Analysis
-
max time kernel
153s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system -
submitted
24/07/2022, 16:44
Static task
static1
Behavioral task
behavioral1
Sample
580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe
Resource
win7-20220715-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe
Resource
win10v2004-20220722-en
windows10-2004-x64
13 signatures
150 seconds
General
-
Target
580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe
-
Size
384KB
-
MD5
6e40ceedbbe126326e9f2c00a6bcea26
-
SHA1
589928e1e8d398a4be6a3e85270bd09bad9104d1
-
SHA256
580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148
-
SHA512
05da4dd8f16ee82988ddec7e5e5c09dbf21da944a72dc464cbd9cdaab6117080bde3409185a37d0d8aff82017b1bc43f77371d4afb899230365f5e6312e4957d
Score
10/10
Malware Config
Extracted
Path
C:\$Recycle.Bin\S-1-5-21-3463845317-933582289-45817732-1000\Recovery+pieom.txt
Family
teslacrypt
Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://tt54rfdjhb34rfbnknaerg.milerteddy.com/F7895A6BFBF13BB2
2. http://kkd47eh4hdjshb5t.angortra.at/F7895A6BFBF13BB2
3. http://ytrest84y5i456hghadefdsd.pontogrot.com/F7895A6BFBF13BB2
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser
3. Type in the address bar: xlowfznrg4wf7dli.onion/F7895A6BFBF13BB2
4. Follow the instructions on the site.
---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/F7895A6BFBF13BB2
http://kkd47eh4hdjshb5t.angortra.at/F7895A6BFBF13BB2
http://ytrest84y5i456hghadefdsd.pontogrot.com/F7895A6BFBF13BB2
*-*-* Your personal page Tor-Browser: xlowfznrg4wf7dli.ONION/F7895A6BFBF13BB2
URLs
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/F7895A6BFBF13BB2
http://kkd47eh4hdjshb5t.angortra.at/F7895A6BFBF13BB2
http://ytrest84y5i456hghadefdsd.pontogrot.com/F7895A6BFBF13BB2
http://xlowfznrg4wf7dli.ONION/F7895A6BFBF13BB2
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
pid Process 372 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation hyoqssilrsbi.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run hyoqssilrsbi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\apxqfelusylq = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\hyoqssilrsbi.exe\"" hyoqssilrsbi.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1360 set thread context of 4092 1360 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 80 PID 372 set thread context of 2664 372 hyoqssilrsbi.exe 84 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\Recovery+pieom.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ko.pak hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sk.pak hyoqssilrsbi.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\Recovery+pieom.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\Recovery+pieom.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\7-Zip\Lang\va.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Common Files\System\msadc\it-IT\Recovery+pieom.html hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\Recovery+pieom.html hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css hyoqssilrsbi.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\Recovery+pieom.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\lt.pak hyoqssilrsbi.exe File opened for modification C:\Program Files\Common Files\microsoft shared\TextConv\en-US\Recovery+pieom.html hyoqssilrsbi.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VC\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] hyoqssilrsbi.exe File opened for modification C:\Program Files\Common Files\DESIGNER\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\Recovery+pieom.html hyoqssilrsbi.exe File opened for modification C:\Program Files\Internet Explorer\it-IT\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\7-Zip\Lang\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\de.pak hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\Recovery+pieom.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\7-Zip\Lang\cy.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\Recovery+pieom.html hyoqssilrsbi.exe File opened for modification C:\Program Files\7-Zip\Lang\ug.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\Recovery+pieom.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\Recovery+pieom.html hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\Recovery+pieom.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\Recovery+pieom.html hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office15\Recovery+pieom.html hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Internet Explorer\es-ES\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\deploy\ffjcext.zip hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] hyoqssilrsbi.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\Recovery+pieom.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\Recovery+pieom.html hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\Recovery+pieom.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\Recovery+pieom.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\Recovery+pieom.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\Recovery+pieom.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\th-TH\Recovery+pieom.html hyoqssilrsbi.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\images\Recovery+pieom.png hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\Office16\Recovery+pieom.txt hyoqssilrsbi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\Recovery+pieom.html hyoqssilrsbi.