Analysis
-
max time kernel
151s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
12-07-2022 05:17
Static task
static1
Behavioral task
behavioral1
Sample
4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe
-
Size
388KB
-
MD5
596cbbbf42f77c3b512ad0277718329d
-
SHA1
5bc4358cbbea466e2d661c53cf7b5cb83e34feed
-
SHA256
4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa
-
SHA512
8db5bf21f28031adbc1355116bbcb75c44e911ef4e43ed17570293d1f3e83694c67254ff1958850e65c065a2d4cfdec3297358647a35f8470905459a1fb07dd7
Score
10/10
Malware Config
Extracted
Path
C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\Recovery+eswgp.txt
Family
teslacrypt
Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/431F5092339AA2F8
2. http://kkd47eh4hdjshb5t.angortra.at/431F5092339AA2F8
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/431F5092339AA2F8
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/431F5092339AA2F8
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/431F5092339AA2F8
http://kkd47eh4hdjshb5t.angortra.at/431F5092339AA2F8
http://ytrest84y5i456hghadefdsd.pontogrot.com/431F5092339AA2F8
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/431F5092339AA2F8
URLs
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/431F5092339AA2F8
http://kkd47eh4hdjshb5t.angortra.at/431F5092339AA2F8
http://ytrest84y5i456hghadefdsd.pontogrot.com/431F5092339AA2F8
http://xlowfznrg4wf7dli.ONION/431F5092339AA2F8
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
axseexqqmgwk.exeaxseexqqmgwk.exepid Process 2040 axseexqqmgwk.exe 888 axseexqqmgwk.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid Process 796 cmd.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
axseexqqmgwk.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run axseexqqmgwk.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\sgsuatnymxpv = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\axseexqqmgwk.exe\"" axseexqqmgwk.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exeaxseexqqmgwk.exedescription pid Process procid_target PID 1984 set thread context of 1120 1984 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 27 PID 2040 set thread context of 888 2040 axseexqqmgwk.exe 31 -
Drops file in Program Files directory 64 IoCs
Processes:
axseexqqmgwk.exedescription ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ms.pak axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\de-DE\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\Internet Explorer\SIGNUP\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\README.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Microsoft Games\More Games\es-ES\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Common Files\System\ado\ja-JP\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png axseexqqmgwk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png axseexqqmgwk.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg axseexqqmgwk.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\af\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\es-ES\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png axseexqqmgwk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png axseexqqmgwk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png axseexqqmgwk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\7-Zip\Lang\ug.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoBeta.png axseexqqmgwk.exe File opened for modification C:\Program Files\DVD Maker\it-IT\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv axseexqqmgwk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Microsoft Games\Chess\de-DE\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png axseexqqmgwk.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\de-DE\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\it-IT\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\en-US\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\Recovery+eswgp.png axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Recovery+eswgp.txt axseexqqmgwk.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\fr-FR\Recovery+eswgp.html axseexqqmgwk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\Recovery+eswgp.png axseexqqmgwk.exe -
Drops file in Windows directory 2 IoCs
Processes:
4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exedescription ioc Process File created C:\Windows\axseexqqmgwk.exe 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe File opened for modification C:\Windows\axseexqqmgwk.exe 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
axseexqqmgwk.exedescription ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e axseexqqmgwk.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e axseexqqmgwk.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e axseexqqmgwk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 axseexqqmgwk.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
axseexqqmgwk.exepid Process 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe 888 axseexqqmgwk.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes:
