Analysis
max time kernel: 93s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 21:29

Static task: static1
Behavioral task: behavioral1
  Sample: 205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2 (the task shown on this page; its resource matches the platform above)
  Sample: 205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
  Resource: win10v2004-20220414-en
General
Target: 205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
Size: 9.5MB
MD5: 0ec29d2e49bae6f922b735be7259d3cc
SHA1: 0a806b4918388a56e877ca92559d15725df439f2
SHA256: 205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60
SHA512: 486507b682227fae304280c96a7f6f6ee6a08615cbcbac7754acfd5ee74eb24325ab1cfb8c010b9663cd108b882f78cff9b344515df01c6574e77ac01341be2c
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Downloads MZ/PE file

Executes dropped EXE 3 IoCs
  PID   Process
  3448  17D56CD9.EXE
  4432  8DAAA769.EXE
  1396  17D56CD9.EXE
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments. These two values are also read by legitimate inventory tools, so on their own they are a weak signal; what makes them meaningful here is that every process in the chain reads them alongside the Wine, geolocation and hide-from-debugger checks below.
  Description        IoC                                                             Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   17D56CD9.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  8DAAA769.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   8DAAA769.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  17D56CD9.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   17D56CD9.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  17D56CD9.EXE
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
  Description        IoC                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  17D56CD9.EXE
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  8DAAA769.EXE
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Description  IoC                                                                        Process
  Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine  205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine  17D56CD9.EXE
  Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine  17D56CD9.EXE
Checks whether UAC is enabled
(Heading restored from the process tree below, where this signature is attributed to 8DAAA769.EXE.)
  Description        IoC                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  8DAAA769.EXE
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
  Description                   IoC                  Process
  File opened for modification  \??\PhysicalDrive0   8DAAA769.EXE
Note that the IoC records a handle to the raw disk being opened with write access, not a confirmed write to sector 0; the same open precedes disk wiping or partition-table rewriting. Confirm on a suspect host by imaging the first sectors of the disk and comparing them with a known-clean baseline.
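A way to make that confirmation concrete, as an added example that is not part of this sandbox report or of the sample: parse a 512-byte MBR sector, hash its boot code, and compare against a baseline. The sector images below are constructed for illustration; on a real case feed in the first 512 bytes read from the disk with a forensic imager, and take the baseline hash from a clean machine of the same Windows build.

```python
"""Parse and baseline-check a raw MBR sector (added example; constructed data)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0-445: bootstrap code
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow the boot code
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code hash, partition entries and signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d bytes" % (SECTOR_SIZE, len(sector)))
    partitions = []
    for index in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * index)
        if ptype == 0:             # empty slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches expectations."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["lba_start"] < prev["lba_start"] + prev["sectors"]:
            findings.append("partition %d overlaps partition %d" % (cur["index"], prev["index"]))
    return findings


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for index, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * index,
                         status, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed test data: a stand-in for a known-clean boot sector and a tampered copy.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 8)
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 1_000_000)])
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
# Same partition table, but the first bytes of the boot code were replaced (a jmp-to-self here).
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + CLEAN_BOOT_CODE[2:], [(0x80, 0x07, 2048, 1_000_000)])


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE_SHA256) or "no findings")
```

On UEFI/GPT systems the MBR is only a protective stub (a single type 0xEE entry, boot code often all zeros) and a bootkit targets the EFI system partition instead, so a clean result here does not cover that case.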
Drops file in System32 directory 2 IoCs
  Description                   IoC                                     Process
  File created                  C:\Windows\SysWOW64\libcrypto-1_1.dll   8DAAA769.EXE
  File opened for modification  C:\Windows\SysWOW64\libcrypto-1_1.dll   8DAAA769.EXE
libcrypto-1_1.dll is the file name of the OpenSSL 1.1 crypto library; its hashes are listed under Downloads. Creating a file in SysWOW64 needs an elevated token, and a DLL with that name on the system search path can be picked up by any 32-bit program that loads OpenSSL by name, so compare the hash against a known OpenSSL 1.1 build before treating it as benign.
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
NtSetInformationThread with ThreadHideFromDebugger detaches the calling thread from any attached debugger; it is a classic anti-debugging call and is used by every process in the chain, including the second run of 17D56CD9.EXE.
  PID   Process
  2588  205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
  3448  17D56CD9.EXE
  4432  8DAAA769.EXE
  1396  17D56CD9.EXE
Drops file in Windows directory 64 IoCs
All entries are "File opened for modification" by 8DAAA769.EXE unless noted.
  C:\Windows\Prefetch\NGEN.EXE-AE594A6B.pf
  C:\Windows\Prefetch\SVCHOST.EXE-11FFA705.pf
  C:\Windows\Prefetch\ReadyBoot
  C:\Windows\Prefetch\RUNDLL32.EXE-08AF006C.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-7BB97BF6.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-B2C296EF.pf
  C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-EC979AE0.pf
  C:\Windows\Prefetch\TRUSTEDINSTALLER.EXE-3CC531E5.pf
  C:\Windows\Prefetch\DLLHOST.EXE-A73FB9CB.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-7194EF5E.pf
  C:\Windows\Prefetch\SEARCHINDEXER.EXE-4A6353B9.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-641DCE1C.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-7BCB4814.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-7EF4A0DD.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-99F89D15.pf
  C:\Windows\Prefetch\RUNTIMEBROKER.EXE-005D3145.pf
  C:\Windows\Prefetch\RUNTIMEBROKER.EXE-06226CEB.pf
  C:\Windows\Prefetch\SVCHOST.EXE-DF3D779F.pf
  C:\Windows\Prefetch\AgAppLaunch.db
  C:\Windows\Prefetch\AgGlFgAppHistory.db
  C:\Windows\Prefetch\DLLHOST.EXE-FC981FFE.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-61696F68.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-894C9E34.pf
  C:\Windows\Prefetch\COMPPKGSRV.EXE-21DBED9C.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-32DA767E.pf
  C:\Windows\Prefetch\SEARCHAPP.EXE-840F7E5A.pf
  C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf
  C:\Windows\Prefetch\SVCHOST.EXE-D217A328.pf
  C:\Windows\Prefetch\DLLHOST.EXE-570206E5.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-16AF9B6E.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-18665B15.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-4EFE6110.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-8AFD300C.pf
  C:\Windows\Prefetch\ASPNET_REGIIS.EXE-A5891C91.pf
  C:\Windows\Prefetch\MSEDGE.EXE-78F14B8D.pf
  C:\Windows\Prefetch\ReadyBoot\Trace2.fx
  C:\Windows\Prefetch\RUNDLL32.EXE-C8D69DC6.pf
  C:\Windows\Prefetch\SVCHOST.EXE-4BA0E729.pf
  C:\Windows\Prefetch\TIWORKER.EXE-C101ABCD.pf
  C:\Windows\Prefetch\ASPNET_REGIIS.EXE-945CDB73.pf
  C:\Windows\Prefetch\FILESYNCCONFIG.EXE-CB60E6FA.pf
  C:\Windows\Prefetch\Op-MSEDGE.EXE-78F14B85-00000001.pf
  C:\Windows\Prefetch\SVCHOST.EXE-5AC380EC.pf
  C:\Windows\Prefetch\SVCHOST.EXE-EDE0F878.pf
  C:\Windows\Prefetch\ReadyBoot  (17D56CD9.EXE)
  C:\Windows\Prefetch\BACKGROUNDTRANSFERHOST.EXE-CF5B50C1.pf
  C:\Windows\Prefetch\MOUSOCOREWORKER.EXE-681A8FEE.pf
  C:\Windows\Prefetch\RUNDLL32.EXE-DB926CB0.pf
  C:\Windows\Prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf
  C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-039D5D2E.pf
  C:\Windows\Prefetch\WMIADAP.EXE-F8DFDFA2.pf
  C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf
  C:\Windows\Prefetch\DLLHOST.EXE-28A8211F.pf
  C:\Windows\Prefetch\ResPriHMStaticDb.ebd
  C:\Windows\Prefetch\RUNDLL32.EXE-002D6F84.pf
  C:\Windows\Prefetch\RUNTIMEBROKER.EXE-C4B5739C.pf
  C:\Windows\Prefetch\SVCHOST.EXE-21A1C618.pf
  C:\Windows\Prefetch\
  C:\Windows\Prefetch\AgRobust.db
  C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf
  C:\Windows\Prefetch\RUNTIMEBROKER.EXE-4DE02988.pf
  C:\Windows\Prefetch\RUNTIMEBROKER.EXE-72C0C855.pf
  C:\Windows\Prefetch\RUNTIMEBROKER.EXE-94A02D86.pf
  C:\Windows\Prefetch\BACKGROUNDTASKHOST.EXE-ACEF2FA2.pf
Every path is a Prefetch trace or ReadyBoot/SuperFetch database belonging to an unrelated system process; a user-mode dropper has no ordinary reason to open these with write access. Whether this is deliberate tampering with execution artefacts or a broad write-mode sweep of C:\Windows, Prefetch on a host that ran this sample should not be trusted when building a timeline. The report shows exactly 64 entries, which is likely a display cap rather than the full set.
Launches sc.exe
Sc.exe is a Windows utility to control services on the system. Both the submitted sample and the first 17D56CD9.EXE run `sc.exe config Winmgmt start=auto` (see the process tree), which sets the WMI service to start automatically. That is already the default start type on Windows 10, so the command normally changes nothing, but it does require service-configuration rights and is an easy process-creation indicator to alert on.
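The registry reads, the sc.exe launch and the raw-disk open above are each weak on their own and only become interesting in combination. The following is an added example, not part of this report or the sample, of scoring that combination over telemetry: it tags registry, process-creation and file-open events with the behaviours this page lists and flags processes that show two or more. The event schema (type/pid/path/cmdline/access) and the sample events are constructed to mirror the IoCs on this page; map the fields onto your own event source before use.

```python
"""Flag processes that combine the evasion and setup behaviours seen in this report.

Added example, not part of the sandbox report or the sample. The event schema
(type/pid/path/cmdline/access fields) is constructed for illustration; map it
onto your own telemetry (registry and process-creation events) before use.
"""
import re
from collections import defaultdict

# Registry paths the report shows being read, tagged by what they tell the malware.
# Matching is by suffix so hive prefixes and per-user SIDs do not matter.
EVASION_REGISTRY_SUFFIXES = {
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios_fingerprint",
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion": "bios_fingerprint",
    r"Control Panel\International\Geo\Nation": "geofence",
    r"Software\Wine": "wine_check",
    r"Policies\System\EnableLUA": "uac_check",
}

# "sc config Winmgmt start=auto" as launched by the dropper and by 17D56CD9.EXE.
SC_WINMGMT_AUTOSTART = re.compile(r"\bsc(?:\.exe)?\b.*\bconfig\s+winmgmt\s+start=\s*auto\b", re.I)

HIVE_PREFIXES = ("\\REGISTRY\\MACHINE\\", "\\REGISTRY\\USER\\", "HKLM\\", "HKU\\")
SID_PREFIX = re.compile(r"^S-1-5-[0-9-]+\\", re.I)


def tag_registry_path(path: str):
    """Return the evasion tag for a registry path, or None if it is not one we care about."""
    norm = path
    for prefix in HIVE_PREFIXES:
        if norm.upper().startswith(prefix.upper()):
            norm = norm[len(prefix):]
            break
    norm = SID_PREFIX.sub("", norm).lower()
    for suffix, tag in EVASION_REGISTRY_SUFFIXES.items():
        if norm.endswith(suffix.lower()):
            return tag
    return None


def analyse(events):
    """Collect the set of behaviour tags observed per PID."""
    tags = defaultdict(set)
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind in ("registry_query", "registry_open"):
            tag = tag_registry_path(ev["path"])
            if tag:
                tags[pid].add(tag)
        elif kind == "process_create":
            if SC_WINMGMT_AUTOSTART.search(ev["cmdline"]):
                tags[pid].add("sc_winmgmt_autostart")
        elif kind == "file_open":
            # \??\PhysicalDrive0 opened with write access: raw disk (MBR) write capability.
            if ev["path"].lower().endswith("physicaldrive0") and "write" in ev["access"].lower():
                tags[pid].add("raw_disk_write")
    return dict(tags)


def suspicious_pids(tags_by_pid, min_tags=2):
    """PIDs with at least min_tags distinct behaviours; single hits are common in benign tooling."""
    return sorted(pid for pid, tags in tags_by_pid.items() if len(tags) >= min_tags)


# Constructed events mirroring the IoCs in this report (PIDs as in the process tree).
# PID 999 stands in for a benign inventory tool that only reads the BIOS version.
SAMPLE_EVENTS = [
    {"pid": 2588, "type": "registry_query", "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 2588, "type": "registry_query", "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 2588, "type": "registry_query", "path": r"\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation"},
    {"pid": 2588, "type": "registry_open", "path": r"\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine"},
    {"pid": 2588, "type": "process_create", "cmdline": r"C:\Windows\system32\sc.exe config Winmgmt start=auto"},
    {"pid": 4432, "type": "registry_query", "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"pid": 4432, "type": "file_open", "path": r"\??\PhysicalDrive0", "access": "write"},
    {"pid": 999, "type": "registry_query", "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
]


if __name__ == "__main__":
    found = analyse(SAMPLE_EVENTS)
    for pid in suspicious_pids(found):
        print(pid, sorted(found[pid]))
```

The threshold of two distinct tags is the design choice worth tuning: a single BIOS read is noise from inventory and support tooling, whereas BIOS plus Wine plus geofence from one process, as seen in PID 2588 here, is rarely anything but evasion logic.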
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies system certificate store
(Heading restored from the process tree below, where this signature is attributed to the second run of 17D56CD9.EXE, PID 1396.)
  Description       IoC                                                                                                      Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E  17D56CD9.EXE
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = [blob data omitted in this copy of the report]  17D56CD9.EXE
AuthRoot is the store that Windows' automatic root update populates on demand when a certificate chain needs a root that is not yet cached, and the CryptnetUrlCache files under Downloads are the matching CryptoAPI fetch cache. Before treating this as an attacker-installed CA, look the SHA-1 thumbprint up against Microsoft's trusted root list: if it is a public root already in the CTL, this is a side effect of the sample's TLS traffic, not a trust-store compromise.
Suspicious behavior: EnumeratesProcesses 10 IoCs
  PID   Process                                                                 Count
  2588  205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe   2
  3448  17D56CD9.EXE                                                            2
  4432  8DAAA769.EXE                                                            2
  1396  17D56CD9.EXE                                                            4
Suspicious use of AdjustPrivilegeToken 2 IoCs
  Token             PID   Process
  SeDebugPrivilege  4432  8DAAA769.EXE
  SeDebugPrivilege  1396  17D56CD9.EXE
SeDebugPrivilege is only available to an elevated token and is what a process needs to open other processes it does not own; combined with the process enumeration above it points at the later stages looking for, or preparing to touch, other processes.
Suspicious use of FindShellTrayWindow 8 IoCs
  PID   Process       Count
  4432  8DAAA769.EXE  4
  1396  17D56CD9.EXE  4

Suspicious use of SendNotifyMessage 8 IoCs
  PID   Process       Count
  4432  8DAAA769.EXE  4
  1396  17D56CD9.EXE  4
Suspicious use of SetWindowsHookEx 12 IoCs
  PID   Process                                                                 Count
  2588  205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe   2
  3448  17D56CD9.EXE                                                            2
  4432  8DAAA769.EXE                                                            4
  1396  17D56CD9.EXE                                                            4
Suspicious use of WriteProcessMemory 15 IoCs
  Source PID  Source process                                                          Target PID  Target process  Writes
  2588        205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe   2580        sc.exe          3
  2588        205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe   3448        17D56CD9.EXE    3
  3448        17D56CD9.EXE                                                            4308        sc.exe          3
  3448        17D56CD9.EXE                                                            4432        8DAAA769.EXE    3
  4432        8DAAA769.EXE                                                            1396        17D56CD9.EXE    3
Each record is a parent writing into a child it has just created, three writes per child, which is the pattern ordinary process creation produces when the parent sets up the new process. These entries corroborate the process tree below; they are not on their own evidence of code injection into unrelated processes.
Processes
PIDs are taken from the WriteProcessMemory records above. The sc.exe path is C:\Windows\SysWOW64\sc.exe although the command line names system32: the parent is a 32-bit process, so file-system redirection maps system32 to SysWOW64.

C:\Users\Admin\AppData\Local\Temp\205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe  (PID 2588)
  Command line: "C:\Users\Admin\AppData\Local\Temp\205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\sc.exe  (PID 2580)
    Command line: C:\Windows\system32\sc.exe config Winmgmt start=auto

  C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE  (PID 3448)
    Command line: "C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE" C:\Users\Admin\AppData\Local\Temp\205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sc.exe  (PID 4308)
      Command line: C:\Windows\system32\sc.exe config Winmgmt start=auto

    C:\Users\Admin\AppData\Local\Temp\8DAAA769.EXE  (PID 4432)
      Command line: "C:\Users\Admin\AppData\Local\Temp\8DAAA769.EXE"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks computer location settings
      - Checks whether UAC is enabled
      - Writes to the Master Boot Record (MBR)
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE  (PID 1396)
        Command line: "C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE" C:\Users\Admin\AppData\Local\Temp\8DAAA769.EXE
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx

Both times 17D56CD9.EXE is started, its single argument is the path of the executable that launched it (first the submitted sample, then 8DAAA769.EXE). A stage that is handed its parent's path in this way typically uses it to delete or overwrite the previous stage, and the Downloads section does show two different contents at the 17D56CD9.EXE path. The signature list for PID 1396 differs from PID 3448's (certificate store, SeDebugPrivilege, Prefetch access), which fits the two runs executing different code.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The CryptnetUrlCache entries are CryptoAPI's on-disk cache of objects it fetched over the network while validating a certificate chain (certificates, CRLs or CTLs); Windows writes them on behalf of the process, so they are side effects of the sample's TLS traffic rather than payloads. Entries that the report listed twice are shown once and marked.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: 876bb087b3eb935a4da2e5e7b74dc034
  SHA1: 3a4887eefbec2a9c06fac1f54ac0e91d96878e15
  SHA256: 0b332fabb7d73fba30142fb2a062431ac432bd49fbf7bd71416b00a368770e64
  SHA512: 98fdf68279a4eb3b26e0fdab0ed19a516d6ceab3e809b3dff0a770238e18b83963e510368a326f0ab87fd669bfaeceb2e395b246aed1f1bcaba8a882487fd4a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 724B
  MD5: 5a11c6099b9e5808dfb08c5c9570c92f
  SHA1: e5dc219641146d1839557973f348037fa589fd18
  SHA256: 91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172
  SHA512: c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_665120A0D9C414754DD0F4487D79F885
  Filesize: 472B
  MD5: e67f07efe64e042f3d0002b701b185c1
  SHA1: 76c83ee5886c59f4b9c921afc01687534cdbe397
  SHA256: b0aa13e6d7b664cdf7129fda741441dfe9d93d09dd2347efa69e36e4c0687b3e
  SHA512: e2f24cd78d0671495dacb2d76e81cd1d63abf177cfb5abd870ae4d44921c1ecf986c7b6fdebf922b2b694807c93f34bc967a1ae858d6595f0969276d23a6e0f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 7cbbea9199daff048104997684cc0e85
  SHA1: ba8c990009594ba0c19441bd7df95ebdb1c80798
  SHA256: f4d72d42a153a4338cc63a5cabd8efee52a76e4bf78c439a7cfa584159a65000
  SHA512: 3947ff6d8a86684af1b243b881cd4393b42664c6e4317ba4b290eddd424c1a18ec401705f27f2e7b8039bb198b269ca05bee8d99f37f8241f1455c2accbd2b2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 392B
  MD5: 7272fbd0ca2672929512a20fd667952b
  SHA1: 9f61dcd800d5cc877fb9c059bc349c41c406fd5b
  SHA256: 3011f1c8727062351572f5d8bfcde394882a9f43bcb39280d24edea21d259a17
  SHA512: 357a759faf538f3e1e9249234b96ddeb5b0a6e8d383e4d0dfed398c4bbe09bd3bd9ec5f189005751dc38f05dc402f018a3f008630635fbd6273b5052d19d8cb2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_665120A0D9C414754DD0F4487D79F885
  Filesize: 406B
  MD5: 4701054224bdbf49bc8b75f8132dba28
  SHA1: e202e5dfe482f6e39306447dc57e5b96cde9ba20
  SHA256: b85a39e29da8d288a381c643cb7cfad9cc2a33d531e61bcf0db1963b26720b0a
  SHA512: e29c744f0ce392e8ec609828b2e634ae4f32a162c3b3ec51e7cea2c287c3d58273206836f69d3acb7607154bcbee51a120a2879ff2a74084133845c6b52fe30a

C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE  (listed twice)
  Filesize: 7.0MB
  MD5: 7ec4a713694d351a0a8cb0bace19be2f
  SHA1: de0da87dff6f4563b0e716c5533231e58c844a40
  SHA256: 7ce16dd164e7e6afa8958e993583a5edee588c89717d57c1b9d18175b7723806
  SHA512: 9ebe7825e90fdb33cbd53c2af7ba52c19661f2edae2464932ba00054dfd291d32d69a846d07a439653a29aaa959b5985265728f6fec749401c35894b780c7f38

C:\Users\Admin\AppData\Local\Temp\17D56CD9.EXE  (listed twice; identical to the submitted sample)
  Filesize: 9.5MB
  MD5: 0ec29d2e49bae6f922b735be7259d3cc
  SHA1: 0a806b4918388a56e877ca92559d15725df439f2
  SHA256: 205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60
  SHA512: 486507b682227fae304280c96a7f6f6ee6a08615cbcbac7754acfd5ee74eb24325ab1cfb8c010b9663cd108b882f78cff9b344515df01c6574e77ac01341be2c

Two distinct contents were observed at the 17D56CD9.EXE path: a byte-for-byte copy of the submitted sample and a 7.0MB file. The process tree runs 17D56CD9.EXE twice, and the memory dumps below fit the file being rewritten in between: PID 3448's main image occupies the same 12.4MB range as the original sample's (PID 2588), while PID 1396's main image spans 13.1MB. When hunting for this file on a host, match on both hash sets.

C:\Users\Admin\AppData\Local\Temp\8DAAA769.EXE  (listed twice)
  Filesize: 7.5MB
  MD5: d17fedcbd09fb98051fcf96da18a8aac
  SHA1: 6a523cff8b733d02ad9f65028b994fdc470897c8
  SHA256: ff374aeb654183a0b28d453bbc33cfc01148167a61b05e9aeff600e227475cf7
  SHA512: 23d5f522da1609159fdb6ff9eba9d443a4f0f9819b517c6e5a9813e9eee571ab94c00c80eedfa9a4883c84b02acf4f0db2c5099c83a3cda649ec1b5572f9f095

C:\Windows\SysWOW64\libcrypto-1_1.dll
  Filesize: 2.4MB
  MD5: c58b2589b88c5da34df20f737b7ac50c
  SHA1: 05ed6edafd5342b546fb5d5a6162695f11f5d4da
  SHA256: 49b26d14cf68a370de47f8f3724e46e61bff98aba7dd7b8a7c1f87e83bb44064
  SHA512: 4e2db4133fdb69dcc7a03201810b10cf9519dd7cdea8ff3fc496779d84556502cdb562d67f60a0503493705b622d1cb772fc9acb4935aa4fb6a6cbdf7b4b211f
Memory dumps
Grouped by PID; the number after the PID is the report's dump index. 0x00400000 is the default image base of a 32-bit executable, and 0x10000000 is the default base for a 32-bit DLL built without a custom base, so a region there is usually a DLL that was loaded or manually mapped without relocation.

PID 1396 (17D56CD9.EXE, second run)
  1396-161  0x0000000000000000  mapping.dmp
  1396-169 to 1396-182 (14 dumps)  0x0000000010000000-0x000000001007E000  504KB
  1396-185  0x0000000077BB0000-0x0000000077D53000  1.6MB
  1396-189  0x0000000000400000-0x000000000111B000  13.1MB

PID 2580 (sc.exe)
  2580-135  0x0000000000000000  mapping.dmp

PID 2588 (205d8d1f507486f177b51f794200a3514ca6de7a01bf4294724a14a724e3cd60.exe)
  2588-130  0x0000000077BB0000-0x0000000077D53000  1.6MB
  2588-134  0x0000000000400000-0x000000000106E000  12.4MB

PID 3448 (17D56CD9.EXE, first run)
  3448-136  0x0000000000000000  mapping.dmp
  3448-142  0x0000000077BB0000-0x0000000077D53000  1.6MB
  3448-143  0x0000000000400000-0x000000000106E000  12.4MB

PID 4308 (sc.exe)
  4308-144  0x0000000000000000  mapping.dmp

PID 4432 (8DAAA769.EXE)
  4432-145  0x0000000000000000  mapping.dmp
  4432-148  0x0000000077BB0000-0x0000000077D53000  1.6MB
  4432-149, 4432-150  0x0000000000400000-0x00000000015C0000  17.8MB (dumped twice)
  4432-151  0x0000000000401000-0x00000000004A4000  652KB
  4432-156  0x0000000010000000-0x000000001007E000  504KB

Where to start: the 504KB region at 0x10000000 appears in both 8DAAA769.EXE (PID 4432) and the second 17D56CD9.EXE (PID 1396), so the same DLL-sized module is present in both later stages; it is the first dump worth carving and comparing across the two processes. The 1.6MB region at 0x77BB0000 is present in every process in the tree, sits in the range system DLLs occupy in 32-bit processes, and is consistent with a shared system DLL rather than sample code. PID 4432's main image at 17.8MB is much larger than the 7.5MB file on disk, which is the usual sign of a packed or self-extracting executable unpacking in place.