Analysis
max time kernel: 155s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-08-2022 22:43
Behavioral task: behavioral1
Sample: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
Resource: win7-20220812-en
Behavioral task: behavioral2 (the run reported on this page)
Sample: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
Resource: win10v2004-20220812-en
General
Target: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
Size: 139KB
MD5: 24275604649ac0abafe99b981b914fbc
SHA1: 818b0e3018ad27be9887e9e5f4ef1971f422652c
SHA256: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749
SHA512: 008ef045724963d6ae3b845a6c3de8ebb6682b0f4b8ea77c2d35e2193596b78f0092183de0a88a34f7dde4e71abbc129b2f0f00fd8469801fff66f1b8390b6c8
SSDEEP: 1536:JLMVCWvZ8URtqOz3d+1Qs6H9Mk2e3E2avMWC3yMgYxf6+okbdWsWjcdpKCaIxWzX:VM9ntZ3s1QJdnU2SQdf64ZZ8CaIxWec
Malware Config
Extracted from C:\RSAHIYV-DECRYPT.txt (the ransom note dropped by the sample)
http://gandcrabmfe6mnef.onion/c3f423cdbe44ce6f (Tor URL the note directs the victim to)
Signatures
Gandcrab
GandCrab is a ransomware family: it encrypts user files, appends an extension to each one and drops a ransom note pointing to a Tor (.onion) site (the extracted config above).
Deletes shadow copies 2 TTPs
Ransomware deletes Volume Shadow Copies to inhibit system recovery; here the sample spawns wmic.exe with "shadowcopy delete" (see Processes).
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files; this sample appends .rsahiyv to the original name.
Processes:
4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- File renamed C:\Users\Admin\Pictures\FormatResize.tiff => C:\Users\Admin\Pictures\FormatResize.tiff.rsahiyv
- File renamed C:\Users\Admin\Pictures\SaveBlock.tif => C:\Users\Admin\Pictures\SaveBlock.tif.rsahiyv
- File renamed C:\Users\Admin\Pictures\ConvertFromHide.png => C:\Users\Admin\Pictures\ConvertFromHide.png.rsahiyv
- File renamed C:\Users\Admin\Pictures\DisableRedo.png => C:\Users\Admin\Pictures\DisableRedo.png.rsahiyv
- File renamed C:\Users\Admin\Pictures\EnterUnblock.crw => C:\Users\Admin\Pictures\EnterUnblock.crw.rsahiyv
- File renamed C:\Users\Admin\Pictures\ExportOpen.png => C:\Users\Admin\Pictures\ExportOpen.png.rsahiyv
- File opened for modification C:\Users\Admin\Pictures\FormatResize.tiff
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), most likely to geofence execution by locale.
Processes:
4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Drops startup file 2 IoCs
Processes:
4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\be44c98cbe44ce61417.lock
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RSAHIYV-DECRYPT.txt
The two files are the ransom note and the sample's .lock marker (the same pair is dropped in Program Files and Program Files (x86)); neither is a Word template or add-in, so this is the encryption walk passing through the Word STARTUP folder rather than a persistence mechanism.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive. Every letter except C: and D: was probed, which is the drive sweep a ransomware encryptor performs to find mapped and removable volumes.
Processes:
4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- File opened (read-only) \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (24 IoCs, one per drive letter)
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"
Drops file in Program Files directory 35 IoCs
Processes:
4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
File created (ransom note and .lock marker in each Program Files root):
- C:\Program Files\RSAHIYV-DECRYPT.txt
- C:\Program Files (x86)\be44c98cbe44ce61417.lock
- C:\Program Files (x86)\RSAHIYV-DECRYPT.txt
- C:\Program Files\be44c98cbe44ce61417.lock
File opened for modification (files being encrypted in place):
- C:\Program Files\UnlockResume.mp4
- C:\Program Files\AssertDisable.aiff
- C:\Program Files\GrantBackup.ex_
- C:\Program Files\ImportConvertTo.snd
- C:\Program Files\SyncShow.vssm
- C:\Program Files\ApproveDebug.php
- C:\Program Files\ProtectInitialize.3gp2
- C:\Program Files\ReadRename.avi
- C:\Program Files\ApproveEnter.mov
- C:\Program Files\AssertUnprotect.mpeg2
- C:\Program Files\EnterRegister.vsw
- C:\Program Files\ImportDismount.reg
- C:\Program Files\InitializeDisconnect.mhtml
- C:\Program Files\ResizeComplete.kix
- C:\Program Files\StepSuspend.xlt
- C:\Program Files\UpdateFormat.xltm
- C:\Program Files\ClearOpen.AAC
- C:\Program Files\CompareSend.wmv
- C:\Program Files\ExpandWatch.rmi
- C:\Program Files\FindSwitch.txt
- C:\Program Files\RegisterOpen.xlt
- C:\Program Files\ApproveAssert.mp3
- C:\Program Files\RemoveRedo.dxf
- C:\Program Files\RevokeFormat.docx
- C:\Program Files\UnpublishRead.mht
- C:\Program Files\DismountConvertTo.3gp2
- C:\Program Files\StepUndo.mpeg
- C:\Program Files\CopyCompare.mpeg3
- C:\Program Files\PopEnter.xsl
- C:\Program Files\ProtectCopy.vsdx
- C:\Program Files\SwitchCopy.dib
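The rename IoCs under "Modifies extensions of user files" and the note/marker drops under "Drops startup file" and "Drops file in Program Files directory" together give everything needed to triage an infected host: the appended extension, the note name derived from it, and the marker file. The following is an added example (not part of the sandbox output) that infers the extension from the rename lines, derives the note name using the convention this report shows (extension upper-cased plus -DECRYPT.txt; treating that as general is an assumption), and classifies a constructed file listing built from paths in the report plus one untouched system file.

```python
"""Infer the ransom extension and note name from the rename IoCs in this report, then
triage a file listing for encrypted files, notes and marker files. Added example, not
sandbox output; the listing is constructed from paths in the report plus one untouched
system file. The note-name convention (extension upper-cased + -DECRYPT.txt) is the
one this report shows; treating it as general is an assumption."""
import ntpath
import re
from collections import Counter

# The six "File renamed" IoCs from the "Modifies extensions of user files" signature.
RENAME_IOCS = [
    r"File renamed C:\Users\Admin\Pictures\FormatResize.tiff => C:\Users\Admin\Pictures\FormatResize.tiff.rsahiyv",
    r"File renamed C:\Users\Admin\Pictures\SaveBlock.tif => C:\Users\Admin\Pictures\SaveBlock.tif.rsahiyv",
    r"File renamed C:\Users\Admin\Pictures\ConvertFromHide.png => C:\Users\Admin\Pictures\ConvertFromHide.png.rsahiyv",
    r"File renamed C:\Users\Admin\Pictures\DisableRedo.png => C:\Users\Admin\Pictures\DisableRedo.png.rsahiyv",
    r"File renamed C:\Users\Admin\Pictures\EnterUnblock.crw => C:\Users\Admin\Pictures\EnterUnblock.crw.rsahiyv",
    r"File renamed C:\Users\Admin\Pictures\ExportOpen.png => C:\Users\Admin\Pictures\ExportOpen.png.rsahiyv",
]

# Constructed post-infection listing: paths from the report plus one untouched system file.
SAMPLE_LISTING = [
    r"C:\RSAHIYV-DECRYPT.txt",
    r"C:\Users\Admin\Pictures\FormatResize.tiff.rsahiyv",
    r"C:\Users\Admin\Pictures\SaveBlock.tif.rsahiyv",
    r"C:\Users\Admin\Pictures\ConvertFromHide.png.rsahiyv",
    r"C:\Users\Admin\Pictures\DisableRedo.png.rsahiyv",
    r"C:\Users\Admin\Pictures\EnterUnblock.crw.rsahiyv",
    r"C:\Users\Admin\Pictures\ExportOpen.png.rsahiyv",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\be44c98cbe44ce61417.lock",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RSAHIYV-DECRYPT.txt",
    r"C:\Program Files\RSAHIYV-DECRYPT.txt",
    r"C:\Program Files\be44c98cbe44ce61417.lock",
    r"C:\Program Files (x86)\RSAHIYV-DECRYPT.txt",
    r"C:\Program Files (x86)\be44c98cbe44ce61417.lock",
    r"C:\Windows\System32\notepad.exe",  # constructed: a file the sample did not touch
]

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")


def infer_ransom_extension(rename_iocs):
    """Return the one suffix appended to every renamed file, or None when the renames
    are not a consistent 'append one suffix' pattern (a family that replaces or
    randomises extensions would not satisfy this and needs a different rule)."""
    suffixes = set()
    for line in rename_iocs:
        m = RENAME_RE.match(line)
        if not m:
            continue
        src, dst = m.group("src"), m.group("dst")
        if not dst.startswith(src) or len(dst) == len(src):
            return None
        suffixes.add(dst[len(src):])
    return suffixes.pop() if len(suffixes) == 1 else None


def expected_note_name(ext):
    """Note filename as seen in this report: extension upper-cased + -DECRYPT.txt."""
    return ext.lstrip(".").upper() + "-DECRYPT.txt"


def triage_listing(paths, ext, lock_suffix=".lock"):
    """Classify a listing into encrypted files, note directories and marker directories,
    and recover the original names/extensions hidden behind the appended suffix."""
    note_name = expected_note_name(ext).lower()
    encrypted, note_dirs, lock_dirs = [], set(), set()
    for p in paths:
        base = ntpath.basename(p).lower()
        if base.endswith(ext.lower()):
            encrypted.append(p)
        elif base == note_name:
            note_dirs.add(ntpath.dirname(p))
        elif base.endswith(lock_suffix):
            lock_dirs.add(ntpath.dirname(p))
    originals = [p[:-len(ext)] for p in encrypted]  # strip the appended suffix only
    return {
        "encrypted_count": len(encrypted),
        "original_names": originals,
        "original_extensions": Counter(ntpath.splitext(o)[1].lower() for o in originals),
        "note_dirs": sorted(note_dirs),
        "lock_dirs": sorted(lock_dirs),
    }


if __name__ == "__main__":
    ext = infer_ransom_extension(RENAME_IOCS)
    print(ext, expected_note_name(ext))
    print(triage_listing(SAMPLE_LISTING, ext))
```

Because this sample appends rather than replaces the extension, the original filename and type survive in the encrypted name, which is what makes the recovery column useful when scoping which files need restoring from backup; the note directories double as the set of folders the encryptor actually walked.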
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Modifies system certificate store 5 IoCs
Processes:
4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = (value elided)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 0400000001000000100000008f5d770627c4983c5b9378e7d77d9bcc0300000001000000140000007e784a101c8265cc2de1f16d47b440cad90a19456800000001000000080000000000876ace99d1011d0000000100000010000000d06bc27453aa4f6d586437e5d3b37798140000000100000014000000bea8a07472506b44b7c923d8fba8ffb3576b686c090000000100000020000000301e06082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000005f0b62eab5e353ea6521651658fbb65359f443280a4afbd104d77d10f9f04c070b000000010000004a00000045007100750069006600610078002000530065006300750072006500200047006c006f00620061006c002000650042007500730069006e006500730073002000430041002d00310000000f0000000100000010000000824bae7c7cb3a15ce851a396760574a320000000010000009402000030820290308201f9a003020102020101300d06092a864886f70d0101040500305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d31301e170d3939303632313034303030305a170d3230303632313034303030305a305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d3130819f300d06092a864886f70d010101050003818d0030818902818100bae717900265b134553c49c251d5dfa7d1378fd1e781734152609b9da1172678adc7b1e8269432b5de338d3a2fdbf29a7a5a7398a35ce9fb8a731b5ce7c3bf806ccda9f4d62bc0f7f999aa63a2b147020fd4e4513a123c6c8a5a548470dbc1c590cf7245cba859c0cd339d3fa396eb8533211c3e1e3e606e769c6785c5c8c3610203010001a3663064301106096086480186f8420101040403020007300f0603551d130101ff040530030101ff301f0603551d23041830168014bea8a07472506b44b7c923d8fba8ffb3576b686c301d0603551d0e04160414bea8a07472506b44b7c923d8fba8ffb3576b686c300d06092a864886f70d01010405000381810030e20151aac7ea5fdab9d0650f30d63eda0d14496e9193271431efc4f72d45f8ecc7bfa2410d23b492f9190067bd01afcde071fc5acf64c4e09698d0a340e2018aef2707f165018a442d06657552c0861020215f6c6b0f6cae091caff2a21834c475a4731cf18ddcefadf9b376b492bfdc95101ebecbc83b5a8460195694a955
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = (value elided)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = (value elided)
The key name is the SHA-1 thumbprint of the public root "Equifax Secure Global eBusiness CA-1"; its DER-encoded certificate, friendly name and validity (1999-06-21 to 2020-06-21, already expired at analysis time) are readable in the blob. AuthRoot\Certificates is the store that Windows' automatic root update populates when CryptoAPI builds a chain to a root it has not cached, so this write is a side effect of certificate validation triggered by the sample, not the sample installing a root of its own; a new entry under ROOT\Certificates would be the thing to worry about.
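To check that reading of the registry write rather than take it on trust, the Blob value can be decoded offline. The following is an added example (not sandbox output) that parses the CryptoAPI serialized-certificate-context format stored in the Blob (a run of property-id / reserved=1 / length / data records, with the DER certificate under property id 32), walks the DER far enough to recover serial, issuer, subject and validity, and verifies that the registry key name, the stored SHA-1 property and the SHA-1 of the certificate all agree. The hex is the full Blob value recorded above; the property-id constants are from wincrypt.h.

```python
"""Decode the CryptoAPI certificate blob the sample wrote under
SystemCertificates\\AuthRoot\\Certificates\\<thumbprint>\\Blob (added example, not sandbox
output; the hex is the Blob value recorded above, property 32 holds the DER certificate)."""
import hashlib
import struct
from datetime import datetime, timezone

REGISTRY_KEY_THUMBPRINT = "7e784a101c8265cc2de1f16d47b440cad90a1945"  # key name in the report
ANALYSIS_TIME = datetime(2022, 8, 30, 22, 43, tzinfo=timezone.utc)  # "submitted" time on this page
CERT_SHA1_HASH_PROP_ID, CERT_FRIENDLY_NAME_PROP_ID, CERT_CERT_PROP_ID = 3,  11, 32  # wincrypt.h

# Issuer and subject Name of the embedded certificate (identical: it is self-signed).
_NAME = ("305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e"
         "312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d31")
AUTHROOT_BLOB_HEX = (
    "0400000001000000100000008f5d770627c4983c5b9378e7d77d9bcc"
    "0300000001000000140000007e784a101c8265cc2de1f16d47b440cad90a1945"
    "6800000001000000080000000000876ace99d101"
    "1d0000000100000010000000d06bc27453aa4f6d586437e5d3b37798"
    "140000000100000014000000bea8a07472506b44b7c923d8fba8ffb3576b686c"
    "090000000100000020000000301e06082b0601050507030306082b0601050507030406082b06010505070301"
    "6200000001000000200000005f0b62eab5e353ea6521651658fbb65359f443280a4afbd104d77d10f9f04c07"
    "0b000000010000004a00000045007100750069006600610078002000530065006300750072006500200047006c"
    "006f00620061006c002000650042007500730069006e006500730073002000430041002d0031000000"
    "0f0000000100000010000000824bae7c7cb3a15ce851a396760574a3"
    "200000000100000094020000"  # property 32: 660 bytes of DER follow
    "30820290308201f9a003020102020101300d06092a864886f70d0101040500" + _NAME +
    "301e170d3939303632313034303030305a170d3230303632313034303030305a" + _NAME +
    "30819f300d06092a864886f70d010101050003818d0030818902818100"
    "bae717900265b134553c49c251d5dfa7d1378fd1e781734152609b9da1172678"
    "adc7b1e8269432b5de338d3a2fdbf29a7a5a7398a35ce9fb8a731b5ce7c3bf80"
    "6ccda9f4d62bc0f7f999aa63a2b147020fd4e4513a123c6c8a5a548470dbc1c5"
    "90cf7245cba859c0cd339d3fa396eb8533211c3e1e3e606e769c6785c5c8c361"
    "0203010001a3663064301106096086480186f8420101040403020007300f0603551d130101ff040530030101ff"
    "301f0603551d23041830168014bea8a07472506b44b7c923d8fba8ffb3576b686c"
    "301d0603551d0e04160414bea8a07472506b44b7c923d8fba8ffb3576b686c"
    "300d06092a864886f70d010104050003818100"
    "30e20151aac7ea5fdab9d0650f30d63eda0d14496e9193271431efc4f72d45f8"
    "ecc7bfa2410d23b492f9190067bd01afcde071fc5acf64c4e09698d0a340e201"
    "8aef2707f165018a442d06657552c0861020215f6c6b0f6cae091caff2a21834"
    "c475a4731cf18ddcefadf9b376b492bfdc95101ebecbc83b5a8460195694a955"
)
_OID = {bytes.fromhex("550406"): "C", bytes.fromhex("55040a"): "O", bytes.fromhex("550403"): "CN"}


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_name(name):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value } -> {"C": .., "O": .., "CN": ..}."""
    out = {}
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            out[_OID.get(oid, oid.hex())] = val.decode("latin-1")
    return out


def utctime(raw):
    # RFC 5280 UTCTime YYMMDDHHMMSSZ; strptime's %y pivots at 69, the RFC at 50 (same for 1970-2049).
    return datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_certificate(der):
    """Pull serial, issuer, subject and validity out of tbsCertificate."""
    _, cert, _ = der_tlv(der)
    fields = der_children(der_children(cert)[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _sig_alg, issuer, validity, subject = fields[:5]
    not_before, not_after = (utctime(v) for _, v in der_children(validity[1]))
    return {"serial": int.from_bytes(serial[1], "big"), "issuer": parse_name(issuer[1]),
            "subject": parse_name(subject[1]), "not_before": not_before, "not_after": not_after}


def parse_cert_blob(blob):
    """Walk the (property id, reserved, length, data) records of a serialized cert context."""
    props, pos = {}, 0
    while pos < len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, pos)
        if reserved != 1:
            raise ValueError("not a certificate property record at offset %d" % pos)
        props[prop_id] = blob[pos + 12:pos + 12 + length]
        pos += 12 + length
    return props


def inspect_authroot_blob(hex_blob, key_thumbprint=REGISTRY_KEY_THUMBPRINT, now=ANALYSIS_TIME):
    props = parse_cert_blob(bytes.fromhex(hex_blob))
    der = props[CERT_CERT_PROP_ID]
    info = parse_certificate(der)
    info["friendly_name"] = props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00")
    info["thumbprint"] = props[CERT_SHA1_HASH_PROP_ID].hex()
    # Key name, stored SHA-1 property and SHA-1 of the DER must agree; a mismatch would mean
    # the entry was not written by CryptoAPI itself.
    info["thumbprint_matches_der"] = hashlib.sha1(der).hexdigest() == info["thumbprint"] == key_thumbprint
    info["expired_at_analysis"] = info["not_after"] < now
    info["prop_ids"] = sorted(props)
    return info
```

The same parser applies to any value under SystemCertificates\*\Certificates\<thumbprint>\Blob, which is how to tell a benign AuthRoot cache fill from a genuinely planted root: decode the DER, look at who it is, and compare the store path (AuthRoot versus ROOT) and the issuer against what the process had any business touching.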
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
- PID 2164 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes: wmic.exe (PID 4004), vssvc.exe (PID 3636)
- wmic.exe (PID 4004), two identical passes (42 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35, 36 (not named by the sandbox)
- vssvc.exe (PID 3636), 3 IoCs: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
wmic.exe adjusts every privilege its token holds at startup regardless of the query it runs, and the Volume Shadow Copy service needs backup/restore privileges to do its job, so the token adjustments themselves are expected; the indicator is the wmic.exe command line (shadowcopy delete), not this signature.
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
- PID 2164 (4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe) wrote to memory of PID 4004 (wmic.exe), 3 occurrences
These writes target the child the sample had just created; a parent writing into a freshly spawned child is part of normal process creation and is not, by itself, evidence of injection.
Processes
Indentation shows parent/child; PIDs are taken from the signature sections above.
C:\Users\Admin\AppData\Local\Temp\4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe (PID 2164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe"
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\wbem\wmic.exe (PID 4004, child of 2164)
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (PID 3636)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Two details matter for detection logic. The wmic.exe command line names system32\wbem\wmic.exe but the image that ran is the SysWOW64 copy: the sample is a 32-bit process and WoW64 file-system redirection resolved the path, so rules should match on the image name and arguments rather than a literal system32 path. vssvc.exe (the Volume Shadow Copy service) appears as a separate top-level process because the Service Control Manager starts it on demand to serve the WMI request; its appearance alone is not an indicator, the "shadowcopy delete" argument is.
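A detection pass over process-creation telemetry shaped like the tree above (Sysmon Event ID 1 or Security 4688 records reduced to pid, parent pid, image and command line), written as an added example that is not part of the sandbox output. The records mirror the PIDs, images and command lines the report shows; the parent PIDs of the two top-level processes and the two vssadmin.exe records are constructed, the latter to show that the same rule set covers the other common shadow-copy deletion command while leaving a read-only "vssadmin list shadows" alone.

```python
"""Flag shadow-copy deletion (ATT&CK T1490) in process-creation records. Added example
built around the process tree in this report; not sandbox output. The parent PIDs of
the two top-level processes and the two vssadmin.exe records are constructed."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe"
EVENTS = [
    {"pid": 2164, "ppid": 5500, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},  # ppid constructed
    {"pid": 4004, "ppid": 2164, "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "cmdline": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'},
    {"pid": 3636, "ppid": 712, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},  # ppid constructed (started by the SCM)
    {"pid": 5100, "ppid": 4400, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # constructed: benign, read-only
    {"pid": 5200, "ppid": 4400, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},  # constructed: the other common variant
]

# (image basename, command-line pattern, label). Matching on the basename rather than the
# full path matters here: the sample asked for system32\wbem\wmic.exe but, as a 32-bit
# process, was redirected by WoW64 to the SysWOW64 copy.
RULES = [
    ("wmic.exe", re.compile(r"\bshadowcopy\s+delete\b", re.I), "wmic shadowcopy delete"),
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I), "vssadmin delete shadows"),
    ("powershell.exe", re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))", re.I),
     "PowerShell WMI shadow copy removal"),
]

# Parent images launched from these locations deserve a higher score: the sample ran from Temp.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")


def find_shadow_copy_deletion(events):
    """Return one finding per process whose image and command line match a T1490 rule,
    enriched with the parent image (when present in the same record set) and whether
    that parent ran from a user-writable directory."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        base = ntpath.basename(e["image"]).lower()
        for rule_image, pattern, label in RULES:
            if base == rule_image and pattern.search(e["cmdline"]):
                parent = by_pid.get(e["ppid"])
                parent_image = parent["image"] if parent else None
                findings.append({
                    "pid": e["pid"], "rule": label, "technique": "T1490",
                    "parent_pid": e["ppid"], "parent_image": parent_image,
                    "parent_in_user_writable_dir": bool(parent_image) and any(
                        s in parent_image.lower() for s in USER_WRITABLE),
                })
    return findings


if __name__ == "__main__":
    for f in find_shadow_copy_deletion(EVENTS):
        print(f)
```

In production the parent lookup comes from the telemetry's own parent fields rather than a PID map built from the batch, since PIDs are reused; the rule set is deliberately command-line based because, as the AdjustPrivilegeToken and vssvc.exe entries above show, the surrounding token and service activity is identical for a legitimate shadow-copy operation.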
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4004-132-0x0000000000000000-mapping.dmp (memory dump of PID 4004, wmic.exe)