4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exeaxseexqqmgwk.exeWMIC.exedescription pid Process Token: SeDebugPrivilege 1120 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe Token: SeDebugPrivilege 888 axseexqqmgwk.exe Token: SeIncreaseQuotaPrivilege 1396 WMIC.exe Token: SeSecurityPrivilege 1396 WMIC.exe Token: SeTakeOwnershipPrivilege 1396 WMIC.exe Token: SeLoadDriverPrivilege 1396 WMIC.exe Token: SeSystemProfilePrivilege 1396 WMIC.exe Token: SeSystemtimePrivilege 1396 WMIC.exe Token: SeProfSingleProcessPrivilege 1396 WMIC.exe Token: SeIncBasePriorityPrivilege 1396 WMIC.exe Token: SeCreatePagefilePrivilege 1396 WMIC.exe Token: SeBackupPrivilege 1396 WMIC.exe Token: SeRestorePrivilege 1396 WMIC.exe Token: SeShutdownPrivilege 1396 WMIC.exe Token: SeDebugPrivilege 1396 WMIC.exe Token: SeSystemEnvironmentPrivilege 1396 WMIC.exe Token: SeRemoteShutdownPrivilege 1396 WMIC.exe Token: SeUndockPrivilege 1396 WMIC.exe Token: SeManageVolumePrivilege 1396 WMIC.exe Token: 33 1396 WMIC.exe Token: 34 1396 WMIC.exe Token: 35 1396 WMIC.exe -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exeaxseexqqmgwk.exeaxseexqqmgwk.exedescription pid Process procid_target PID 1984 wrote to memory of 1120 1984 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 27 PID 1984 wrote to memory of 1120 1984 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 27 PID 1984 wrote to memory of 1120 1984 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 27 PID 1984 wrote to memory of 1120 1984 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 27 PID 1984 wrote to memory of 1120 1984 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 27 PID 1984 wrote to memory of 1120 1984 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 27 PID 1984 wrote to memory of 1120 1984 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 27 PID 1984 wrote to memory of 1120 1984 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 27 PID 1984 wrote to memory of 1120 1984 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 27 PID 1984 wrote to memory of 1120 1984 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 27 PID 1984 wrote to memory of 1120 1984 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 27 PID 1120 wrote to memory of 2040 1120 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 28 PID 1120 wrote to memory of 2040 1120 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 28 PID 1120 wrote to memory of 2040 1120 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 28 PID 1120 wrote to memory of 2040 1120 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 28 PID 1120 wrote to memory of 796 1120 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 29 PID 1120 wrote to memory of 796 1120 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 29 PID 1120 wrote to memory of 796 1120 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 29 PID 1120 wrote to memory of 796 1120 4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe 29 PID 2040 wrote to memory of 888 2040 axseexqqmgwk.exe 31 PID 2040 wrote to memory of 888 2040 axseexqqmgwk.exe 31 PID 2040 wrote to memory of 888 2040 axseexqqmgwk.exe 31 PID 2040 wrote to memory of 888 2040 axseexqqmgwk.exe 31 PID 2040 wrote to memory of 888 2040 axseexqqmgwk.exe 31 PID 2040 wrote to memory of 888 2040 axseexqqmgwk.exe 31 PID 2040 wrote to memory of 888 2040 axseexqqmgwk.exe 31 PID 2040 wrote to memory of 888 2040 axseexqqmgwk.exe 31 PID 2040 wrote to memory of 888 2040 axseexqqmgwk.exe 31 PID 2040 wrote to memory of 888 2040 axseexqqmgwk.exe 31 PID 2040 wrote to memory of 888 2040 axseexqqmgwk.exe 31 PID 888 wrote to memory of 1396 888 axseexqqmgwk.exe 32 PID 888 wrote to memory of 1396 888 axseexqqmgwk.exe 32 PID 888 wrote to memory of 1396 888 axseexqqmgwk.exe 32 PID 888 wrote to memory of 1396 888 axseexqqmgwk.exe 32 -
System policy modification 1 TTPs 2 IoCs
Processes:
axseexqqmgwk.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" axseexqqmgwk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System axseexqqmgwk.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe"C:\Users\Admin\AppData\Local\Temp\4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe"C:\Users\Admin\AppData\Local\Temp\4cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa.exe"2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\axseexqqmgwk.exeC:\Windows\axseexqqmgwk.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\axseexqqmgwk.exeC:\Windows\axseexqqmgwk.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:888 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1396
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4CBB26~1.EXE3⤵
- Deletes itself
PID:796
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
388KB
MD5596cbbbf42f77c3b512ad0277718329d
SHA15bc4358cbbea466e2d661c53cf7b5cb83e34feed
SHA2564cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa
SHA5128db5bf21f28031adbc1355116bbcb75c44e911ef4e43ed17570293d1f3e83694c67254ff1958850e65c065a2d4cfdec3297358647a35f8470905459a1fb07dd7
-
Filesize
388KB
MD5596cbbbf42f77c3b512ad0277718329d
SHA15bc4358cbbea466e2d661c53cf7b5cb83e34feed
SHA2564cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa
SHA5128db5bf21f28031adbc1355116bbcb75c44e911ef4e43ed17570293d1f3e83694c67254ff1958850e65c065a2d4cfdec3297358647a35f8470905459a1fb07dd7
-
Filesize
388KB
MD5596cbbbf42f77c3b512ad0277718329d
SHA15bc4358cbbea466e2d661c53cf7b5cb83e34feed
SHA2564cbb264537f6d1082bdfabf35cd3f901832e1c03b47e45390126689b89f183aa
SHA5128db5bf21f28031adbc1355116bbcb75c44e911ef4e43ed17570293d1f3e83694c67254ff1958850e65c065a2d4cfdec3297358647a35f8470905459a1fb07dd7