Malware Analysis Report

2024-10-18 23:00

Sample ID 220524-a3nndaaec9
Target 935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c
SHA256 935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c
Tags
globeimposter lockbit persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c

Threat Level: Known bad

The file 935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c was found to be: Known bad.

Malicious Activity Summary

globeimposter lockbit persistence ransomware spyware stealer

Lockbit

GlobeImposter

Executes dropped EXE

Modifies extensions of user files

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies system certificate store

NTFS ADS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-24 00:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-24 00:44

Reported

2022-05-24 00:47

Platform

win7-20220414-en

Max time kernel

151s

Max time network

78s

Command Line

"C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe"

Signatures

GlobeImposter

ransomware globeimposter

Lockbit

ransomware lockbit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe" C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Local\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe\:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 1276 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 1276 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 1276 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 1276 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 1276 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 1276 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

"C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier"

C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

"C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe"

Network

Files

\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

MD5 ca5f6009311c61f27ad3be2914b9fc59
SHA1 d20a8fef26ee4d833ee81c2bd6aaa8a06f322562
SHA256 935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c
SHA512 4823125186d614a40b5356b042ea893a71be12930e5b5f454a6fb0b99ba90cf00f29919fe9ac9f9f793ae7a51cf8a2334a31727e14bbfdb393566ad3023eabfa

C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

MD5 ca5f6009311c61f27ad3be2914b9fc59
SHA1 d20a8fef26ee4d833ee81c2bd6aaa8a06f322562
SHA256 935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c
SHA512 4823125186d614a40b5356b042ea893a71be12930e5b5f454a6fb0b99ba90cf00f29919fe9ac9f9f793ae7a51cf8a2334a31727e14bbfdb393566ad3023eabfa

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-24 00:44

Reported

2022-05-24 00:47

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe"

Signatures

GlobeImposter

ransomware globeimposter

Lockbit

ransomware lockbit

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\EnableFormat.tiff => C:\Users\Admin\Pictures\EnableFormat.tiff.DOCM C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File renamed C:\Users\Admin\Pictures\MoveTrace.tif => C:\Users\Admin\Pictures\MoveTrace.tif.DOCM C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File renamed C:\Users\Admin\Pictures\RestoreTrace.png => C:\Users\Admin\Pictures\RestoreTrace.png.DOCM C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File renamed C:\Users\Admin\Pictures\SendUse.raw => C:\Users\Admin\Pictures\SendUse.raw.DOCM C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File renamed C:\Users\Admin\Pictures\StopProtect.png => C:\Users\Admin\Pictures\StopProtect.png.DOCM C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Pictures\EnableFormat.tiff C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File renamed C:\Users\Admin\Pictures\LimitRestore.png => C:\Users\Admin\Pictures\LimitRestore.png.DOCM C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File renamed C:\Users\Admin\Pictures\RevokeMove.raw => C:\Users\Admin\Pictures\RevokeMove.raw.DOCM C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File renamed C:\Users\Admin\Pictures\SplitUnlock.png => C:\Users\Admin\Pictures\SplitUnlock.png.DOCM C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe" C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe\:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 2192 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 2192 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 2192 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 2192 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 2192 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 2192 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 2192 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
PID 2192 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

"C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

"C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe"

C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

"C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
NL 178.79.208.1:80 tcp
FR 2.18.109.224:443 tcp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
US 8.8.8.8:53 tsfe.trafficshaping.dsp.mp.microsoft.com udp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 dl.delivery.mp.microsoft.com udp
US 93.184.221.240:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 dl.delivery.mp.microsoft.com tcp
US 93.184.221.240:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 20.189.173.1:443 tcp
US 13.107.21.200:443 tcp
US 104.18.25.243:80 tcp
NL 178.79.208.1:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

MD5 ca5f6009311c61f27ad3be2914b9fc59
SHA1 d20a8fef26ee4d833ee81c2bd6aaa8a06f322562
SHA256 935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c
SHA512 4823125186d614a40b5356b042ea893a71be12930e5b5f454a6fb0b99ba90cf00f29919fe9ac9f9f793ae7a51cf8a2334a31727e14bbfdb393566ad3023eabfa

C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

MD5 ca5f6009311c61f27ad3be2914b9fc59
SHA1 d20a8fef26ee4d833ee81c2bd6aaa8a06f322562
SHA256 935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c
SHA512 4823125186d614a40b5356b042ea893a71be12930e5b5f454a6fb0b99ba90cf00f29919fe9ac9f9f793ae7a51cf8a2334a31727e14bbfdb393566ad3023eabfa
