crypvault | 5f0798cdb628b90fa0507427cfad23ac606c781d630526e15c20e0150a9ece04

General

Target

5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe
Size

218KB
MD5

eb6009f8d970345d2bda321bda243b06
SHA1

0d77001fd776db124b2e01abfef61720d3708763
SHA256

5f0798cdb628b90fa0507427cfad23ac606c781d630526e15c20e0150a9ece04
SHA512

01fac880e92ead6fe3127a680549b4ecae013a0bab95c086b4c1399cfc892deee16af6dddf2edd8d20f8b62891dfae3a909023b4940ef010e07fadcc7b2f4059

Score

10^/10

crypvault pony collection discovery evasion ransomware rat spyware stealer suricata upx

Malware Config

Extracted

Family

pony

C2

http://dinom.spb.ru/api/index.php

Signatures

CrypVault
Ransomware family which makes encrypted files look like they have been quarantined by AV.
ransomware crypvault
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3016 724 cmd.exe
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4272 bcdedit.exe
4064 bcdedit.exe
Executes dropped EXE 2 IoCs

Processes:

0150CEAF8E32.exe0150CEAF8E32.exe

pid process

400 0150CEAF8E32.exe
1608 0150CEAF8E32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	724	cmd.exe

pid	process
4272	bcdedit.exe
4064	bcdedit.exe

pid	process
400	0150CEAF8E32.exe
1608	0150CEAF8E32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1608-142-0x0000000000400000-0x0000000000E28000-memory.dmp	upx
behavioral2/memory/1608-148-0x0000000000400000-0x0000000000E28000-memory.dmp	upx
behavioral2/memory/1608-149-0x0000000000400000-0x0000000000E28000-memory.dmp	upx
behavioral2/memory/1608-153-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/1608-167-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe0150CEAF8E32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	0150CEAF8E32.exe

Drops startup file 2 IoCs

Processes:

0150CEAF8E32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta	0150CEAF8E32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta	0150CEAF8E32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

0150CEAF8E32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	0150CEAF8E32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

0150CEAF8E32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	0150CEAF8E32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

0150CEAF8E32.exe

description pid process target process

PID 400 set thread context of 1608 400 0150CEAF8E32.exe 0150CEAF8E32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 400 set thread context of 1608	400	0150CEAF8E32.exe	0150CEAF8E32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1296 vssadmin.exe

pid	process
1296	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe0150CEAF8E32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	0150CEAF8E32.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1720 WINWORD.EXE
1720 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0150CEAF8E32.exe0150CEAF8E32.exe

pid process

400 0150CEAF8E32.exe
400 0150CEAF8E32.exe
1608 0150CEAF8E32.exe
1608 0150CEAF8E32.exe

pid	process
1720	WINWORD.EXE
1720	WINWORD.EXE

pid	process
400	0150CEAF8E32.exe
400	0150CEAF8E32.exe
1608	0150CEAF8E32.exe
1608	0150CEAF8E32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0150CEAF8E32.exeWMIC.exevssvc.exe

