Analysis
  max time kernel: 169s
  max time network: 190s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 08-07-2022 03:34

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe
    Resource: win7-20220414-en
  Behavioral task: behavioral2
    Sample: 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe
    Resource: win10v2004-20220414-en

The behavioral results below come from behavioral2: the platform and resource in the Analysis header match the Windows 10 2004 task, not the Windows 7 one.
General
  Target: 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe
  Size: 344KB
  MD5: 1f311617d8a88f03e86576bd13680834
  SHA1: 53037f750f4c1cb4c527792c02b1878a5ffcf0e3
  SHA256: 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4
  SHA512: 0b5408aa72b44c2a11d97ad936600ac968f0d34d2dc242614cf15bf83fc27e6d066c164bc901b29c4e303f4a43e4839c9dd8a110ac32819f0eb5203cc1c39939
Malware Config
  Family: teslacrypt
  Extracted from: C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\_RECOVERY_+weknd.txt (the dropped ransom note)
  Payment/decryption portal URLs listed in the note; every host carries the same path segment, /E3274083A85CE13, which is the victim-specific code the note tells the user to present:
    http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/E3274083A85CE13
    http://tes543berda73i48fsdfsd.keratadze.at/E3274083A85CE13
    http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E3274083A85CE13
    http://xlowfznrg4wf7dli.ONION/E3274083A85CE13
Signatures

TeslaCrypt, AlphaCrypt
  Ransomware family that imitated CryptoLocker's ransom notes and branding rather than sharing its code. Its operators released the master decryption key and shut down in May 2016, so files encrypted by this family are recoverable without payment.

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
  Network signature matched on the sample's command-and-control beacon.

Deletes shadow copies (2 TTPs)
  Ransomware targets Volume Shadow Copies to inhibit recovery. Here the dropped binary (PID 1200) spawns WMIC.exe with "shadowcopy delete /nointeractive" (PID 1140, see the process tree), and the VSS service (vssvc.exe, PID 3780) enabling backup and restore privileges is the service-side half of that deletion.

Executes dropped EXE (2 IoCs)
  PID 1792  txbpwmaqhlij.exe
  PID 1200  txbpwmaqhlij.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  (421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  (txbpwmaqhlij.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run  (txbpwmaqhlij.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\klltmlnxphjk = "C:\Windows\system32\cmd.exe /c start "" "C:\Windows\txbpwmaqhlij.exe""  (txbpwmaqhlij.exe)
  Per-user persistence for the copy dropped in C:\Windows. The value does not point at the executable directly but launches it through cmd.exe /c start, so a Run-key check that only looks for suspicious image paths misses it; the command line has to be parsed.

Suspicious use of SetThreadContext (2 IoCs)
  PID 2964 (421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe) set thread context of PID 3212 (same image; target id 81)
  PID 1792 (txbpwmaqhlij.exe) set thread context of PID 1200 (same image; target id 89)
  In both cases a process starts a second copy of its own image, writes into it (see WriteProcessMemory below) and then resets its thread context. That is the process-hollowing style unpacking sequence, and the process tree confirms it: the substantive activity (registry changes, file drops, shadow-copy deletion) is performed by the children, PID 3212 and PID 1200, not by the parents that launched them.

Drops file in Program Files directory (64 IoCs)
  Process: txbpwmaqhlij.exe (all entries). The list mixes two things: ransom notes (_RECOVERY_+weknd.txt, .html and .png) written into each folder the encryptor visits, and existing files (7-Zip language files, Chrome's installer archive) opened for modification, i.e. encryption targets.
  File opened for modification:
    C:\Program Files\7-Zip\Lang\sl.txt
    C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\microsoft shared\ink\sv-SE\_RECOVERY_+weknd.html
    C:\Program Files\Common Files\microsoft shared\ink\_RECOVERY_+weknd.html
    C:\Program Files\Common Files\System\ado\it-IT\_RECOVERY_+weknd.png
    C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrome.7z
    C:\Program Files\7-Zip\Lang\ps.txt
    C:\Program Files\Common Files\microsoft shared\ink\ro-RO\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\System\msadc\fr-FR\_RECOVERY_+weknd.txt
    C:\Program Files\Common Files\System\ado\ja-JP\_RECOVERY_+weknd.html
    C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\_RECOVERY_+weknd.txt
    C:\Program Files\Common Files\microsoft shared\ink\bg-BG\_RECOVERY_+weknd.html
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\microsoft shared\ink\pt-PT\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\microsoft shared\ink\uk-UA\_RECOVERY_+weknd.html
    C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\_RECOVERY_+weknd.txt
    C:\Program Files\7-Zip\Lang\ky.txt
    C:\Program Files\Common Files\microsoft shared\ink\it-IT\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\microsoft shared\ink\pt-BR\_RECOVERY_+weknd.html
    C:\Program Files\Common Files\microsoft shared\ink\sv-SE\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\microsoft shared\ink\zh-TW\_RECOVERY_+weknd.txt
    C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\microsoft shared\OFFICE16\_RECOVERY_+weknd.txt
    C:\Program Files\7-Zip\Lang\sk.txt
    C:\Program Files\Common Files\microsoft shared\VSTO\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\System\ado\de-DE\_RECOVERY_+weknd.txt
    C:\Program Files\Common Files\microsoft shared\Triedit\_RECOVERY_+weknd.html
    C:\Program Files\Common Files\microsoft shared\MSInfo\_RECOVERY_+weknd.html
    C:\Program Files\Common Files\System\es-ES\_RECOVERY_+weknd.html
    C:\Program Files\Common Files\System\msadc\es-ES\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\System\Ole DB\ja-JP\_RECOVERY_+weknd.png
    C:\Program Files\7-Zip\Lang\br.txt
    C:\Program Files\7-Zip\Lang\uz.txt
    C:\Program Files\Common Files\System\msadc\ja-JP\_RECOVERY_+weknd.txt
    C:\Program Files\Common Files\microsoft shared\ink\sl-SI\_RECOVERY_+weknd.png
    C:\Program Files\7-Zip\Lang\de.txt
    C:\Program Files\7-Zip\Lang\ku-ckb.txt
    C:\Program Files\7-Zip\Lang\ca.txt
    C:\Program Files\Common Files\microsoft shared\ink\el-GR\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\microsoft shared\ink\nl-NL\_RECOVERY_+weknd.txt
    C:\Program Files\Common Files\microsoft shared\ink\da-DK\_RECOVERY_+weknd.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\_RECOVERY_+weknd.txt
    C:\Program Files\Common Files\microsoft shared\TextConv\en-US\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\microsoft shared\VC\_RECOVERY_+weknd.html
    C:\Program Files\Common Files\System\msadc\fr-FR\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\System\msadc\fr-FR\_RECOVERY_+weknd.html
    C:\Program Files\Common Files\microsoft shared\ink\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\microsoft shared\ink\es-ES\_RECOVERY_+weknd.html
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\_RECOVERY_+weknd.html
    C:\Program Files\Common Files\microsoft shared\ink\he-IL\_RECOVERY_+weknd.txt
    C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\_RECOVERY_+weknd.png
    C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\_RECOVERY_+weknd.png
    C:\Program Files\7-Zip\History.txt
    C:\Program Files\7-Zip\Lang\sa.txt
    C:\Program Files\Common Files\microsoft shared\VSTO\10.0\_RECOVERY_+weknd.png
    C:\Program Files\7-Zip\Lang\fr.txt
    C:\Program Files\Common Files\microsoft shared\ink\ja-JP\_RECOVERY_+weknd.txt
    C:\Program Files\Common Files\System\es-ES\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\System\Ole DB\it-IT\_RECOVERY_+weknd.html
    C:\Program Files\7-Zip\Lang\_RECOVERY_+weknd.txt
    C:\Program Files\Common Files\microsoft shared\ink\zh-CN\_RECOVERY_+weknd.html
    C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\_RECOVERY_+weknd.png
    C:\Program Files\Common Files\microsoft shared\ink\fr-CA\_RECOVERY_+weknd.html
    C:\Program Files\7-Zip\Lang\_RECOVERY_+weknd.png

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\txbpwmaqhlij.exe  (421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe)
  File opened for modification: C:\Windows\txbpwmaqhlij.exe  (421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage and optical drives; typical of ransomware looking for volumes to encrypt.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1200  txbpwmaqhlij.exe  (64 process-enumeration events by the same PID)

Suspicious use of AdjustPrivilegeToken (47 IoCs)
  PID 3212  421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe: SeDebugPrivilege
  PID 1200  txbpwmaqhlij.exe: SeDebugPrivilege
  PID 1140  WMIC.exe (the same 21 privileges enabled in two rounds, 42 events): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 3780  vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  The WMIC.exe entries are the tool's own start-up behaviour (it enables every privilege present in its token), so the malware-specific signal in this list is SeDebugPrivilege in the two payload processes. The numeric entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege.

Suspicious use of WriteProcessMemory (26 IoCs)
  PID 2964 (421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe) wrote to memory of PID 3212 (same image, target id 81): 9 writes
  PID 3212 (421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe) wrote to memory of PID 1792 (txbpwmaqhlij.exe, target id 82): 3 writes
  PID 3212 (421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe) wrote to memory of PID 4468 (cmd.exe, target id 83): 3 writes
  PID 1792 (txbpwmaqhlij.exe) wrote to memory of PID 1200 (same image, target id 89): 9 writes
  PID 1200 (txbpwmaqhlij.exe) wrote to memory of PID 1140 (WMIC.exe, target id 90): 2 writes

System policy modification (1 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  (txbpwmaqhlij.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  (txbpwmaqhlij.exe)
  EnableLinkedConnections makes network drives mapped under the user's standard token visible to the elevated (UAC-linked) token as well. Ransomware sets it so that mapped shares, which an elevated process would otherwise not see, can be reached and encrypted; a value of 1 under this key on a machine where no administrator configured it is a strong indicator on its own.
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe"
      PID 2964
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe  (child of 2964, same image)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe"
        PID 3212
        - Checks computer location settings
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\txbpwmaqhlij.exe  (child of 3212; the dropped copy)
          cmdline: C:\Windows\txbpwmaqhlij.exe
          PID 1792
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\txbpwmaqhlij.exe  (child of 1792, same image; does the encryption)
            cmdline: C:\Windows\txbpwmaqhlij.exe
            PID 1200
            - Executes dropped EXE
            - Checks computer location settings
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
          [5] C:\Windows\System32\wbem\WMIC.exe  (child of 1200)
              cmdline: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
              PID 1140
              - Suspicious use of AdjustPrivilegeToken
      [3] C:\Windows\SysWOW64\cmd.exe  (child of 3212)
          cmdline: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\421F75~1.EXE
          PID 4468
          Deletes the original sample from %TEMP% once the copy in C:\Windows is running. The image path is SysWOW64 although the command line says system32: WoW64 file-system redirection, which tells us the parent (PID 3212) is a 32-bit process.
  [1] C:\Windows\system32\vssvc.exe  (Volume Shadow Copy service; no parent in the tree because it is service-hosted)
      cmdline: C:\Windows\system32\vssvc.exe
      PID 3780
      - Suspicious use of AdjustPrivilegeToken
      Handles the shadowcopy delete request issued by WMIC.exe (PID 1140).
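The behaviours recorded above (a process spawning and re-contexting a copy of its own image, shadow-copy deletion through WMIC, a Run key that launches its target through cmd /c start, EnableLinkedConnections set to 1, and the same ransom-note name dropped into one directory after another) map directly onto host-based detection rules. The Python below is an added example, not part of the sandbox report or of any vendor product: it runs those rules over a constructed, Sysmon-like event list modelled on this report's process tree, registry writes and file drops. The event schema (event, pid, ppid, image, cmdline, target, key, value, path), the missing parent of the root process, the particular set of note directories, and the vssadmin variant in the shadow-copy rule are assumptions added for illustration; the PIDs, images, registry keys and command lines are the report's.

```python
"""Host-based detection rules for the behaviours in this TeslaCrypt report.

Added example, not part of the sandbox report.  EVENTS is constructed to
mirror the report (PIDs, images, registry keys, command lines) in an assumed
Sysmon-like schema; real telemetry would need a small adapter in front.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4.exe")
DROPPED = r"C:\Windows\txbpwmaqhlij.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"

# Constructed events.  ppid None for the root: its parent is not in the report.
EVENTS = [
    {"event": "process_create", "pid": 2964, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"event": "process_create", "pid": 3212, "ppid": 2964, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"event": "set_thread_context", "pid": 2964, "target": 3212},
    {"event": "process_create", "pid": 1792, "ppid": 3212, "image": DROPPED, "cmdline": DROPPED},
    {"event": "process_create", "pid": 4468, "ppid": 3212, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\421F75~1.EXE'},
    {"event": "process_create", "pid": 1200, "ppid": 1792, "image": DROPPED, "cmdline": DROPPED},
    {"event": "set_thread_context", "pid": 1792, "target": 1200},
    {"event": "registry_set", "pid": 1200,
     "key": r"HKU\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\klltmlnxphjk",
     "value": r'C:\Windows\system32\cmd.exe /c start "" "C:\Windows\txbpwmaqhlij.exe"'},
    {"event": "registry_set", "pid": 1200,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "value": "1"},
    {"event": "process_create", "pid": 1140, "ppid": 1200, "image": WMIC,
     "cmdline": f'"{WMIC}" shadowcopy delete /nointeractive'},
]
# Ransom notes: one copy of each note per visited folder, as the report's
# "Drops file in Program Files directory" list shows.  Five folders, assumed.
_NOTE_ROOT = PureWindowsPath(r"C:\Program Files\Common Files\microsoft shared\ink")
EVENTS += [{"event": "file_write", "pid": 1200, "path": str(_NOTE_ROOT / loc / f"_RECOVERY_+weknd.{ext}")}
           for loc in ("sv-SE", "ro-RO", "bg-BG", "uk-UA", "pt-PT") for ext in ("txt", "html", "png")]

# wmic shadowcopy delete is what this sample ran; vssadmin delete shadows is
# the equally common equivalent and is included as a generalisation.
SHADOW_DELETE = re.compile(
    r"wmic(?:\.exe)?\b.*\bshadowcopy\s+delete|vssadmin(?:\.exe)?\b.*\bdelete\s+shadows", re.IGNORECASE)
# cmd /c start "" "<path>": the indirection used by the Run key above.
CMD_START = re.compile(r'cmd(?:\.exe)?\s+/c\s+start\s+""\s+"(?P<target>[^"]+)"', re.IGNORECASE)


def self_injection(events):
    """(parent, child) pairs where a process spawns its own image and then calls
    SetThreadContext on that child: the hollowing-style unpacking seen twice here."""
    creates = [e for e in events if e["event"] == "process_create"]
    image = {e["pid"]: e["image"] for e in creates}
    parent = {e["pid"]: e["ppid"] for e in creates}
    return [(e["pid"], e["target"]) for e in events
            if e["event"] == "set_thread_context"
            and parent.get(e["target"]) == e["pid"]
            and image.get(e["pid"]) == image.get(e["target"])]


def shadow_copy_deletion(events):
    """PIDs whose command line deletes VSS shadow copies."""
    return [e["pid"] for e in events
            if e["event"] == "process_create" and SHADOW_DELETE.search(e["cmdline"])]


def run_key_launchers(events):
    """(value name, launched path) for Run-key values that start a binary via cmd /c start."""
    hits = []
    for e in events:
        if e["event"] != "registry_set" or "\\CurrentVersion\\Run\\" not in e["key"]:
            continue
        m = CMD_START.search(e["value"])
        if m:
            hits.append((e["key"].rsplit("\\", 1)[1], m.group("target")))
    return hits


def linked_connections_enabled(events):
    """True when EnableLinkedConnections is set to 1 under Policies\\System."""
    return any(e["event"] == "registry_set"
               and e["key"].lower().endswith(r"\policies\system\enablelinkedconnections")
               and str(e["value"]) == "1" for e in events)


def ransom_note_spread(events, min_dirs=5):
    """File names one process wrote into at least min_dirs distinct directories.
    Ransom notes are dropped per folder; ordinary documents are not."""
    dirs = defaultdict(set)
    for e in events:
        if e["event"] == "file_write":
            p = PureWindowsPath(e["path"])
            dirs[(e["pid"], p.name)].add(str(p.parent))
    return sorted({name for (_, name), d in dirs.items() if len(d) >= min_dirs})


def triage(events):
    """Run every rule over one event stream."""
    return {"self_injection": self_injection(events),
            "shadow_copy_deletion": shadow_copy_deletion(events),
            "run_key_launchers": run_key_launchers(events),
            "linked_connections": linked_connections_enabled(events),
            "ransom_notes": ransom_note_spread(events)}


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule:22} {hits}")
```

Each rule is deliberately independent so that a miss on one (a sample that uses vssadmin, or a Run key written by a different PID) does not suppress the others; the self-injection rule keys on parent/child image equality plus SetThreadContext, which is what distinguishes the unpacking step here from ordinary multi-process applications.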
Downloads
  Filesize: 344KB
  MD5: 1f311617d8a88f03e86576bd13680834
  SHA1: 53037f750f4c1cb4c527792c02b1878a5ffcf0e3
  SHA256: 421f75f77c368d6cddcc41d6b90583d23c7a4bdcff60fef41c465758d36995e4
  SHA512: 0b5408aa72b44c2a11d97ad936600ac968f0d34d2dc242614cf15bf83fc27e6d066c164bc901b29c4e303f4a43e4839c9dd8a110ac32819f0eb5203cc1c39939