Analysis
-
max time kernel
1354s -
max time network
1178s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
-
submitted
08-08-2022 09:59
General
-
Target
http://tlniurl.com/1x3i1x
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks for any installed AV software in registry 1 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 19 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 44 IoCs
-
Suspicious use of SendNotifyMessage 42 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" http://tlniurl.com/1x3i1x1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" http://tlniurl.com/1x3i1x2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3172.0.1686592124\627402291" -parentBuildID 20200403170909 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 1 -prefMapSize 220073 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3172 "\\.\pipe\gecko-crash-server-pipe.3172" 1780 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3172.3.1872863328\2141733972" -childID 1 -isForBrowser -prefsHandle 2484 -prefMapHandle 1564 -prefsLen 78 -prefMapSize 220073 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3172 "\\.\pipe\gecko-crash-server-pipe.3172" 2472 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3172.13.216973103\86702932" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 6860 -prefMapSize 220073 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3172 "\\.\pipe\gecko-crash-server-pipe.3172" 3600 tab3⤵
-
C:\Users\Admin\Downloads\Sony-Vegas-Pro-Crack_NQ5vYOZD.exe"C:\Users\Admin\Downloads\Sony-Vegas-Pro-Crack_NQ5vYOZD.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-TN80H.tmp\is-CIEKD.tmp"C:\Users\Admin\AppData\Local\Temp\is-TN80H.tmp\is-CIEKD.tmp" /SL4 $1020A "C:\Users\Admin\Downloads\Sony-Vegas-Pro-Crack_NQ5vYOZD.exe" 3802872 931842⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query3⤵
-
C:\Program Files (x86)\AbrielFilesPro\AbrielMyFilesPro.exe"C:\Program Files (x86)\AbrielFilesPro\AbrielMyFilesPro.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 10444⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 10804⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1404⤵
- Program crash
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "UndeleteMyFiles Pro 32"3⤵
-
C:\Program Files (x86)\AbrielFilesPro\AbrielMyFilesPro.exe"C:\Program Files (x86)\AbrielFilesPro\AbrielMyFilesPro.exe" 30b770fda09f718acf34258e00e7d06b3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 10284⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 10364⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 11204⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 12164⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 12644⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 13244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 13324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 13924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 13244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 13964⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 11444⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 15204⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 13964⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 11284⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 11444⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4192 -ip 41921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4192 -ip 41921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4192 -ip 41921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4488 -ip 44881⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\AbrielFilesPro\AbrielMyFilesPro.exeFilesize
4.7MB
MD5ee257b83012f64e13dbd9ecff70884cc
