Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220721-en locale:en-us os:windows10-2004-x64 system
submitted: 25-07-2022 04:50
Static task: static1
Behavioral task: behavioral1
  Sample: 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
  Resource: win10v2004-20220721-en
General
Target: 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
Size: 416KB
MD5: 121e0d2c092d76e599e925f0b96746a3
SHA1: 6b0311750c7e712b4de156dda496bb88705c8e1b
SHA256: 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b
SHA512: b9fd5ceb2b8ef2375dbd6698fa12e98e8ce184801dcbfa7bcf9196aaf91ac875b3b8972f686801c9988d543d423adbd46bd8a6dd616238db47aeb9a96ba324a4
Malware Config
Extracted
Path: C:\$Recycle.Bin\S-1-5-21-1101907861-274115917-2188613224-1000\Recovery+aqsdn.txt
URLs:
http://p57gest54celltraf743knjf.mottesapo.com/9DBF1B10D7701699
http://k4restportgonst34d23r.oftpony.at/9DBF1B10D7701699
http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/9DBF1B10D7701699
http://fwgrhsao3aoml7ej.onion/9DBF1B10D7701699
http://fwgrhsao3aoml7ej.ONION/9DBF1B10D7701699
Signatures
-
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2452 | pfvvraltodor.exe
2456 | pfvvraltodor.exe
1640 | dlnyr.exe
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\MergeClose.png => C:\Users\Admin\Pictures\MergeClose.png.mp3 | pfvvraltodor.exe
File renamed | C:\Users\Admin\Pictures\RedoGet.raw => C:\Users\Admin\Pictures\RedoGet.raw.mp3 | pfvvraltodor.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | dlnyr.exe
-
Drops startup file 6 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+aqsdn.png | pfvvraltodor.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+aqsdn.txt | pfvvraltodor.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+aqsdn.html | pfvvraltodor.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+aqsdn.png | pfvvraltodor.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+aqsdn.txt | pfvvraltodor.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+aqsdn.html | pfvvraltodor.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows\CurrentVersion\Run | pfvvraltodor.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12_23-dst = "C:\\Windows\\pfvvraltodor.exe" | pfvvraltodor.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 3996 set thread context of 1944 | 3996 | 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe | 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 2452 set thread context of 2456 | 2452 | pfvvraltodor.exe | pfvvraltodor.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\Recovery+aqsdn.txt | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\Recovery+aqsdn.html | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-20.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-150.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\Recovery+aqsdn.html | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\SmallTile.scale-200.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-125.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-400.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\Recovery+aqsdn.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-24_altform-unplated.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\Recovery+aqsdn.txt | pfvvraltodor.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-white.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\it-IT\Recovery+aqsdn.txt | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\splashscreen.scale-100.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Doughboy.scale-125.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\Recovery+aqsdn.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\ja\Recovery+aqsdn.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\weather_2_travel.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-white.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\3px.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\View3d\Recovery+aqsdn.txt | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Recovery+aqsdn.txt | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-36_altform-unplated.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Recovery+aqsdn.html | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-150.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\uz\Recovery+aqsdn.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Sunset.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxMetadata\Recovery+aqsdn.html | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCache.scale-100.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_star_Loud.m4a | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\Recovery+aqsdn.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\SplashScreen.scale-200.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\Recovery+aqsdn.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBarNotificationLogo.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt | pfvvraltodor.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1036\Recovery+aqsdn.html | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-24.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-400_contrast-black.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sl\Recovery+aqsdn.txt | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-125.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\Recovery+aqsdn.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-125.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-100_contrast-black.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-125.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+aqsdn.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-100_contrast-black.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-140.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\Recovery+aqsdn.html | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+aqsdn.txt | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-24_contrast-black.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\PaintMedTile.scale-125.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-100.png | pfvvraltodor.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\Recovery+aqsdn.txt | pfvvraltodor.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\Recovery+aqsdn.html | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+aqsdn.html | pfvvraltodor.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsStoreLogo.contrast-black_scale-100.png | pfvvraltodor.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\pfvvraltodor.exe | 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
