Analysis

max time kernel:  174s
max time network: 178s
platform:         windows10-2004_x64
resource:         win10v2004-20220414-en
submitted:        25-06-2022 22:10

Static task: static1

Behavioral task: behavioral1
  Sample:   37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample:   37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe
  Resource: win10v2004-20220414-en

General

Target: 37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe
Size:   352KB
MD5:    2a6d24e8860bbd84be02f3062d16a753
SHA1:   f7d4cf1c34c98c365b6d0db5da54fffc1f6cf70d
SHA256: 37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1
SHA512: 602cd0a0d3d3fc7c55a21fc43672e5611044f450e10b13df597504867ef62d58dbef4e1730fdff4c1d0c7bfe6d43503de3827d3f407788e937e886593bd2412b
Malware Config

Extracted from: C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\_RECOVERY_+cwgom.txt
Family: teslacrypt
C2 URLs:
  http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E17F3E983B9C3E0
  http://tes543berda73i48fsdfsd.keratadze.at/E17F3E983B9C3E0
  http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E17F3E983B9C3E0
  http://xlowfznrg4wf7dli.ONION/E17F3E983B9C3E0
Signatures

TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE 2 IoCs
Processes:
  pid   Process
  4100  gielcxccwdtq.exe
  5076  gielcxccwdtq.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  gielcxccwdtq.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description      ioc                                                                                                                                                                                             Process
  Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                                        gielcxccwdtq.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wocmgoiwkgjw = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\gielcxccwdtq.exe\""  gielcxccwdtq.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description                          pid   Process                                                                procid_target
  PID 2172 set thread context of 3664  2172  37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe  79
  PID 4100 set thread context of 5076  4100  gielcxccwdtq.exe                                                       83
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
Processes:
  description                   ioc                           Process
  File created                  C:\Windows\gielcxccwdtq.exe   37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe
  File opened for modification  C:\Windows\gielcxccwdtq.exe   37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   Process           count
  5076  gielcxccwdtq.exe  64
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
  pid   Process                                                                Token(s)
  3664  37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe  SeDebugPrivilege
  5076  gielcxccwdtq.exe                                                       SeDebugPrivilege
  3836  WMIC.exe                                                               SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
                                                                               SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege,
                                                                               SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege,
                                                                               SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
                                                                               SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
                                                                               SeManageVolumePrivilege, 33, 34, 35, 36
                                                                               (this set of 21 tokens is recorded twice for PID 3836)
  4936  vssvc.exe                                                              SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
  description                       pid   Process                                                                procid_target  count
  PID 2172 wrote to memory of 3664  2172  37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe  79             9
  PID 3664 wrote to memory of 4100  3664  37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe  80             3
  PID 3664 wrote to memory of 1484  3664  37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe  81             3
  PID 4100 wrote to memory of 5076  4100  gielcxccwdtq.exe                                                       83             9
  PID 5076 wrote to memory of 3836  5076  gielcxccwdtq.exe                                                       84             2
System policy modification 1 TTPs 2 IoCs
Processes:
  description      ioc                                                                                           Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                    gielcxccwdtq.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  gielcxccwdtq.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe"
    PID: 2172
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1.exe"
        PID: 3664
        - Checks computer location settings
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\gielcxccwdtq.exe
            Command line: C:\Windows\gielcxccwdtq.exe
            PID: 4100
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\gielcxccwdtq.exe
                Command line: C:\Windows\gielcxccwdtq.exe
                PID: 5076
                - Executes dropped EXE
                - Checks computer location settings
                - Adds Run key to start application
                - Drops file in Program Files directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification

                [5] C:\Windows\System32\wbem\WMIC.exe
                    Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                    PID: 3836
                    - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\37C840~1.EXE
            PID: 1484

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 4936
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 352KB
MD5:      2a6d24e8860bbd84be02f3062d16a753
SHA1:     f7d4cf1c34c98c365b6d0db5da54fffc1f6cf70d
SHA256:   37c84094c452b235cc310346dea26829afe3e714383ccfa03beeaadd952200e1
SHA512:   602cd0a0d3d3fc7c55a21fc43672e5611044f450e10b13df597504867ef62d58dbef4e1730fdff4c1d0c7bfe6d43503de3827d3f407788e937e886593bd2412b