed0d4f70f4629a35be5355a18cb8833efb4199a34
-
C:\Users\Admin\AppData\Local\Temp\B1BC.exeFilesize
263KB
MD5e28cd04a78015bdfb321cd01b595d09e
SHA11d14781d6a028f9f2b106752bb43c6e9f1fdee41
SHA2563000a39fd47456cf8b06f1b1d1790ba7102864f8a007f892a4e9f430ac626814
SHA512f613216b42bfaae20a3fa36f5e98c984c0b7819d4af83580f18b774f9cd5eab7bd60940bf8ea753bedcbad7b5db918c453c19fd25e0b6cad328c6e30246ddad2
-
C:\Users\Admin\AppData\Local\Temp\B1BC.exeFilesize
263KB
MD5e28cd04a78015bdfb321cd01b595d09e
SHA11d14781d6a028f9f2b106752bb43c6e9f1fdee41
SHA2563000a39fd47456cf8b06f1b1d1790ba7102864f8a007f892a4e9f430ac626814
SHA512f613216b42bfaae20a3fa36f5e98c984c0b7819d4af83580f18b774f9cd5eab7bd60940bf8ea753bedcbad7b5db918c453c19fd25e0b6cad328c6e30246ddad2
-
C:\Users\Admin\AppData\Local\Temp\E782.exeFilesize
264KB
MD522c3d3f270c4a12fa47bf1ef418d8a93
SHA1e610e38fb080b8d6953e4df87774f2274f116941
SHA2568a8d0488e526efaa56e5b9e48d6e4e434926ff60dc7e449c0763380c70da487f
SHA51296da82e6cacc1248bd576313fbb1a265a747feae5fbbb8311fd2f4e433b708b3ebc9bdc866427449df944edac09c7f5e416495d89e2d9a01554bbe2d6870092a
-
C:\Users\Admin\AppData\Local\Temp\E782.exeFilesize
264KB
MD522c3d3f270c4a12fa47bf1ef418d8a93
SHA1e610e38fb080b8d6953e4df87774f2274f116941
SHA2568a8d0488e526efaa56e5b9e48d6e4e434926ff60dc7e449c0763380c70da487f
SHA51296da82e6cacc1248bd576313fbb1a265a747feae5fbbb8311fd2f4e433b708b3ebc9bdc866427449df944edac09c7f5e416495d89e2d9a01554bbe2d6870092a
-
memory/444-160-0x0000000000000000-mapping.dmp
-
memory/600-154-0x0000000000000000-mapping.dmp
-
memory/932-186-0x0000000000000000-mapping.dmp
-
memory/1820-150-0x0000000000000000-mapping.dmp
-
memory/2340-188-0x00000000009C0000-0x00000000009FA000-memory.dmpFilesize
232KB
-
memory/2340-167-0x0000000000000000-mapping.dmp
-
memory/2340-189-0x0000000000400000-0x00000000004FA000-memory.dmpFilesize
1000KB
-
memory/2340-187-0x00000000006DC000-0x0000000000709000-memory.dmpFilesize
180KB
-
memory/2656-179-0x0000000000870000-0x00000000008BD000-memory.dmpFilesize
308KB
-
memory/2656-177-0x000000000068C000-0x00000000006BA000-memory.dmpFilesize
184KB
-
memory/2656-180-0x0000000000400000-0x00000000004FB000-memory.dmpFilesize
1004KB
-
memory/2656-162-0x0000000000000000-mapping.dmp
-
memory/2748-139-0x0000000000400000-0x0000000000483000-memory.dmpFilesize
524KB
-
memory/2748-138-0x00000000005E0000-0x00000000005E9000-memory.dmpFilesize
36KB
-
memory/2748-137-0x0000000000657000-0x0000000000667000-memory.dmpFilesize
64KB
-
memory/2748-134-0x0000000000000000-mapping.dmp
-
memory/3136-145-0x00000000005E0000-0x00000000005E9000-memory.dmpFilesize
36KB
-
memory/3136-141-0x0000000000000000-mapping.dmp
-
memory/3136-146-0x0000000000400000-0x0000000000483000-memory.dmpFilesize
524KB
-
memory/3136-144-0x00000000006B7000-0x00000000006C7000-memory.dmpFilesize
64KB
-
memory/3148-147-0x0000000008350000-0x0000000008366000-memory.dmpFilesize
88KB
-
memory/3148-133-0x00000000003A0000-0x00000000003B6000-memory.dmpFilesize
88KB
-
memory/3148-140-0x0000000002C40000-0x0000000002C56000-memory.dmpFilesize
88KB
-
memory/3148-148-0x0000000007FE0000-0x0000000007FEF000-memory.dmpFilesize
60KB
-
memory/3232-149-0x0000000000000000-mapping.dmp
-
memory/3608-166-0x0000000000000000-mapping.dmp
-
memory/3672-183-0x0000000000000000-mapping.dmp
-
memory/3784-181-0x0000000000000000-mapping.dmp
-
memory/3812-184-0x0000000000000000-mapping.dmp
-
memory/3888-182-0x0000000000000000-mapping.dmp
-
memory/3916-151-0x0000000000000000-mapping.dmp
-
memory/3928-178-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3928-173-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3928-170-0x0000000000000000-mapping.dmp
-
memory/3928-171-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3928-175-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4344-185-0x0000000000000000-mapping.dmp
-
memory/4412-165-0x0000000000000000-mapping.dmp
-
memory/4732-152-0x0000000000000000-mapping.dmp
-
memory/4784-159-0x0000000000000000-mapping.dmp
-
memory/4796-155-0x0000000000000000-mapping.dmp
-
memory/4880-176-0x0000000002250000-0x000000000236B000-memory.dmpFilesize
1.1MB
-
memory/4880-174-0x0000000002053000-0x00000000020E4000-memory.dmpFilesize
580KB
-
memory/4880-156-0x0000000000000000-mapping.dmp
-
memory/4900-153-0x0000000000000000-mapping.dmp
-
memory/4944-130-0x00000000005F7000-0x0000000000608000-memory.dmpFilesize
68KB
-
memory/4944-132-0x0000000000400000-0x0000000000483000-memory.dmpFilesize
524KB
-
memory/4944-131-0x0000000000500000-0x0000000000509000-memory.dmpFilesize
36KB
-
memory/5060-161-0x0000000000000000-mapping.dmp