Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 06:34

Static task: static1

Behavioral task: behavioral1
Sample: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe
Resource: win7-20220718-en

Behavioral task: behavioral2
Sample: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe
Resource: win10v2004-20220721-en

General

Target: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe
Size: 620KB
MD5: 5f685fae5cf582995387f342f60b5e23
SHA1: f99aa09d283e441e42edb46ae48c58f6ac8011ce
SHA256: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e
SHA512: dc3793c5699e53ccb818787b5f60d866e1a4ab78ac08a0ba0e53db6a3810dfb829f67bf372acf54dcde768d8a7ae9434a213fd7391605b65e4290df5cb5b6ce5

Malware Config

Extracted
Path: C:\$Recycle.Bin\S-1-5-21-2660308776-3705150086-26593515-1000\Recovery+hvefa.txt
URLs:
- http://ert54nfh6hdshbw4f.nursespelk.com/8FA12DEEBE8A2E6
- http://kk4dshfjn45tsnkdf34fg.tatiejava.at/8FA12DEEBE8A2E6
- http://akdfrefdkm45tf33fsdfsdf.yamenswash.com/8FA12DEEBE8A2E6
- http://fwgrhsao3aoml7ej.onion/8FA12DEEBE8A2E6

Signatures

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (3 IoCs)
Processes:
- PID 3900 wtnbaocgm.exe
- PID 2776 wtnbaocgm.exe
- PID 1724 nxmfy.exe

Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
- wtnbaocgm.exe: File renamed C:\Users\Admin\Pictures\ConvertToSkip.raw => C:\Users\Admin\Pictures\ConvertToSkip.raw.mp3
- wtnbaocgm.exe: File renamed C:\Users\Admin\Pictures\DisconnectApprove.crw => C:\Users\Admin\Pictures\DisconnectApprove.crw.mp3

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe: Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation
- nxmfy.exe: Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation

Drops startup file (6 IoCs)
Processes:
- wtnbaocgm.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+hvefa.png
- wtnbaocgm.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+hvefa.txt
- wtnbaocgm.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+hvefa.html
- wtnbaocgm.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+hvefa.png
- wtnbaocgm.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+hvefa.txt
- wtnbaocgm.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+hvefa.html

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- wtnbaocgm.exe: Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows\CurrentVersion\Run
- wtnbaocgm.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwer-sadkfgsa = "C:\\Windows\\wtnbaocgm.exe"

Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 4156 set thread context of 4040: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe -> 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe
- PID 3900 set thread context of 2776: wtnbaocgm.exe -> wtnbaocgm.exe

Drops file in Program Files directory (64 IoCs)
Processes: wtnbaocgm.exe

Drops file in Windows directory (2 IoCs)
Processes:
- 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe: File created C:\Windows\wtnbaocgm.exe
- 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe: File opened for modification C:\Windows\wtnbaocgm.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 2400 vssadmin.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 2776 wtnbaocgm.exe (all 64 entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
- PID 4040 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe: Token: SeDebugPrivilege
- PID 2776 wtnbaocgm.exe: Token: SeDebugPrivilege
- PID 964 vssvc.exe: Token: SeBackupPrivilege
- PID 964 vssvc.exe: Token: SeRestorePrivilege
- PID 964 vssvc.exe: Token: SeAuditPrivilege

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 4156 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe
- PID 3900 wtnbaocgm.exe

Suspicious use of WriteProcessMemory (31 IoCs)
Processes:
- PID 4156 wrote to memory of 4040: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe -> 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe (10 entries)
- PID 4040 wrote to memory of 3900: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe -> wtnbaocgm.exe (3 entries)
- PID 4040 wrote to memory of 4144: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe -> cmd.exe (3 entries)
- PID 3900 wrote to memory of 2776: wtnbaocgm.exe -> wtnbaocgm.exe (10 entries)
- PID 2776 wrote to memory of 1724: wtnbaocgm.exe -> nxmfy.exe (3 entries)
- PID 1724 wrote to memory of 2400: nxmfy.exe -> vssadmin.exe (2 entries)

Processes

1. C:\Users\Admin\AppData\Local\Temp\55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e.exe"
      - Checks computer location settings
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\wtnbaocgm.exe
         Command line: C:\Windows\wtnbaocgm.exe
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\wtnbaocgm.exe
            Command line: C:\Windows\wtnbaocgm.exe
            - Executes dropped EXE
            - Modifies extensions of user files
            - Drops startup file
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\Documents\nxmfy.exe
               Command line: C:\Users\Admin\Documents\nxmfy.exe
               - Executes dropped EXE
               - Checks computer location settings
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\System32\vssadmin.exe
                  Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
                  - Interacts with shadow copies
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\55E1C4~1.EXE
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken

Downloads

C:\Users\Admin\Documents\nxmfy.exe
Filesize: 4KB
MD5: 307074acffa41e69ae7449338accbac4
SHA1: d880915f78361db3b15ff18b0d3239a5d2a6a997
SHA256: a5d3ed693c85298bd8f1c116bb16f78e032364143c76da2e22b3d0de29182380
SHA512: aba5ffe7ec7342ba381927d3ff995f339b1837faab30e0fe48ed38b2da636b4e38b969a23c1c87271e54862522098775cb2f695c22a42b7a81d7f4e88fefa426

C:\Windows\wtnbaocgm.exe
Filesize: 620KB
MD5: 5f685fae5cf582995387f342f60b5e23
SHA1: f99aa09d283e441e42edb46ae48c58f6ac8011ce
SHA256: 55e1c4d76da8b185f8a68481bcbcdec3ed44f75dc04845e4a2a66ac0e5f6140e
SHA512: dc3793c5699e53ccb818787b5f60d866e1a4ab78ac08a0ba0e53db6a3810dfb829f67bf372acf54dcde768d8a7ae9434a213fd7391605b65e4290df5cb5b6ce5

- memory/1724-148-0x0000000000000000-mapping.dmp
- memory/2400-151-0x0000000000000000-mapping.dmp
- memory/2776-147-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
- memory/2776-152-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
- memory/2776-146-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
- memory/2776-145-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
- memory/2776-142-0x0000000000000000-mapping.dmp
- memory/3900-136-0x0000000000000000-mapping.dmp
- memory/4040-135-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
- memory/4040-141-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
- memory/4040-139-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
- memory/4040-133-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
- memory/4040-132-0x0000000000400000-0x0000000000486000-memory.dmp (Filesize: 536KB)
- memory/4040-131-0x0000000000000000-mapping.dmp
- memory/4144-140-0x0000000000000000-mapping.dmp
- memory/4156-130-0x0000000002590000-0x0000000002593000-memory.dmp (Filesize: 12KB)
- memory/4156-134-0x0000000002590000-0x0000000002593000-memory.dmp (Filesize: 12KB)