File opened for modification | C:\Windows\pfvvraltodor.exe | 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
4220 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2456 | pfvvraltodor.exe (this same entry is recorded 64 times)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1944 | 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
Token: SeDebugPrivilege | 2456 | pfvvraltodor.exe
Token: SeBackupPrivilege | 1736 | vssvc.exe
Token: SeRestorePrivilege | 1736 | vssvc.exe
Token: SeAuditPrivilege | 1736 | vssvc.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
3996 | 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
2452 | pfvvraltodor.exe
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
description | pid | process | target process | occurrences
PID 3996 wrote to memory of 1944 | 3996 | 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe | 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe | 10
PID 1944 wrote to memory of 2452 | 1944 | 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe | pfvvraltodor.exe | 3
PID 1944 wrote to memory of 4364 | 1944 | 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe | cmd.exe | 3
PID 2452 wrote to memory of 2456 | 2452 | pfvvraltodor.exe | pfvvraltodor.exe | 10
PID 2456 wrote to memory of 1640 | 2456 | pfvvraltodor.exe | dlnyr.exe | 3
PID 1640 wrote to memory of 4220 | 1640 | dlnyr.exe | vssadmin.exe | 2
-
System policy modification 1 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | pfvvraltodor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | pfvvraltodor.exe
Processes
(process tree; depth is the nesting level reported by the sandbox, PIDs are those recorded in the signature tables above)
-
depth 1: C:\Users\Admin\AppData\Local\Temp\5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe (PID 3996)
  command line: "C:\Users\Admin\AppData\Local\Temp\5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Users\Admin\AppData\Local\Temp\5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe (PID 1944)
    command line: "C:\Users\Admin\AppData\Local\Temp\5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\pfvvraltodor.exe (PID 2452)
      command line: C:\Windows\pfvvraltodor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\pfvvraltodor.exe (PID 2456)
        command line: C:\Windows\pfvvraltodor.exe
        - Executes dropped EXE
        - Modifies extensions of user files
        - Drops startup file
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        depth 5: C:\Users\Admin\Documents\dlnyr.exe (PID 1640)
          command line: C:\Users\Admin\Documents\dlnyr.exe
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
          depth 6: C:\Windows\System32\vssadmin.exe (PID 4220)
            command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            - Interacts with shadow copies
    depth 3: C:\Windows\SysWOW64\cmd.exe (PID 4364)
      command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5638C4~1.EXE
-
depth 1: C:\Windows\system32\vssvc.exe (PID 1736)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Documents\dlnyr.exe
Filesize: 5KB
MD5: 34d3f2e3fd92cd38a103d415dbb22936
SHA1: abdcf16a82cf8d3109ec39203181d839f2154a68
SHA256: 5119839eaaf7dfc670c7d2c8a83e74f895e07fab5f22c379185769eed07ece25
SHA512: bc76ed0fe69ab38f66217f4b4aec79947e706136aecc5a42840ccd963799c8c175dc796d92be678b2b1e55d22c3a97fb4b9e00f6879958ae5a5bb2081ae7ad92
-
C:\Windows\pfvvraltodor.exe
Filesize: 416KB
MD5: 121e0d2c092d76e599e925f0b96746a3
SHA1: 6b0311750c7e712b4de156dda496bb88705c8e1b
SHA256: 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b
SHA512: b9fd5ceb2b8ef2375dbd6698fa12e98e8ce184801dcbfa7bcf9196aaf91ac875b3b8972f686801c9988d543d423adbd46bd8a6dd616238db47aeb9a96ba324a4
-
memory/1640-147-0x0000000000000000-mapping.dmp
memory/1944-133-0x0000000000400000-0x0000000000487000-memory.dmp Filesize: 540KB
memory/1944-135-0x0000000000400000-0x0000000000487000-memory.dmp Filesize: 540KB
memory/1944-136-0x0000000000400000-0x0000000000487000-memory.dmp Filesize: 540KB
memory/1944-132-0x0000000000400000-0x0000000000487000-memory.dmp Filesize: 540KB
memory/1944-131-0x0000000000000000-mapping.dmp
memory/1944-141-0x0000000000400000-0x0000000000487000-memory.dmp Filesize: 540KB
memory/2452-137-0x0000000000000000-mapping.dmp
memory/2456-146-0x0000000000400000-0x0000000000487000-memory.dmp Filesize: 540KB
memory/2456-145-0x0000000000400000-0x0000000000487000-memory.dmp Filesize: 540KB
memory/2456-142-0x0000000000000000-mapping.dmp
memory/2456-151-0x0000000000400000-0x0000000000487000-memory.dmp Filesize: 540KB
memory/2456-152-0x0000000000400000-0x0000000000487000-memory.dmp Filesize: 540KB
memory/3996-130-0x0000000000C80000-0x0000000000C83000-memory.dmp Filesize: 12KB
memory/3996-134-0x0000000000C80000-0x0000000000C83000-memory.dmp Filesize: 12KB
memory/4220-150-0x0000000000000000-mapping.dmp
memory/4364-140-0x0000000000000000-mapping.dmp