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\hyoqssilrsbi.exe 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe File created C:\Windows\hyoqssilrsbi.exe 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe 2664 hyoqssilrsbi.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeDebugPrivilege 4092 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe Token: SeDebugPrivilege 2664 hyoqssilrsbi.exe Token: SeIncreaseQuotaPrivilege 4148 WMIC.exe Token: SeSecurityPrivilege 4148 WMIC.exe Token: SeTakeOwnershipPrivilege 4148 WMIC.exe Token: SeLoadDriverPrivilege 4148 WMIC.exe Token: SeSystemProfilePrivilege 4148 WMIC.exe Token: SeSystemtimePrivilege 4148 WMIC.exe Token: SeProfSingleProcessPrivilege 4148 WMIC.exe Token: SeIncBasePriorityPrivilege 4148 WMIC.exe Token: SeCreatePagefilePrivilege 4148 WMIC.exe Token: SeBackupPrivilege 4148 WMIC.exe Token: SeRestorePrivilege 4148 WMIC.exe Token: SeShutdownPrivilege 4148 WMIC.exe Token: SeDebugPrivilege 4148 WMIC.exe Token: SeSystemEnvironmentPrivilege 4148 WMIC.exe Token: SeRemoteShutdownPrivilege 4148 WMIC.exe Token: SeUndockPrivilege 4148 WMIC.exe Token: SeManageVolumePrivilege 4148 WMIC.exe Token: 33 4148 WMIC.exe Token: 34 4148 WMIC.exe Token: 35 4148 WMIC.exe Token: 36 4148 WMIC.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1360 wrote to memory of 4092 1360 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 80 PID 1360 wrote to memory of 4092 1360 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 80 PID 1360 wrote to memory of 4092 1360 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 80 PID 1360 wrote to memory of 4092 1360 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 80 PID 1360 wrote to memory of 4092 1360 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 80 PID 1360 wrote to memory of 4092 1360 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 80 PID 1360 wrote to memory of 4092 1360 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 80 PID 1360 wrote to memory of 4092 1360 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 80 PID 1360 wrote to memory of 4092 1360 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 80 PID 1360 wrote to memory of 4092 1360 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 80 PID 4092 wrote to memory of 372 4092 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 81 PID 4092 wrote to memory of 372 4092 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 81 PID 4092 wrote to memory of 372 4092 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 81 PID 4092 wrote to memory of 4976 4092 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 82 PID 4092 wrote to memory of 4976 4092 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 82 PID 4092 wrote to memory of 4976 4092 580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe 82 PID 372 wrote to memory of 2664 372 hyoqssilrsbi.exe 84 PID 372 wrote to memory of 2664 372 hyoqssilrsbi.exe 84 PID 372 wrote to memory of 2664 372 hyoqssilrsbi.exe 84 PID 372 wrote to memory of 2664 372 hyoqssilrsbi.exe 84 PID 372 wrote to memory of 2664 372 hyoqssilrsbi.exe 84 PID 372 wrote to memory of 2664 372 hyoqssilrsbi.exe 84 PID 372 wrote to memory of 2664 372 hyoqssilrsbi.exe 84 PID 372 wrote to memory of 2664 372 hyoqssilrsbi.exe 84 PID 372 wrote to memory of 2664 372 hyoqssilrsbi.exe 84 PID 372 wrote to memory of 2664 372 hyoqssilrsbi.exe 84 PID 2664 wrote to memory of 4148 2664 hyoqssilrsbi.exe 85 PID 2664 wrote to memory of 4148 2664 hyoqssilrsbi.exe 85 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System hyoqssilrsbi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" hyoqssilrsbi.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe"C:\Users\Admin\AppData\Local\Temp\580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Users\Admin\AppData\Local\Temp\580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe"C:\Users\Admin\AppData\Local\Temp\580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\hyoqssilrsbi.exeC:\Windows\hyoqssilrsbi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\hyoqssilrsbi.exeC:\Windows\hyoqssilrsbi.exe4⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2664 -
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4148
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\580484~1.EXE3⤵PID:4976
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
384KB
MD56e40ceedbbe126326e9f2c00a6bcea26
SHA1589928e1e8d398a4be6a3e85270bd09bad9104d1
SHA256580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148
SHA51205da4dd8f16ee82988ddec7e5e5c09dbf21da944a72dc464cbd9cdaab6117080bde3409185a37d0d8aff82017b1bc43f77371d4afb899230365f5e6312e4957d
-
Filesize
384KB
MD56e40ceedbbe126326e9f2c00a6bcea26
SHA1589928e1e8d398a4be6a3e85270bd09bad9104d1
SHA256580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148
SHA51205da4dd8f16ee82988ddec7e5e5c09dbf21da944a72dc464cbd9cdaab6117080bde3409185a37d0d8aff82017b1bc43f77371d4afb899230365f5e6312e4957d
-
Filesize
384KB
MD56e40ceedbbe126326e9f2c00a6bcea26
SHA1589928e1e8d398a4be6a3e85270bd09bad9104d1
SHA256580484e4aa95bfa8e5b86b568b57e76625a8fe648bbe1093517281ac8cd0f148
SHA51205da4dd8f16ee82988ddec7e5e5c09dbf21da944a72dc464cbd9cdaab6117080bde3409185a37d0d8aff82017b1bc43f77371d4afb899230365f5e6312e4957d