Analysis
max time kernel: 151s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2022 15:17
Static task: static1
Behavioral task: behavioral1
  Sample: 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe
  Resource: win10v2004-20220718-en
General
Target: 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe
Size: 344KB
MD5: 3403d7a8943208af02fcfdc6f78cbfc5
SHA1: 7a0ed12ec4df575dd2b5e6105d3febe5aa10bdfe
SHA256: 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5
SHA512: d9d7ed904dfdfb80fff705a50f00a01728a469e40f4aad2ee7f74dd45882775db04b2976a70d747f5b43feba7412d54adde1644ed908de3f600c100852ad2196
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-2783062828-828903012-4218294845-1000\_RECOVERY_+dexld.txt
Family: teslacrypt
URLs:
- http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/14F361DAB091E6
- http://tes543berda73i48fsdfsd.keratadze.at/14F361DAB091E6
- http://tt54rfdjhb34rfbnknaerg.milerteddy.com/14F361DAB091E6
- http://xlowfznrg4wf7dli.ONION/14F361DAB091E6
Signatures
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  pid  | Process
  4628 | oelpymieucps.exe
  2512 | oelpymieucps.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                   | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Control Panel\International\Geo\Nation | 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Control Panel\International\Geo\Nation | oelpymieucps.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc | Process
  Key created     | \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Software\Microsoft\Windows\CurrentVersion\Run | oelpymieucps.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpbbiptqxseb = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\oelpymieucps.exe\"" | oelpymieucps.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description                         | pid  | Process                                                              | procid_target
  PID 3632 set thread context of 2264 | 3632 | 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe | 78
  PID 4628 set thread context of 2512 | 4628 | oelpymieucps.exe                                                     | 82
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (2 IoCs)
  description                  | ioc                         | Process
  File created                 | C:\Windows\oelpymieucps.exe | 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe
  File opened for modification | C:\Windows\oelpymieucps.exe | 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  2512 | oelpymieucps.exe   (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (47 IoCs)
  description                            | pid  | Process
  Token: SeDebugPrivilege                | 2264 | 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe
  Token: SeDebugPrivilege                | 2512 | oelpymieucps.exe
  Token: SeIncreaseQuotaPrivilege        | 4300 | WMIC.exe
  Token: SeSecurityPrivilege             | 4300 | WMIC.exe
  Token: SeTakeOwnershipPrivilege        | 4300 | WMIC.exe
  Token: SeLoadDriverPrivilege           | 4300 | WMIC.exe
  Token: SeSystemProfilePrivilege        | 4300 | WMIC.exe
  Token: SeSystemtimePrivilege           | 4300 | WMIC.exe
  Token: SeProfSingleProcessPrivilege    | 4300 | WMIC.exe
  Token: SeIncBasePriorityPrivilege      | 4300 | WMIC.exe
  Token: SeCreatePagefilePrivilege       | 4300 | WMIC.exe
  Token: SeBackupPrivilege               | 4300 | WMIC.exe
  Token: SeRestorePrivilege              | 4300 | WMIC.exe
  Token: SeShutdownPrivilege             | 4300 | WMIC.exe
  Token: SeDebugPrivilege                | 4300 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege    | 4300 | WMIC.exe
  Token: SeRemoteShutdownPrivilege       | 4300 | WMIC.exe
  Token: SeUndockPrivilege               | 4300 | WMIC.exe
  Token: SeManageVolumePrivilege         | 4300 | WMIC.exe
  Token: 33                              | 4300 | WMIC.exe
  Token: 34                              | 4300 | WMIC.exe
  Token: 35                              | 4300 | WMIC.exe
  Token: 36                              | 4300 | WMIC.exe
  (the 21 WMIC.exe entries above are recorded a second time, identically, for PID 4300)
  Token: SeBackupPrivilege               | 440  | vssvc.exe
  Token: SeRestorePrivilege              | 440  | vssvc.exe
  Token: SeAuditPrivilege                | 440  | vssvc.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  description                      | pid  | Process                                                              | procid_target | entries
  PID 3632 wrote to memory of 2264 | 3632 | 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe | 78            | 9
  PID 2264 wrote to memory of 4628 | 2264 | 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe | 79            | 3
  PID 2264 wrote to memory of 4712 | 2264 | 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe | 80            | 3
  PID 4628 wrote to memory of 2512 | 4628 | oelpymieucps.exe                                                     | 82            | 9
  PID 2512 wrote to memory of 4300 | 2512 | oelpymieucps.exe                                                     | 83            | 2
- System policy modification (1 TTPs, 2 IoCs)
  description     | ioc                                                                                                   | Process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                            | oelpymieucps.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | oelpymieucps.exe
Processes (tree; indentation follows the depth reported by the sandbox)
C:\Users\Admin\AppData\Local\Temp\4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe"
  PID: 3632
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5.exe"
      PID: 2264
      signatures: Checks computer location settings; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        C:\Windows\oelpymieucps.exe
          command line: C:\Windows\oelpymieucps.exe
          PID: 4628
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            C:\Windows\oelpymieucps.exe
              command line: C:\Windows\oelpymieucps.exe
              PID: 2512
              signatures: Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
                C:\Windows\System32\wbem\WMIC.exe
                  command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                  PID: 4300
                  signatures: Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4F2928~1.EXE
          PID: 4712
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 440
  signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 344KB
  MD5: 3403d7a8943208af02fcfdc6f78cbfc5
  SHA1: 7a0ed12ec4df575dd2b5e6105d3febe5aa10bdfe
  SHA256: 4f292888693babedc7ebc4f904a2a898dd9d128c0213bf472a50c405fb3b4fc5
  SHA512: d9d7ed904dfdfb80fff705a50f00a01728a469e40f4aad2ee7f74dd45882775db04b2976a70d747f5b43feba7412d54adde1644ed908de3f600c100852ad2196