Analysis
max time kernel   175s
max time network  182s
platform          windows10-2004_x64
resource          win10v2004-20220718-en
resource tags     arch:x64  arch:x86  image:win10v2004-20220718-en  locale:en-us  os:windows10-2004-x64  system
submitted         20-07-2022 17:13
Static task       static1
Behavioral task   behavioral1
  Sample          4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe
  Resource        win7-20220718-en
Behavioral task   behavioral2
  Sample          4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe
  Resource        win10v2004-20220718-en
General
Target  4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe
Size    375KB
MD5     47a349dd2ab3dde3fa0ec7c7364dd794
SHA1    84f7080c82e16ff7ad72e86f949fefe6af567625
SHA256  4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69
SHA512  0fd9e1ce3ac5c89c69d268f981f7171a70dace77c1ec83bd1454312ab4cb3c7fd34e1e83853fff16c1395bacbd8c63a583eecc3ca9fbe7b4b406b4d6c3c8aa59
Malware Config
Extracted from  C:\$Recycle.Bin\S-1-5-21-1178428168-2939480073-3055857545-1000\_RECoVERY_+rpfbj.txt
Family          teslacrypt
Gateway URLs (three clearnet hosts and one Tor hidden service; all four share the same path component, 8050C061CF654DD2):
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/8050C061CF654DD2
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8050C061CF654DD2
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/8050C061CF654DD2
http://xlowfznrg4wf7dli.ONION/8050C061CF654DD2
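The Python below is an added example, not code from the sandbox or from the malware. It pulls the gateway URLs out of ransom-note text, separates the Tor host from the clearnet hosts, checks that every URL carries the same trailing identifier (treated here as the per-victim ID, which is an assumption), and recognises the note file names listed further down in this report (`_RECoVERY_+<tag>.txt`, `.html`, `.png`) so a file listing can be grouped by the directories the encryptor visited. The note body is constructed filler around the four URLs from the extracted config; the file-name pattern is generalised from this report and may not hold for other TeslaCrypt builds.

```python
"""Extract gateways and victim ID from a TeslaCrypt-style ransom note.

Added example for this report; not sandbox or malware code. SAMPLE_NOTE is
constructed filler around the four gateway URLs the report extracted from
_RECoVERY_+rpfbj.txt. NOTE_NAME_RE is generalised from the note names this
report lists and is an assumption for other variants.
"""
import re
from urllib.parse import urlparse

# Constructed note text: only the URLs come from the report.
SAMPLE_NOTE = """Your files have been encrypted.
To recover them open one of the following links in your browser:
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/8050C061CF654DD2
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/8050C061CF654DD2
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/8050C061CF654DD2
If the links do not open, use the Tor address:
http://xlowfznrg4wf7dli.ONION/8050C061CF654DD2
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# _RECoVERY_+<tag>.<ext>; the tag (here "rpfbj") is per infection.
NOTE_NAME_RE = re.compile(r"^_RECoVERY_\+(?P<tag>[A-Za-z0-9]+)\.(?:txt|html|png)$")


def extract_urls(text):
    """Every http(s) URL in the note, in document order."""
    return URL_RE.findall(text)


def gateway_record(url):
    """Host, network class and trailing path identifier for one gateway."""
    p = urlparse(url)
    host = (p.hostname or "").lower()          # hostname is case-folded (.ONION -> .onion)
    path = p.path.strip("/")
    return {
        "url": url,
        "host": host,
        "onion": host.endswith(".onion"),
        "victim_id": path.split("/")[-1] if path else "",
    }


def parse_note(text):
    """Split gateways by network and report the identifier they share.

    consistent is False when the URLs carry different identifiers, which
    means either notes from more than one infection were concatenated or the
    URL regex picked up an unrelated link.
    """
    records = [gateway_record(u) for u in extract_urls(text)]
    ids = sorted({r["victim_id"] for r in records if r["victim_id"]})
    return {
        "victim_id": ids[0] if len(ids) == 1 else None,
        "victim_ids": ids,
        "consistent": len(ids) == 1,
        "onion": [r["host"] for r in records if r["onion"]],
        "clearnet": [r["host"] for r in records if not r["onion"]],
    }


def note_tag(path):
    """Per-infection tag from a ransom-note file name or path, else None."""
    m = NOTE_NAME_RE.match(path.rsplit("\\", 1)[-1])
    return m.group("tag") if m else None


def find_notes(paths):
    """Group ransom notes in a Windows path listing by directory.

    Each directory the encryptor traversed gets one entry holding the set of
    tags seen there, so a listing like the report's IoC table collapses to
    the list of affected directories.
    """
    by_dir = {}
    for p in paths:
        tag = note_tag(p)
        if tag:
            by_dir.setdefault(p.rsplit("\\", 1)[0], set()).add(tag)
    return by_dir


if __name__ == "__main__":
    print(parse_note(SAMPLE_NOTE))
```

Feed `find_notes` the "File opened for modification" paths from the IoC table below and the result is the set of directories that received a note, with the non-note entries (language packs, images, .css files) filtered out.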
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware family that imitated CryptoLocker's ransom note and branding (AlphaCrypt was a later rebrand of the same family). The developers shut the operation down in May 2016 and released the master decryption key.
-
Deletes shadow copies 2 TTPs
Ransomware commonly destroys Volume Shadow Copies to inhibit recovery. Here the dropped payload (PID 3424) runs WMIC.exe shadowcopy delete /nointeractive (PID 3848), which is also why vssvc.exe shows up in the process list with SeBackupPrivilege and SeRestorePrivilege enabled.
-
Executes dropped EXE 2 IoCs
pid   Process
4168  sequgmgrbxjq.exe
3424  sequgmgrbxjq.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                      Process
Key value queried  \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Control Panel\International\Geo\Nation  4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Control Panel\International\Geo\Nation  sequgmgrbxjq.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc                                                                                                                       Process
Key created      \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Windows\CurrentVersion\Run                sequgmgrbxjq.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\betbplsqrwyb = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\sequgmgrbxjq.exe\""  sequgmgrbxjq.exe
The Run value does not point at the payload directly: it launches the copy dropped into C:\Windows through cmd.exe /c start, so hunting on Run values whose command is cmd.exe rather than the persisted executable catches it.
-
Suspicious use of SetThreadContext 2 IoCs
description                          pid   Process                                                                 procid_target
PID 5040 set thread context of 892   5040  4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe   75
PID 4168 set thread context of 3424  4168  sequgmgrbxjq.exe                                                        79
Each parent spawns a second instance of its own image, writes into it (see the WriteProcessMemory entries below) and then calls SetThreadContext on it; the dropped copy repeats the same pattern on its own child.
-
Drops file in Program Files directory 64 IoCs
All 64 entries have description "File opened for modification" and Process "sequgmgrbxjq.exe". They fall into two groups: ransom notes (_RECoVERY_+rpfbj.txt / .html / .png) written into each directory the encryptor traversed, and existing files (7-Zip language packs, Chrome locale .pak files, Office images, Java Mission Control .css files and similar) opened for modification, consistent with in-place encryption.
ioc
C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\_RECoVERY_+rpfbj.html
C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_RECoVERY_+rpfbj.txt
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_RECoVERY_+rpfbj.html
C:\Program Files\7-Zip\Lang\ku-ckb.txt
C:\Program Files\ExpandLock.rar
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\cs.pak
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_RECoVERY_+rpfbj.txt
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_RECoVERY_+rpfbj.html
C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\_RECoVERY_+rpfbj.png
C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png
C:\Program Files\7-Zip\Lang\io.txt
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\_RECoVERY_+rpfbj.txt
C:\Program Files\Common Files\System\de-DE\_RECoVERY_+rpfbj.html
C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\_RECoVERY_+rpfbj.png
C:\Program Files\Common Files\microsoft shared\ink\zh-CN\_RECoVERY_+rpfbj.png
C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\_RECoVERY_+rpfbj.png
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png
C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\_RECoVERY_+rpfbj.html
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_RECoVERY_+rpfbj.png
C:\Program Files\Java\jdk1.8.0_66\lib\_RECoVERY_+rpfbj.html
C:\Program Files\Microsoft Office\root\Office16\FPA_f3\_RECoVERY_+rpfbj.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\_RECoVERY_+rpfbj.html
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\_RECoVERY_+rpfbj.txt
C:\Program Files\Java\jre1.8.0_66\lib\ext\_RECoVERY_+rpfbj.html
C:\Program Files\7-Zip\Lang\uz.txt
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\_RECoVERY_+rpfbj.png
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\_RECoVERY_+rpfbj.txt
C:\Program Files\Common Files\System\Ole DB\ja-JP\_RECoVERY_+rpfbj.txt
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_RECoVERY_+rpfbj.png
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\_RECoVERY_+rpfbj.html
C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png
C:\Program Files\Common Files\System\Ole DB\es-ES\_RECoVERY_+rpfbj.png
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\es-419.pak
C:\Program Files\Java\jre1.8.0_66\lib\applet\_RECoVERY_+rpfbj.png
C:\Program Files\Java\jre1.8.0_66\_RECoVERY_+rpfbj.txt
C:\Program Files\Microsoft Office\root\Office16\Configuration\_RECoVERY_+rpfbj.html
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_RECoVERY_+rpfbj.txt
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css
C:\Program Files\Microsoft Office\root\Integration\_RECoVERY_+rpfbj.txt
C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_RECoVERY_+rpfbj.png
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\_RECoVERY_+rpfbj.txt
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_RECoVERY_+rpfbj.png
C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fr.pak
C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\_RECoVERY_+rpfbj.txt
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css
C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png
C:\Program Files\7-Zip\Lang\bn.txt
C:\Program Files\Common Files\System\ado\_RECoVERY_+rpfbj.txt
C:\Program Files\Common Files\System\it-IT\_RECoVERY_+rpfbj.txt
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_RECoVERY_+rpfbj.png
C:\Program Files\7-Zip\Lang\kaa.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\_RECoVERY_+rpfbj.txt
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\_RECoVERY_+rpfbj.html
C:\Program Files\Microsoft Office\root\Office16\Document Parts\_RECoVERY_+rpfbj.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\_RECoVERY_+rpfbj.html
C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_RECoVERY_+rpfbj.html
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_RECoVERY_+rpfbj.html
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_RECoVERY_+rpfbj.html
C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png
-
Drops file in Windows directory 2 IoCs
description                   ioc                           Process
File created                  C:\Windows\sequgmgrbxjq.exe   4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe
File opened for modification  C:\Windows\sequgmgrbxjq.exe   4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s), i.e. enumerates drives to find further volumes to encrypt. Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
3424  sequgmgrbxjq.exe   (this row is repeated 64 times in the report)
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
description                          pid   Process
Token: SeDebugPrivilege              892   4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe
Token: SeDebugPrivilege              3424  sequgmgrbxjq.exe
Token: SeIncreaseQuotaPrivilege      3848  WMIC.exe
Token: SeSecurityPrivilege           3848  WMIC.exe
Token: SeTakeOwnershipPrivilege      3848  WMIC.exe
Token: SeLoadDriverPrivilege         3848  WMIC.exe
Token: SeSystemProfilePrivilege      3848  WMIC.exe
Token: SeSystemtimePrivilege         3848  WMIC.exe
Token: SeProfSingleProcessPrivilege  3848  WMIC.exe
Token: SeIncBasePriorityPrivilege    3848  WMIC.exe
Token: SeCreatePagefilePrivilege     3848  WMIC.exe
Token: SeBackupPrivilege             3848  WMIC.exe
Token: SeRestorePrivilege            3848  WMIC.exe
Token: SeShutdownPrivilege           3848  WMIC.exe
Token: SeDebugPrivilege              3848  WMIC.exe
Token: SeSystemEnvironmentPrivilege  3848  WMIC.exe
Token: SeRemoteShutdownPrivilege     3848  WMIC.exe
Token: SeUndockPrivilege             3848  WMIC.exe
Token: SeManageVolumePrivilege       3848  WMIC.exe
Token: 33                            3848  WMIC.exe
Token: 34                            3848  WMIC.exe
Token: 35                            3848  WMIC.exe
Token: 36                            3848  WMIC.exe
(the 21 WMIC.exe rows above appear a second time in the report, giving the 47 IoCs in total)
Token: SeBackupPrivilege             4400  vssvc.exe
Token: SeRestorePrivilege            4400  vssvc.exe
Token: SeAuditPrivilege              4400  vssvc.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
description                       pid   Process                                                                 procid_target  rows
PID 5040 wrote to memory of 892   5040  4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe   75             9
PID 892 wrote to memory of 4168   892   4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe   76             3
PID 892 wrote to memory of 752    892   4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe   77             3
PID 4168 wrote to memory of 3424  4168  sequgmgrbxjq.exe                                                        79             9
PID 3424 wrote to memory of 3848  3424  sequgmgrbxjq.exe                                                        80             2
(rows = number of identical entries in the report; 26 in total)
-
System policy modification 1 TTPs 2 IoCs
description      ioc                                                                                                     Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                             sequgmgrbxjq.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  sequgmgrbxjq.exe
EnableLinkedConnections = 1 makes drive letters mapped under the user's standard token visible to the elevated (linked) token as well, so an elevated encryptor can reach mapped network shares that are otherwise hidden from it.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe  PID 5040
    cmdline: "C:\Users\Admin\AppData\Local\Temp\4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe  PID 892
        cmdline: "C:\Users\Admin\AppData\Local\Temp\4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe"
        - Checks computer location settings
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\sequgmgrbxjq.exe  PID 4168
            cmdline: C:\Windows\sequgmgrbxjq.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\sequgmgrbxjq.exe  PID 3424
                cmdline: C:\Windows\sequgmgrbxjq.exe
                - Executes dropped EXE
                - Checks computer location settings
                - Adds Run key to start application
                - Drops file in Program Files directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
                [5] C:\Windows\System32\wbem\WMIC.exe  PID 3848
                    cmdline: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
                    - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\cmd.exe  PID 752
            cmdline: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4E90AB~1.EXE
[1] C:\Windows\system32\vssvc.exe  PID 4400
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
The bracketed number is the depth in the tree. The chain is: original sample (5040) hollows a second instance of itself (892); that instance drops and starts C:\Windows\sequgmgrbxjq.exe (4168) and deletes the original file through cmd.exe (752); the dropped copy hollows its own child (3424), which does the encryption, sets persistence and deletes shadow copies via WMIC (3848). The command line names system32\cmd.exe but the image resolves to SysWOW64\cmd.exe because the 32-bit parent is subject to WOW64 file system redirection. vssvc.exe (4400) is the Volume Shadow Copy service, started by the service control manager to service the WMIC shadowcopy delete request, which is why it is not a child of the malware.
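Several of the signatures above (SetThreadContext after repeated WriteProcessMemory into a child running the same image, the WMIC shadow-copy deletion, the Run value that goes through cmd.exe /c start into C:\Windows, EnableLinkedConnections = 1, and the cmd.exe /c DEL of the original file) are exactly the behaviours a detection pipeline should catch from process and registry telemetry. The Python below is an added example, not sandbox or EDR code: it replays a constructed, simplified event trace built from the PIDs, images, command lines and registry writes in this report's signature tables and process tree (the field names are an assumed schema, not Sysmon's or any vendor's) and runs one function per behaviour. The shadow-copy rule also matches vssadmin delete shadows, which this sample does not use.

```python
"""Behaviour detections replayed over a reconstructed event trace.

Added example for this report, not sandbox or EDR code. EVENTS is a
constructed, simplified trace built from the PIDs, images, command lines and
registry writes the report lists; the field names are an assumed schema.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69.exe"
DROPPED = r"C:\Windows\sequgmgrbxjq.exe"
RUN_VALUE = (r"HKU\S-1-5-21-1178428168-2939480073-3055857545-1000"
             r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\betbplsqrwyb")
POLICY_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections"


def create(pid, ppid, image, cmdline=None):
    return {"type": "create", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline or image}


EVENTS = [  # constructed from the report's process tree and IoC tables
    create(5040, None, SAMPLE, f'"{SAMPLE}"'),
    create(892, 5040, SAMPLE, f'"{SAMPLE}"'),
    *[{"type": "wpm", "pid": 5040, "target": 892} for _ in range(9)],
    {"type": "stc", "pid": 5040, "target": 892},
    create(4168, 892, DROPPED),
    create(752, 892, r"C:\Windows\SysWOW64\cmd.exe",
           r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4E90AB~1.EXE'),
    create(3424, 4168, DROPPED),
    *[{"type": "wpm", "pid": 4168, "target": 3424} for _ in range(9)],
    {"type": "stc", "pid": 4168, "target": 3424},
    {"type": "regset", "pid": 3424, "key": RUN_VALUE,
     "data": r'C:\Windows\system32\cmd.exe /c start "" "C:\Windows\sequgmgrbxjq.exe"'},
    {"type": "regset", "pid": 3424, "key": POLICY_VALUE, "data": 1},
    create(3848, 3424, r"C:\Windows\System32\wbem\WMIC.exe",
           r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'),
]

SHADOW_DELETE = re.compile(
    r"(wmic(\.exe)?\b.*\bshadowcopy\s+delete|vssadmin(\.exe)?\b.*\bdelete\s+shadows)", re.I)


def processes(events):
    """pid -> process-creation event."""
    return {e["pid"]: e for e in events if e["type"] == "create"}


def detect_self_hollowing(events):
    """Parent writes into a child it spawned from its own image, then calls
    SetThreadContext on it: the RunPE / process-hollowing pattern."""
    procs = processes(events)
    writes = defaultdict(int)
    for e in events:
        if e["type"] == "wpm":
            writes[(e["pid"], e["target"])] += 1
    hits = []
    for e in events:
        if e["type"] != "stc":
            continue
        src, dst = procs.get(e["pid"]), procs.get(e["target"])
        if (src and dst and dst["ppid"] == e["pid"]
                and src["image"].lower() == dst["image"].lower()
                and writes[(e["pid"], e["target"])] > 0):
            hits.append(("self_hollowing", e["pid"], e["target"]))
    return hits


def detect_shadow_copy_deletion(events):
    return [("shadow_copy_deletion", e["pid"]) for e in events
            if e["type"] == "create" and SHADOW_DELETE.search(e["cmdline"])]


def detect_run_key_launcher(events):
    """Run value that starts its payload via cmd.exe /c start, or whose final
    executable sits directly in C:\\Windows instead of a system directory."""
    hits = []
    for e in events:
        if e["type"] != "regset" or "\\currentversion\\run\\" not in e["key"].lower():
            continue
        data = str(e["data"])
        exes = re.findall(r'"?([A-Za-z]:\\[^"\s]+\.exe)"?', data, re.I)
        target = exes[-1] if exes else ""
        indirect = re.search(r"cmd(\.exe)?\s+/c\s+start\b", data, re.I) is not None
        in_windows_root = re.fullmatch(r"c:\\windows\\[^\\]+\.exe", target.lower()) is not None
        if indirect or in_windows_root:
            hits.append(("run_key_launcher", e["pid"], target))
    return hits


def detect_linked_connections(events):
    return [("enable_linked_connections", e["pid"]) for e in events
            if e["type"] == "regset"
            and e["key"].lower().endswith("\\policies\\system\\enablelinkedconnections")
            and str(e["data"]) == "1"]


def detect_self_delete(events):
    """cmd.exe /c DEL of a file in the same directory as the parent's image."""
    procs = processes(events)
    hits = []
    for e in events:
        if e["type"] != "create":
            continue
        m = re.search(r"/c\s+del\s+(\S+)", e["cmdline"], re.I)
        parent = procs.get(e["ppid"])
        if m and parent:
            deleted_dir = m.group(1).rsplit("\\", 1)[0].lower()
            parent_dir = parent["image"].rsplit("\\", 1)[0].lower()
            if deleted_dir == parent_dir:
                hits.append(("self_delete", e["ppid"]))
    return hits


def run_all(events):
    alerts = []
    for rule in (detect_self_hollowing, detect_shadow_copy_deletion, detect_run_key_launcher,
                 detect_linked_connections, detect_self_delete):
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

Against this trace the rules fire twice for hollowing (5040 into 892, 4168 into 3424) and once each for the other four behaviours; the self-delete rule attributes the alert to the parent (892), since that is the process that ordered the deletion, not the transient cmd.exe.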
Network
MITRE ATT&CK Enterprise v6
Downloads
Three entries, all with identical file properties (the same values as the submitted sample):
Filesize  375KB
MD5       47a349dd2ab3dde3fa0ec7c7364dd794
SHA1      84f7080c82e16ff7ad72e86f949fefe6af567625
SHA256    4e90abdfc99b858205724c854478d92cca84194a5809f8a75e77a1694df19d69
SHA512    0fd9e1ce3ac5c89c69d268f981f7171a70dace77c1ec83bd1454312ab4cb3c7fd34e1e83853fff16c1395bacbd8c63a583eecc3ca9fbe7b4b406b4d6c3c8aa59