SHA1d9ab7f6fe46f5d44a5172c7b7d6a58d5ac875b12
SHA256f9eb99b1de309353abd7a2e53f562c3658da580701a8115e8c65e7bf6a5211fb
SHA5122dd559b42ae540140dcb0dff583472217f360aeae22c4528d04aeedbf1be1c3e6f4ae2164a649504ebaa8f5944469e22af70406f1744d83ec1a5e22573094a52
-
C:\Program Files (x86)\AbrielFilesPro\AbrielMyFilesPro.exeFilesize
4.7MB
MD5ee257b83012f64e13dbd9ecff70884cc
SHA1d9ab7f6fe46f5d44a5172c7b7d6a58d5ac875b12
SHA256f9eb99b1de309353abd7a2e53f562c3658da580701a8115e8c65e7bf6a5211fb
SHA5122dd559b42ae540140dcb0dff583472217f360aeae22c4528d04aeedbf1be1c3e6f4ae2164a649504ebaa8f5944469e22af70406f1744d83ec1a5e22573094a52
-
C:\Program Files (x86)\AbrielFilesPro\AbrielMyFilesPro.exeFilesize
4.7MB
MD5ee257b83012f64e13dbd9ecff70884cc
SHA1d9ab7f6fe46f5d44a5172c7b7d6a58d5ac875b12
SHA256f9eb99b1de309353abd7a2e53f562c3658da580701a8115e8c65e7bf6a5211fb
SHA5122dd559b42ae540140dcb0dff583472217f360aeae22c4528d04aeedbf1be1c3e6f4ae2164a649504ebaa8f5944469e22af70406f1744d83ec1a5e22573094a52
-
C:\Users\Admin\AppData\Local\Temp\is-MFU84.tmp\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-TN80H.tmp\is-CIEKD.tmpFilesize
685KB
MD57f46188bafe719b5ba8e32c2e0037f21
SHA16dc19d768f6b24766cfcdf49f630b517174c780e
SHA2563c65b17529d5a22bbcb9f726f567f3a0506f6536bc5048789fd2f11c420ffd5e
SHA5125c14cf51850c1e02765e86f7a166e7554425c3399e979ff75397a1c430e1c5099545eddd51e65b06790fb3cc9cbb70b70749438ec3277deba5a0eb4c3beb2bc3
-
C:\Users\Admin\AppData\Local\Temp\is-TN80H.tmp\is-CIEKD.tmpFilesize
685KB
MD57f46188bafe719b5ba8e32c2e0037f21
SHA16dc19d768f6b24766cfcdf49f630b517174c780e
SHA2563c65b17529d5a22bbcb9f726f567f3a0506f6536bc5048789fd2f11c420ffd5e
SHA5125c14cf51850c1e02765e86f7a166e7554425c3399e979ff75397a1c430e1c5099545eddd51e65b06790fb3cc9cbb70b70749438ec3277deba5a0eb4c3beb2bc3
-
C:\Users\Admin\Downloads\Sony-Vegas-Pro-Crack_NQ5vYOZD.exeFilesize
3.9MB
MD5cda249aa09d54ed57a8b845391fd0298
SHA16266ceacbf9300b92343b7c96b1b3593591e2f0e
SHA2569eb38fb80e816722e45bfad342244e03164703caf535209ad8c570f336bb020a
SHA51241c0497f1145c14cd2382a75a2b8d91cb1b89f2356b936ddf849d92e51a0dd8a7b9d3d810569a74100985f1329c2fba50ac986754649310ed30818ae2a9e99fc
-
C:\Users\Admin\Downloads\Sony-Vegas-Pro-Crack_NQ5vYOZD.exeFilesize
3.9MB
MD5cda249aa09d54ed57a8b845391fd0298
SHA16266ceacbf9300b92343b7c96b1b3593591e2f0e
SHA2569eb38fb80e816722e45bfad342244e03164703caf535209ad8c570f336bb020a
SHA51241c0497f1145c14cd2382a75a2b8d91cb1b89f2356b936ddf849d92e51a0dd8a7b9d3d810569a74100985f1329c2fba50ac986754649310ed30818ae2a9e99fc
-
memory/980-150-0x0000000000000000-mapping.dmp
-
memory/1368-137-0x0000000000000000-mapping.dmp
-
memory/4192-149-0x0000000000400000-0x00000000016BC000-memory.dmpFilesize
18.7MB
-
memory/4192-143-0x0000000000000000-mapping.dmp
-
memory/4192-146-0x0000000000400000-0x00000000016BC000-memory.dmpFilesize
18.7MB
-
memory/4192-147-0x0000000000400000-0x00000000016BC000-memory.dmpFilesize
18.7MB
-
memory/4192-148-0x0000000000400000-0x00000000016BC000-memory.dmpFilesize
18.7MB
-
memory/4228-142-0x0000000000000000-mapping.dmp
-
memory/4488-155-0x0000000000400000-0x00000000016BC000-memory.dmpFilesize
18.7MB
-
memory/4488-151-0x0000000000000000-mapping.dmp
-
memory/4488-153-0x0000000000400000-0x00000000016BC000-memory.dmpFilesize
18.7MB
-
memory/4488-156-0x0000000000400000-0x00000000016BC000-memory.dmpFilesize
18.7MB
-
memory/4488-157-0x0000000000400000-0x00000000016BC000-memory.dmpFilesize
18.7MB
-
memory/4488-158-0x0000000000400000-0x00000000016BC000-memory.dmpFilesize
18.7MB
-
memory/4496-134-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/4496-136-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/4496-141-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/4496-159-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB