Analysis
max time kernel: 130s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-07-2022 04:16
Static task: static1
Behavioral task: behavioral1
Sample: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
Resource: win7-20220414-en
General
Target: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
Size: 568KB
MD5: f040245046d2f8db8a02400f6416122f
SHA1: baaefd2b0624f910c010587b0b45dde7b691dd7e
SHA256: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89
SHA512: 4680860d5607ef4cd9b93d9c33516805040e6a4999109c7cee124755c8334c726c81072423d62abd5240400e5b451f329d7d24f5a9c501b931bfebec01a35809
Malware Config
Extracted
C:\MBVGK-DECRYPT.txt
http://gandcrabmfe6mnef.onion/a53076ae950c11d
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\FindInitialize.png => C:\Users\Admin\Pictures\FindInitialize.png.mbvgk | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File renamed | C:\Users\Admin\Pictures\HideDisable.png => C:\Users\Admin\Pictures\HideDisable.png.mbvgk | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Users\Admin\Pictures\StartConvertFrom.tiff | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File renamed | C:\Users\Admin\Pictures\StartConvertFrom.tiff => C:\Users\Admin\Pictures\StartConvertFrom.tiff.mbvgk | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File renamed | C:\Users\Admin\Pictures\WatchAssert.raw => C:\Users\Admin\Pictures\WatchAssert.raw.mbvgk | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File renamed | C:\Users\Admin\Pictures\AssertExpand.tif => C:\Users\Admin\Pictures\AssertExpand.tif.mbvgk | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File renamed | C:\Users\Admin\Pictures\BackupResize.tif => C:\Users\Admin\Pictures\BackupResize.tif.mbvgk | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File renamed | C:\Users\Admin\Pictures\ConvertClear.crw => C:\Users\Admin\Pictures\ConvertClear.crw.mbvgk | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
-
Drops startup file 2 IoCs
Processes:
41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\MBVGK-DECRYPT.txt | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\e950c6fee950c11c20.lock | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
description | ioc | process
File opened (read-only) | \??\E: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\H: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\I: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\J: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\Q: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\Y: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\B: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\F: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\M: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\R: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\S: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\T: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\U: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\A: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\O: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\P: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\W: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\X: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\Z: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\G: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\K: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\L: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\N: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened (read-only) | \??\V: | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
description | pid | process | target process
PID 4216 set thread context of 2224 | 4216 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
-
Drops file in Program Files directory 30 IoCs
Processes:
41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
description | ioc | process
File opened for modification | C:\Program Files\CompareRequest.rar | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\CompressWrite.midi | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\InstallUnprotect.clr | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\StepGrant.pot | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File created | C:\Program Files\e950c6fee950c11c20.lock | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\ApproveInvoke.dib | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\JoinConvertTo.mp4 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\SubmitDebug.m4v | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\UseResolve.avi | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File created | C:\Program Files (x86)\MBVGK-DECRYPT.txt | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\CheckpointSubmit.vst | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\ReceiveLimit.docx | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\RemoveCopy.m3u | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File created | C:\Program Files (x86)\e950c6fee950c11c20.lock | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\DisableExpand.mpeg2 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\ImportSave.avi | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\SaveWait.ppt | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File created | C:\Program Files\MBVGK-DECRYPT.txt | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\CompareOpen.avi | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\NewConvertTo.vdw | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\CompressOptimize.dotm | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\RestoreRequest.xlsm | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\CompleteRestart.ADT | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\ConnectConvert.xls | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\EnableRemove.xlsm | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\DisconnectPush.001 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\EnterOpen.bmp | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\JoinSync.ttf | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\LockGrant.ps1xml | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
File opened for modification | C:\Program Files\SaveRestore.vsdm | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
-
Modifies system certificate store
Processes:
41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = <certificate blob omitted> | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = <certificate blob omitted> | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = <certificate blob omitted> | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = <certificate blob omitted> | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
pid | process
2224 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
2224 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
2224 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
2224 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
wmic.exe, vssvc.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 1240 | wmic.exe
Token: SeSecurityPrivilege | 1240 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1240 | wmic.exe
Token: SeLoadDriverPrivilege | 1240 | wmic.exe
Token: SeSystemProfilePrivilege | 1240 | wmic.exe
Token: SeSystemtimePrivilege | 1240 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1240 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1240 | wmic.exe
Token: SeCreatePagefilePrivilege | 1240 | wmic.exe
Token: SeBackupPrivilege | 1240 | wmic.exe
Token: SeRestorePrivilege | 1240 | wmic.exe
Token: SeShutdownPrivilege | 1240 | wmic.exe
Token: SeDebugPrivilege | 1240 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1240 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1240 | wmic.exe
Token: SeUndockPrivilege | 1240 | wmic.exe
Token: SeManageVolumePrivilege | 1240 | wmic.exe
Token: 33 | 1240 | wmic.exe
Token: 34 | 1240 | wmic.exe
Token: 35 | 1240 | wmic.exe
Token: 36 | 1240 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 1240 | wmic.exe
Token: SeSecurityPrivilege | 1240 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1240 | wmic.exe
Token: SeLoadDriverPrivilege | 1240 | wmic.exe
Token: SeSystemProfilePrivilege | 1240 | wmic.exe
Token: SeSystemtimePrivilege | 1240 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1240 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1240 | wmic.exe
Token: SeCreatePagefilePrivilege | 1240 | wmic.exe
Token: SeBackupPrivilege | 1240 | wmic.exe
Token: SeRestorePrivilege | 1240 | wmic.exe
Token: SeShutdownPrivilege | 1240 | wmic.exe
Token: SeDebugPrivilege | 1240 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1240 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1240 | wmic.exe
Token: SeUndockPrivilege | 1240 | wmic.exe
Token: SeManageVolumePrivilege | 1240 | wmic.exe
Token: 33 | 1240 | wmic.exe
Token: 34 | 1240 | wmic.exe
Token: 35 | 1240 | wmic.exe
Token: 36 | 1240 | wmic.exe
Token: SeBackupPrivilege | 364 | vssvc.exe
Token: SeRestorePrivilege | 364 | vssvc.exe
Token: SeAuditPrivilege | 364 | vssvc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
pid | process
4216 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe, 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
description | pid | process | target process
PID 4216 wrote to memory of 2224 | 4216 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
PID 4216 wrote to memory of 2224 | 4216 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
PID 4216 wrote to memory of 2224 | 4216 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
PID 2224 wrote to memory of 1240 | 2224 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | wmic.exe
PID 2224 wrote to memory of 1240 | 2224 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | wmic.exe
PID 2224 wrote to memory of 1240 | 2224 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | wmic.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe"
      - Modifies extensions of user files
      - Checks computer location settings
      - Drops startup file
      - Enumerates connected drives
      - Sets desktop wallpaper using registry
      - Drops file in Program Files directory
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\wbem\wmic.exe
         Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
         - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1240-138-0x0000000000000000-mapping.dmp
memory/2224-133-0x0000000000000000-mapping.dmp
memory/2224-136-0x0000000077290000-0x0000000077433000-memory.dmp (Filesize 1.6MB)
memory/2224-137-0x0000000077290000-0x0000000077433000-memory.dmp (Filesize 1.6MB)
memory/4216-132-0x00000000021C0000-0x00000000021C8000-memory.dmp (Filesize 32KB)
memory/4216-134-0x0000000077290000-0x0000000077433000-memory.dmp (Filesize 1.6MB)