description	pid	process
Token: SeImpersonatePrivilege	1608	0150CEAF8E32.exe
Token: SeTcbPrivilege	1608	0150CEAF8E32.exe
Token: SeChangeNotifyPrivilege	1608	0150CEAF8E32.exe
Token: SeCreateTokenPrivilege	1608	0150CEAF8E32.exe
Token: SeBackupPrivilege	1608	0150CEAF8E32.exe
Token: SeRestorePrivilege	1608	0150CEAF8E32.exe
Token: SeIncreaseQuotaPrivilege	1608	0150CEAF8E32.exe
Token: SeAssignPrimaryTokenPrivilege	1608	0150CEAF8E32.exe
Token: SeIncreaseQuotaPrivilege	4484	WMIC.exe
Token: SeSecurityPrivilege	4484	WMIC.exe
Token: SeTakeOwnershipPrivilege	4484	WMIC.exe
Token: SeLoadDriverPrivilege	4484	WMIC.exe
Token: SeSystemProfilePrivilege	4484	WMIC.exe
Token: SeSystemtimePrivilege	4484	WMIC.exe
Token: SeProfSingleProcessPrivilege	4484	WMIC.exe
Token: SeIncBasePriorityPrivilege	4484	WMIC.exe
Token: SeCreatePagefilePrivilege	4484	WMIC.exe
Token: SeBackupPrivilege	4484	WMIC.exe
Token: SeRestorePrivilege	4484	WMIC.exe
Token: SeShutdownPrivilege	4484	WMIC.exe
Token: SeDebugPrivilege	4484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4484	WMIC.exe
Token: SeRemoteShutdownPrivilege	4484	WMIC.exe
Token: SeUndockPrivilege	4484	WMIC.exe
Token: SeManageVolumePrivilege	4484	WMIC.exe
Token: 33	4484	WMIC.exe
Token: 34	4484	WMIC.exe
Token: 35	4484	WMIC.exe
Token: 36	4484	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4484	WMIC.exe
Token: SeSecurityPrivilege	4484	WMIC.exe
Token: SeTakeOwnershipPrivilege	4484	WMIC.exe
Token: SeLoadDriverPrivilege	4484	WMIC.exe
Token: SeSystemProfilePrivilege	4484	WMIC.exe
Token: SeSystemtimePrivilege	4484	WMIC.exe
Token: SeProfSingleProcessPrivilege	4484	WMIC.exe
Token: SeIncBasePriorityPrivilege	4484	WMIC.exe
Token: SeCreatePagefilePrivilege	4484	WMIC.exe
Token: SeBackupPrivilege	4484	WMIC.exe
Token: SeRestorePrivilege	4484	WMIC.exe
Token: SeShutdownPrivilege	4484	WMIC.exe
Token: SeDebugPrivilege	4484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4484	WMIC.exe
Token: SeRemoteShutdownPrivilege	4484	WMIC.exe
Token: SeUndockPrivilege	4484	WMIC.exe
Token: SeManageVolumePrivilege	4484	WMIC.exe
Token: 33	4484	WMIC.exe
Token: 34	4484	WMIC.exe
Token: 35	4484	WMIC.exe
Token: 36	4484	WMIC.exe
Token: SeBackupPrivilege	2672	vssvc.exe
Token: SeRestorePrivilege	2672	vssvc.exe
Token: SeAuditPrivilege	2672	vssvc.exe
Token: SeImpersonatePrivilege	1608	0150CEAF8E32.exe
Token: SeTcbPrivilege	1608	0150CEAF8E32.exe
Token: SeChangeNotifyPrivilege	1608	0150CEAF8E32.exe
Token: SeCreateTokenPrivilege	1608	0150CEAF8E32.exe
Token: SeBackupPrivilege	1608	0150CEAF8E32.exe
Token: SeRestorePrivilege	1608	0150CEAF8E32.exe
Token: SeIncreaseQuotaPrivilege	1608	0150CEAF8E32.exe
Token: SeAssignPrimaryTokenPrivilege	1608	0150CEAF8E32.exe
Token: SeImpersonatePrivilege	1608	0150CEAF8E32.exe
Token: SeTcbPrivilege	1608	0150CEAF8E32.exe
Token: SeChangeNotifyPrivilege	1608	0150CEAF8E32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

0150CEAF8E32.exeWINWORD.EXE

pid process

400 0150CEAF8E32.exe
400 0150CEAF8E32.exe
1720 WINWORD.EXE
1720 WINWORD.EXE
1720 WINWORD.EXE
1720 WINWORD.EXE

pid	process
400	0150CEAF8E32.exe
400	0150CEAF8E32.exe
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe0150CEAF8E32.exe0150CEAF8E32.execmd.exe

description	pid	process	target process
PID 4780 wrote to memory of 5104	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 5104	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 5104	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 4936	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 4936	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 4936	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 5112	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 5112	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 5112	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 4504	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 4504	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 4504	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 400	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	0150CEAF8E32.exe
PID 4780 wrote to memory of 400	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	0150CEAF8E32.exe
PID 4780 wrote to memory of 400	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	0150CEAF8E32.exe
PID 4780 wrote to memory of 2116	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 2116	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 2116	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 384	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 384	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 384	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 400 wrote to memory of 1608	400	0150CEAF8E32.exe	0150CEAF8E32.exe
PID 400 wrote to memory of 1608	400	0150CEAF8E32.exe	0150CEAF8E32.exe
PID 400 wrote to memory of 1608	400	0150CEAF8E32.exe	0150CEAF8E32.exe
PID 400 wrote to memory of 1608	400	0150CEAF8E32.exe	0150CEAF8E32.exe
PID 400 wrote to memory of 1608	400	0150CEAF8E32.exe	0150CEAF8E32.exe
PID 400 wrote to memory of 1608	400	0150CEAF8E32.exe	0150CEAF8E32.exe
PID 400 wrote to memory of 1608	400	0150CEAF8E32.exe	0150CEAF8E32.exe
PID 400 wrote to memory of 1608	400	0150CEAF8E32.exe	0150CEAF8E32.exe
PID 400 wrote to memory of 1608	400	0150CEAF8E32.exe	0150CEAF8E32.exe
PID 400 wrote to memory of 1608	400	0150CEAF8E32.exe	0150CEAF8E32.exe
PID 400 wrote to memory of 1608	400	0150CEAF8E32.exe	0150CEAF8E32.exe
PID 4780 wrote to memory of 1720	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	WINWORD.EXE
PID 4780 wrote to memory of 1720	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	WINWORD.EXE
PID 4780 wrote to memory of 1124	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 1124	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 4780 wrote to memory of 1124	4780	5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe	cmd.exe
PID 1608 wrote to memory of 4484	1608	0150CEAF8E32.exe	WMIC.exe
PID 1608 wrote to memory of 4484	1608	0150CEAF8E32.exe	WMIC.exe
PID 1608 wrote to memory of 4484	1608	0150CEAF8E32.exe	WMIC.exe
PID 1608 wrote to memory of 208	1608	0150CEAF8E32.exe	mshta.exe
PID 1608 wrote to memory of 208	1608	0150CEAF8E32.exe	mshta.exe
PID 1608 wrote to memory of 208	1608	0150CEAF8E32.exe	mshta.exe
PID 3016 wrote to memory of 1296	3016	cmd.exe	vssadmin.exe
PID 3016 wrote to memory of 1296	3016	cmd.exe	vssadmin.exe
PID 3016 wrote to memory of 4272	3016	cmd.exe	bcdedit.exe
PID 3016 wrote to memory of 4272	3016	cmd.exe	bcdedit.exe
PID 3016 wrote to memory of 4064	3016	cmd.exe	bcdedit.exe
PID 3016 wrote to memory of 4064	3016	cmd.exe	bcdedit.exe

outlook_win_path 1 IoCs

Processes:

0150CEAF8E32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	0150CEAF8E32.exe

C:\Users\Admin\AppData\Local\Temp\5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe
"C:\Users\Admin\AppData\Local\Temp\5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E32
  2⤵
  PID:5104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32" 0150CEAF8E32.exe
  2⤵
  PID:5112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo 3319E07358
  2⤵
  PID:4936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E32
  2⤵
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
  "C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
    C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops startup file
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    PID:1608
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4484
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      4⤵
      PID:208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\3319E07358" 3319E07358.doc
  2⤵
  PID:2116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E32
  2⤵
  PID:384
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3319E07358.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E323319E07358
  2⤵
  PID:1124

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1296
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4272
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32

Filesize
148KB

MD5
d1f6d486c4afb6aca38ee45ed8ae4e3c

SHA1
3343a6203db587c257252d5b493ea16d5ac93e13

SHA256
d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758

SHA512
634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe

Filesize
148KB

MD5
d1f6d486c4afb6aca38ee45ed8ae4e3c

SHA1
3343a6203db587c257252d5b493ea16d5ac93e13

SHA256
d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758

SHA512
634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe

Filesize
148KB

MD5
d1f6d486c4afb6aca38ee45ed8ae4e3c

SHA1
3343a6203db587c257252d5b493ea16d5ac93e13

SHA256
d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758

SHA512
634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3319E07358

Filesize
23KB

MD5
3d495e763086f50096365b14d0037cb0

SHA1
bf29341e57e15abf6d3433ebbaf7c3ecda33fa71

SHA256
bfe141ce37886121d25e706cc9217d8311e104016162eb23509d178f43fc2a46

SHA512
e896016bfbd30fa00ed3ea89062c51a6d490d54c543930d3b655c3270a5240a64c50ad0a42649f8e1621a429d6274f7c9e88aa168ba0178722acb669352da267

Download Submit
C:\Users\Admin\Desktop\VAULT.hta

Filesize
4KB

MD5
b71751d104ed8f256ae64a7d02821be0

SHA1
bc3e6ac19bf1431a5872597684b2982b8ba07d87

SHA256
6a37244fbabb6238f178c7b769b3d0f15c93d70fece941b416c8e71140538004

SHA512
b3bee8dd51f874f5677dbb37989077776d0169d97760395d38ab52ac422ce3a9db78df3970a6c1ac6e18538d8e014fc72f3481964976a5f26b2c7e63efe0ffdf

Download Submit
memory/208-161-0x0000000000000000-mapping.dmp

Download
memory/384-140-0x0000000000000000-mapping.dmp

Download
memory/400-146-0x0000000000590000-0x0000000000595000-memory.dmp

Filesize
20KB

Download
memory/400-136-0x0000000000000000-mapping.dmp

Download
memory/1124-147-0x0000000000000000-mapping.dmp

Download
memory/1296-164-0x0000000000000000-mapping.dmp

Download
memory/1608-153-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1608-150-0x0000000000F80000-0x0000000000F8F000-memory.dmp

Filesize
60KB

Download
memory/1608-142-0x0000000000400000-0x0000000000E28000-memory.dmp

Filesize
10.2MB

Download
memory/1608-167-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1608-148-0x0000000000400000-0x0000000000E28000-memory.dmp

Filesize
10.2MB

Download
memory/1608-141-0x0000000000000000-mapping.dmp

Download
memory/1608-149-0x0000000000400000-0x0000000000E28000-memory.dmp

Filesize
10.2MB

Download
memory/1720-154-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp

Filesize
64KB

Download
memory/1720-143-0x0000000000000000-mapping.dmp

Download
memory/1720-172-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp

Filesize
64KB

Download
memory/1720-171-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp

Filesize
64KB

Download
memory/1720-157-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp

Filesize
64KB

Download
memory/1720-158-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp

Filesize
64KB

Download
memory/1720-156-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp

Filesize
64KB

Download
memory/1720-155-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp

Filesize
64KB

Download
memory/1720-170-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp

Filesize
64KB

Download
memory/1720-160-0x00007FFA63940000-0x00007FFA63950000-memory.dmp

Filesize
64KB

Download
memory/1720-169-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp

Filesize
64KB

Download
memory/1720-163-0x00007FFA63940000-0x00007FFA63950000-memory.dmp

Filesize
64KB

Download
memory/2116-138-0x0000000000000000-mapping.dmp

Download
memory/4064-166-0x0000000000000000-mapping.dmp

Download
memory/4272-165-0x0000000000000000-mapping.dmp

Download
memory/4484-159-0x0000000000000000-mapping.dmp

Download
memory/4504-135-0x0000000000000000-mapping.dmp

Download
memory/4780-152-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4780-130-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4936-132-0x0000000000000000-mapping.dmp

Download
memory/5104-131-0x0000000000000000-mapping.dmp

Download
memory/5112-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads