Analysis

  • max time kernel
    470s
  • max time network
    486s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    12-09-2022 02:08

General

  • Target
    Val0ader.CL.1.5-F.exe
  • Size
    36.8MB
  • MD5
    4cf5e4a30cbb2664083e38ff54761c84
  • SHA1
    fbd57eca4462966c1216df382c3be6b9e8754a2f
  • SHA256
    cdd2cab3b753dd1a2f583f14dae86457593c6114d9e69e0e41533fcc3af450fc
  • SHA512
    b1f4d82663d6289aaf8bcbd419295614c2f7c47f12ebcd3a1d7ad04a1f85049f02788a9e312ee5264aab7dc38252bf9cfd3843b6161e088b1eb53bfa8a31bfdc
  • SSDEEP
    393216:PudOqgHWtfcf5DAh9m0LRiHrzSbGpmdXnfbm4vgOEKXDmfU4kpf/ZrYsK1/QYCvz:Pie2YxA1gUuUh/ZrYf6I3tjUP2jO

Malware Config

Extracted

Path

C:\Program Files\7-Zip\History.txt

Ransom Note
HISTORY of the 7-Zip -------------------- 21.07 2021-12-26 ------------------------- - 7-Zip now can extract VHDX disk images (Microsoft Hyper-V Virtual Hard Disk v2 format). - New switches: -spm and -im!{file_path} to exclude directories from processing for specified paths that don't contain path separator character at the end of path. - In the "Add to Archive" window, now it is allowed to use -m prefix for "Parameters" field as in command line: -mparam. - The sorting order of files in archives was slightly changed to be more consistent for cases where the name of some directory is the same as the prefix part of the name of another directory or file. - TAR archives created by 7-Zip now are more consistent with archives created by GNU TAR program. 21.06 2021-11-24 ------------------------- - The window "Add to Archive" now allows to set a limit on memory usage (RAM) that will be used for compressing. - New switch -mmemuse={N}g / -mmemuse=p{N} to set a limit on memory usage (RAM) for compressing and decompressing. - Bug in versions 21.00-21.05 was fixed: 7-Zip didn't set attributes of directories during archive extracting. - Some bugs were fixed. 21.04 beta 2021-11-02 ------------------------- - 7-Zip now reduces the number of working CPU threads for compression, if RAM size is not enough for compression with big LZMA2 dictionary. - 7-Zip now can create and check "file.sha256" text files that contain the list of file names and SHA-256 checksums in format compatible with sha256sum program. 7-Zip can work with such checksum files as with archives, but these files don't contain real file data. The context menu commands to create and test "sha256" files: 7-Zip / CRC SHA / SHA-256 -> file.sha256 7-Zip / CRC SHA / Test Archive : Checksum The commands for command line version: 7z a -thash file.sha256 *.txt 7z t -thash file.sha256 7z t -thash -shd. 
file.sha256 New -shd{dir_path} switch to set the directory that is used to check files referenced by "file.sha256" file for "Test" operation. If -shd{dir_path} is not specified, 7-Zip uses the directory where "file.sha256" is stored. - New -xtd switch to exclude directory metadata records from processing. 21.03 beta 2021-07-20 ------------------------- - The maximum dictionary size for LZMA/LZMA2 compressing was increased to 4 GB (3840 MiB). - Minor speed optimizations in LZMA/LZMA2 compressing. 21.02 alpha 2021-05-06 ------------------------- - 7-Zip now writes additional field for filename in UTF-8 encoding to zip archives. It allows to extract correct file name from zip archives on different systems. - The command line version of 7-Zip for macOS was released. - The speed for LZMA and LZMA2 decompression in arm64 versions for macOS and Linux was increased by 20%-60%. - Some changes and improvements in ZIP, TAR and NSIS code. 21.01 alpha 2021-03-09 ------------------------- - The command line version of 7-Zip for Linux was released. - The improvements for speed of ARM64 version using hardware CPU instructions for AES, CRC-32, SHA-1 and SHA-256. - The bug in versions 18.02 - 21.00 was fixed: 7-Zip could not correctly extract some ZIP archives created with xz compression method. - Some bugs were fixed. 21.00 alpha 2021-01-19 ------------------------- - Some internal changes in code. - Some bugs were fixed. - New localizations: Tajik, Uzbek (Cyrillic) 20.02 alpha 2020-08-08 ------------------------- - The default number of LZMA2 chunks per solid block in 7z archive was increased to 64. It allows to increase the compression speed for big 7z archives, if there is a big number of CPU cores and threads. - The speed of PPMd compressing/decompressing was increased for 7z/ZIP/RAR archives. - The new -ssp switch. If the switch -ssp is specified, 7-Zip doesn't allow the system to modify "Last Access Time" property of source files for archiving and hashing operations. 
- Some bugs were fixed. - New localization: Swahili. 20.00 alpha 2020-02-06 ------------------------- - 7-Zip now supports new optional match finders for LZMA/LZMA2 compression: bt5 and hc5, that can work faster than bt4 and hc4 match finders for the data with big redundancy. - The compression ratio was improved for Fast and Fastest compression levels with the following default settings: - Fastest level (-mx1) : hc5 match finder with 256 KB dictionary. - Fast level (-mx3) : hc5 match finder with 4 MB dictionary. - Minor speed optimizations in multithreaded LZMA/LZMA2 compression for Normal/Maximum/Ultra compression levels. - bzip2 decoding code was updated to support bzip2 archives, created by lbzip2 program. - Some bugs were fixed. - New localization: Turkmen. 19.02 alpha 2019-09-05 ------------------------- - 7-Zip now can unpack files encoded with Base64 encoding (b64 filename extension). - 7-Zip now can use new x86/x64 hardware instructions for SHA-1 and SHA-256, supported by AMD Ryzen and latest Intel CPUs: Ice Lake and Goldmont. It increases - the speed of SHA-1/SHA-256 hash value calculation, - the speed of encryption/decryption in zip AES, - the speed of key derivation for encryption/decryption in 7z/zip/rar archives. - The speed of zip AES encryption and 7z/zip/rar AES decryption was increased with the following improvements: - 7-Zip now can use new x86/x64 VAES (AVX Vector AES) instructions, supported by Intel Ice Lake CPU. - The existing code of x86/x64 AES-NI was improved also. - There is 2% speed optimization in 7-Zip benchmark's decompression. - Some bugs were fixed. 19.00 2019-02-21 ------------------------- - Encryption strength for 7z archives was increased: the size of random initialization vector was increased from 64-bit to 128-bit, and the pseudo-random number generator was improved. - Some bugs were fixed. 
18.06 2018-12-30 ------------------------- - The speed for LZMA/LZMA2 compressing was increased by 3-10%, and there are minor changes in compression ratio. - Some bugs were fixed. - The bug in 7-Zip 18.02-18.05 was fixed: there was memory leak in xz decoder. - 7-Zip 18.02-18.05 used only one CPU thread for bz2 archive creation. 18.05 2018-04-30 ------------------------- - The speed for LZMA/LZMA2 compressing was increased by 8% for fastest/fast compression levels and by 3% for normal/maximum compression levels. - 7-Zip now shows Properties (Info) window and CRC/SHA results window as "list view" window instead of "message box" window. - Some improvements in zip, hfs and dmg code. - Previous versions of 7-Zip could work incorrectly in "Large memory pages" mode in Windows 10 because of some BUG with "Large Pages" in Windows 10. Now 7-Zip doesn't use "Large Pages" on Windows 10 up to revision 1709 (16299). - The vulnerability in RAR unpacking code was fixed (CVE-2018-10115). - Some bugs were fixed. 18.03 beta 2018-03-04 ------------------------- - The speed for single-thread LZMA/LZMA2 decoding was increased by 30% in x64 version and by 3% in x86 version. - 7-Zip now can use multi-threading for 7z/LZMA2 decoding, if there are multiple independent data chunks in LZMA2 stream. - 7-Zip now can use multi-threading for xz decoding, if there are multiple blocks in xz stream. - New localization: Kabyle. - Some bugs were fixed. 18.01 2018-01-28 ------------------------- - 7-Zip now can unpack DMG archives that use LZFSE compression method. - 7-Zip now doesn't allow update operation for archives that have read-only attribute. - The BUG was fixed: extracting from tar with -si switch didn't set timestamps for directories. - Some bugs were fixed. 18.00 beta 2018-01-10 ------------------------- - 7-Zip now can unpack OBJ/COFF files. - new -sse switch to stop archive creating, if 7-Zip can't open some input file. - Some bugs were fixed. 
17.01 beta 2017-08-28 ------------------------- - Minor speed optimization for LZMA2 (xz and 7z) multi-threading compression. 7-Zip now uses additional memory buffers for multi-block LZMA2 compression. CPU utilization was slightly improved. - 7-zip now creates multi-block xz archives by default. Block size can be specified with -ms[Size]{m|g} switch. - xz decoder now can unpack random block from multi-block xz archives. 7-Zip File Manager now can open nested multi-block xz archives (for example, image.iso.xz) without full unpacking of xz archive. - 7-Zip now can create zip archives from stdin to stdout. - 7-Zip command line: @listfile now doesn't work after -- switch. Use -i@listfile before -- switch instead. - The BUGs were fixed: 7-Zip could add unrequired alternate file streams to WIM archives, for commands that contain filename wildcards and -sns switch. 7-Zip 17.00 beta crashed for commands that write anti-item to 7z archive. 7-Zip 17.00 beta ignored "Use large memory pages" option. 17.00 beta 2017-04-29 ------------------------- - ZIP unpacking code was improved. - 7-Zip now reserves file space before writing to file (for extraction from archive). It can reduce file fragmentation. - Some bugs were fixed. 7-Zip could crash in some cases. - Internal changes in code. 16.04 2016-10-04 ------------------------- - The bug was fixed: 7-Zip 16.03 exe installer under Vista didn't create links in Start / Programs menu. - Some bugs were fixed in RAR code. 16.03 2016-09-28 ------------------------- - Installer and SFX modules now use some protection against DLL preloading attack. - Some bugs were fixed in 7z, NSIS, SquashFS, RAR5 and another code. 16.02 2016-05-21 ------------------------- - 7-Zip now can extract multivolume ZIP archives (z01, z02, ... , zip). - Some bugs were fixed. 15.14 2015-12-31 ------------------------- - 7-Zip File Manager: - The code for "Open file from archive" operation was improved. - The code for "Tools/Options" window was improved. 
- The BUG was fixed: there was incorrect mouse cursor capture for drag-and-drop operations from open archive to Explorer window. - Some bugs were fixed. - New localization: Yoruba. 15.12 2015-11-19 ------------------------- - The release version. 15.11 beta 2015-11-14 ------------------------- - Some bugs were fixed. 15.10 beta 2015-11-01 ------------------------- - The BUG in 9.21 - 15.09 was fixed: 7-Zip could ignore some parameters, specified for archive creation operation for gzip and bzip2 formats in "Add to Archive" window and in command line version (-m switch). - Some bugs were fixed. 15.09 beta 2015-10-16 ------------------------- - 7-Zip now can extract ext2 and multivolume VMDK images. - Some bugs were fixed. 15.08 beta 2015-10-01 ------------------------- - 7-Zip now can extract ext3 and ext4 (Linux file system) images. - Some bugs were fixed. 15.07 beta 2015-09-17 ------------------------- - 7-Zip now can extract GPT images and single file QCOW2, VMDK, VDI images. - 7-Zip now can extract solid WIM archives with LZMS compression. - Some bugs were fixed. 15.06 beta 2015-08-09 ------------------------- - 7-Zip now can extract RAR5 archives. - 7-Zip now doesn't sort files by type while adding to solid 7z archive. - new -mqs switch to sort files by type while adding to solid 7z archive. - The BUG in 7-Zip File Manager was fixed: The "Move" operation to open 7z archive didn't delete empty files. - The BUG in 15.05 was fixed: console version added some text to the end of stdout stream, is -so switch was used. - The BUG in 9.30 - 15.05 was fixed: 7-Zip could not open multivolume sfx RAR archive. - Some bugs were fixed. 15.05 beta 2015-06-14 ------------------------- - 7-Zip now uses new installer. - 7-Zip now can create 7z, xz and zip archives with 1536 MB dictionary for LZMA/LZMA2. - 7-Zip File Manager now can operate with alternate file streams at NTFS volumes via "File / Alternate Streams" menu command. 
- 7-Zip now can extract .zipx (WinZip) archives that use xz compression. - new optional "section size" parameter for BCJ2 filter for compression ratio improving. Example: -mf=BCJ2:d9M, if largest executable section in files is smaller than 9 MB. - Speed optimizations for BCJ2 filter and SHA-1 and SHA-256 calculation. - Console version now uses stderr stream for error messages. - Console version now shows names of processed files only in progress line by default. - new -bb[0-3] switch to set output log level. -bb1 shows names of processed files in log. - new -bs[o|e|p][0|1|2] switch to set stream for output messages; o: output, e: error, p: progress line; 0: disable, 1: stdout, 2: stderr. - new -bt switch to show execution time statistics. - new -myx[0-9] switch to set level of file analysis. - new -mmtf- switch to set single thread mode for filters. - The BUG was fixed: 7-Zip didn't restore NTFS permissions for folders during extracting from WIM archives. - The BUG was fixed: The command line version: if the command "rn" (Rename) was called with more than one pair of paths, 7-Zip used only first rename pair. - The BUG was fixed: 7-Zip crashed for ZIP/LZMA/AES/AES-NI. - The BUG in 15.01-15.02 was fixed: 7-Zip created incorrect ZIP archives, if ZipCrypto encryption was used. 7-Zip 9.20 can extract such incorrect ZIP archives. - Some bugs were fixed. 9.38 beta 2015-01-03 ------------------------- - Some bugs were fixed. 9.36 beta 2014-12-26 ------------------------- - The BUG in command line version was fixed: 7-Zip created temporary archive in current folder during update archive operation, if -w{Path} switch was not specified. The fixed 7-Zip creates temporary archive in folder that contains updated archive. - The BUG in 9.33-9.35 was fixed: 7-Zip silently ignored file reading errors during 7z or gz archive creation, and the created archive contained only part of file that was read before error. The fixed 7-Zip stops archive creation and it reports about error. 
- Some bugs were fixed. 9.35 beta 2014-12-07 ------------------------- - The BUG was fixed: 7-Zip crashed during ZIP archive creation, if the number of CPU threads was more than 64. - The BUG in 9.31-9.34 was fixed: 7-Zip could not correctly extract ISO archives that are larger than 4 GiB. - The BUG in 9.33-9.34 was fixed: The option "Compress shared files" and -ssw switch didn't work. - The BUG in 9.26-9.34 was fixed: 7-Zip File Manager could crash for some archives open in "Flat View" mode. - Some bugs were fixed. 9.34 alpha 2014-06-22 ------------------------- - The BUG in 9.33 was fixed: Command line version of 7-Zip could work incorrectly, if there is relative path in exclude filename optiton (-x) and absolute path as include filename. - The BUG in 9.26-9.33 was fixed: 7-Zip could not open some unusual 7z archives that were created by another software (not by 7-Zip). - The BUG in 9.31-9.33 was fixed: 7-Zip could crash with switch -tcab. 9.33 alpha 2014-06-15 ------------------------- - 7-Zip now can show icons for 7-Zip items in Explorer's context menu. - "Add to archive" dialog box: - new options in "Path Mode" - new option "Delete files after compression" - new "NTFS" options for WIM and TAR formats: - Store symbolic links - Store hard links - Store alternate data streams - Store file security - "Extract" dialog box: - new optional field to set output folder name - new option "Eliminate duplication of root folder" - new option "Absolute pathnames" in "Path Mode". - new option "Restore file security" (that works for WIM archives only) - 7-Zip File Manager: - new "File / Link" dialog box in to create symbolic links and hard links. - Command line version: - new -spd switch to Disable wildcard matching for file names - new -spe switch to Eliminate duplic

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/998600095366918235/cbWfFYMCBIAPEQhltUMcv31Z8CeEMlvhVHZOkZOwvyZcZiILj3vj60uL_Wa0pDVyeRTw

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 22 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Val0ader.CL.1.5-F.exe
    "C:\Users\Admin\AppData\Local\Temp\Val0ader.CL.1.5-F.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
        3⤵
        PID:4768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -noprofile -
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4784
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4136
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FA7.tmp" "c:\Users\Admin\AppData\Local\Temp\qt2lnd4s\CSC32991452AC9D4E2099FF6F93C44E1DD.TMP"
            5⤵
            PID:4304
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4632
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4972
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CheckpointHide.mp4"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1884
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1016
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.0.1704711340\813273425" -parentBuildID 20200403170909 -prefsHandle 1556 -prefMapHandle 1544 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 1644 gpu
        3⤵
        PID:2636
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.3.2063232443\915437027" -childID 1 -isForBrowser -prefsHandle 2208 -prefMapHandle 2228 -prefsLen 122 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 1796 tab
        3⤵
        PID:4896
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.13.1310599383\976329756" -childID 2 -isForBrowser -prefsHandle 3348 -prefMapHandle 3344 -prefsLen 6904 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 3332 tab
        3⤵
        PID:1564
  • C:\Users\Admin\Downloads\output.exe
    "C:\Users\Admin\Downloads\output.exe"
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:488
  • C:\Users\Admin\Downloads\7z2107-x64.exe
    "C:\Users\Admin\Downloads\7z2107-x64.exe"
    1⤵
    • Executes dropped EXE
    • Registers COM server for autorun
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2224
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    PID:3584
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    PID:2360
    • C:\Windows\system32\takeown.exe
      takeown /fC:\Windows\System32
      2⤵
      • Modifies file permissions
      PID:3532
    • C:\Windows\system32\takeown.exe
      takeown /C:\Windows\System32
      2⤵
      • Modifies file permissions
      PID:3848
    • C:\Windows\system32\takeown.exe
      takeown /C:\Windows\System32
      2⤵
      • Modifies file permissions
      PID:1820
    • C:\Windows\system32\takeown.exe
      takeown C:\Windows\System32
      2⤵
      • Modifies file permissions
      PID:984
    • C:\Windows\system32\takeown.exe
      takeown /fC:\Windows\System32
      2⤵
      • Modifies file permissions
      PID:2652

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: File Permissions Modification (1) T1222
  • Credential Access: Credentials in Files (1) T1081
  • Discovery: Query Registry (3) T1012
  • Discovery: System Information Discovery (3) T1082
  • Discovery: Peripheral Device Discovery (1) T1120
  • Discovery: Process Discovery (1) T1057
  • Collection: Data from Local System (1) T1005
  • Command and Control: Web Service (1) T1102

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES6FA7.tmp
    Filesize: 1KB
    MD5: 665758f5fb601b808293e8069043d360
    SHA1: 561fb12e55a91f24efd0efbe008267412e094308
    SHA256: 250754cd6af41d80fae854d7bd78b7ebcc6151c7f3c45d5927ee3dbd40b3daec
    SHA512: 9c017f7c1999fa38a2160bc66742b69c6123d5f683d39a15052a11ae77888786f38788c2b408ef36c958059f3d800e028828eeeb1cd669558a425f4b136fff2d
  • C:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.dll
    Filesize: 3KB
    MD5: 08b13cdf0f3c6a9ca451e45c58b32b5d
    SHA1: 07c27ff4028634d0f51f39e1d4619e6af67d2add
    SHA256: 01feecb6b35b51bf14f11701dfbb68eed7df2ff9909abd3375d18b8c1a61edbe
    SHA512: 9f7ed8457fff6e4676f53d846f9cf27812a70edae67a97e2d298e9b7500482ff815a81813fc494afe983f5ae98c97a3c1d0079c156371325efae96e4551ce5d8
  • C:\Users\Admin\AppData\Local\Temp\temp.ps1
    Filesize: 419B
    MD5: bf77c98084bde13aa379a5527a0f5850
    SHA1: 8a4d1307c3952d00ab3279baee4a03f899de7f1c
    SHA256: c88eb353b4e1fe7f02529f9e8b48b21cee2c813674b32843136861f885053e3f
    SHA512: 8237fb209695c2568f4d3ada3181eb9a65ad16140896a5f8013ae267048ecd6994cddb25fc7ca0849bb0c484ba7be7a738a3ca0cad6e85d75587c4a2c37c60ef
  • C:\Users\Admin\Downloads\7z2107-x64.exe
    Filesize: 1.5MB
    MD5: 49839f0c227b5f9399b59f6ae94a7c7b
    SHA1: 332620e2e360d471736d714f3f5781354702d9a1
    SHA256: 0b461f0a0eccfc4f39733a80d70fd1210fdd69f600fb6b657e03940a734e5fc1
    SHA512: 4d406ddd257a28ab1521e0e28c20699a764d7a3d3c3651e9b080cbdb6dae2f7c348452b2946a1e16b00424f67b769fe44c54a9b94e9124fa219bbe2a544ee82b
  • C:\Users\Admin\Downloads\output.exe
    Filesize: 41KB
    MD5: 348036564062061947766020f527c1c7
    SHA1: 14bcddc513e71261a275573d896acf7adfdd13fb
    SHA256: cf82aa6c88b9c40f987d3f862ebfdd1915aaa749416174a0b13093b1e2f1a0ee
    SHA512: 47fed975c5733695227dbe754c79b392536bf3b2158e272f66d365c120ba0f02c26aff3cc5798b81a6aa96f0a9df9aa8cd3f4f7cdead61a01f7abdb95a5462aa

  • \??\c:\Users\Admin\AppData\Local\Temp\qt2lnd4s\CSC32991452AC9D4E2099FF6F93C44E1DD.TMP
    Filesize: 652B
    MD5: 74aebc95a015a1b143ac329d1d3d7b49
    SHA1: a2914b1085334db022f66cbe85c0aa250bd3ec85
    SHA256: 054dbe7547d34da6fdfa9627a5541d03445b3cc69144dfe9e95091aab5d05d54
    SHA512: 7c40c1b676c70f9e30254e8b121e0108817e1a6e6593c859a54bb75ef750ccacc0a20a79d3751d299e3621615cf40f5fdff3b8fa795f5ea33137391b2f0a7943
  • \??\c:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.0.cs
    Filesize: 331B
    MD5: 290cee718da5975e051415a46af47a4a
    SHA1: 8099250c47bb93d821def350b467521e7cf8d5de
    SHA256: 26d220f0926af717fb195e1ec05f2ecccee3fbd37fa92148774bb5604557c9c9
    SHA512: 306d86ec0c4bc64594b4ca336822030926eaea0873ccdbcf989a721d307b19831761a15b3a222f6ec0dcc44ba0fbacac6ffbe7da0f7a447d5d34d76f3f029510
  • \??\c:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.cmdline
    Filesize: 369B
    MD5: 139ae8dfca87bfc0128f456e2d4c25f3
    SHA1: de13500d63c2b7777bc70780019d05b029c33458
    SHA256: 4bd5d43d99a0632659f2554aee3bf607749bc2d0d2f96b0edbd52753f4fb1b16
    SHA512: a2fdb366a4f2cba0efb4fe55d5130ec209cde4cbbe2f72a526070d334349492063794f67c7dcddb404b3e48a5103b85823da37711f3782bdf156457fe7cec670
  • \??\c:\users\admin\downloads\7z2107-x64.exe
    Filesize: 1.5MB
    MD5: 49839f0c227b5f9399b59f6ae94a7c7b
    SHA1: 332620e2e360d471736d714f3f5781354702d9a1
    SHA256: 0b461f0a0eccfc4f39733a80d70fd1210fdd69f600fb6b657e03940a734e5fc1
    SHA512: 4d406ddd257a28ab1521e0e28c20699a764d7a3d3c3651e9b080cbdb6dae2f7c348452b2946a1e16b00424f67b769fe44c54a9b94e9124fa219bbe2a544ee82b
  • \Users\Admin\AppData\Local\Temp\pkg\53b88af8a78050718e1a282af077701921f1e2c7e0b4592d197eab2018240282\better-sqlite3\build\Release\better_sqlite3.node
    Filesize: 2.6MB
    MD5: 4b25dfb983845ff57360c720a429eef4
    SHA1: 51a9cad777b37f1c521c6d50b6f49379fb6d0a06
    SHA256: 53b88af8a78050718e1a282af077701921f1e2c7e0b4592d197eab2018240282
    SHA512: b808133885ef35cba2ea81d37a9f996b121a91e459c68cf5b98cab2a53f783927a0023ecc095b5664fef1bcd463f8b8b42b51f8511fda25e21141693aed4ec77
  • \Users\Admin\AppData\Local\Temp\pkg\81aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2\win-dpapi\build\Release\node-dpapi.node
    Filesize: 141KB
    MD5: dc92b8e77d869866a6af82409fae0af2
    SHA1:

                    a0edf2ddf35304854a134eac14637239fe319292

                    SHA256

                    81aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2

                    SHA512

                    dbfb1656b9aeb116993e9034d8a422a8d61d89f861221e15491d8dde04231eaa357573de59eab65b49533e03f06699a508dd27ed6b85ac94c882f505d22a0bdb

                  • memory/488-254-0x0000000000730000-0x0000000000740000-memory.dmp
                    Filesize

                    64KB

                  • memory/984-311-0x0000000000000000-mapping.dmp
                  • memory/1820-310-0x0000000000000000-mapping.dmp
                  • memory/2224-291-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-279-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-307-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-306-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-305-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-304-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-303-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-302-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-301-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-300-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-256-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-257-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-299-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-258-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-260-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-261-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-262-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-263-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-264-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-265-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-266-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-267-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-268-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-270-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-269-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-271-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-272-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-273-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-274-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-275-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-276-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-277-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-278-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-298-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-280-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-281-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-282-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-283-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-284-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-285-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-286-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-287-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-288-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-289-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-290-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-297-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-292-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-293-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-294-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-295-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2224-296-0x0000000077550000-0x00000000776DE000-memory.dmp
                    Filesize

                    1.6MB

                  • memory/2652-312-0x0000000000000000-mapping.dmp
                  • memory/2748-249-0x0000000000000000-mapping.dmp
                  • memory/3060-250-0x0000000000000000-mapping.dmp
                  • memory/3532-308-0x0000000000000000-mapping.dmp
                  • memory/3608-248-0x0000000000000000-mapping.dmp
                  • memory/3848-309-0x0000000000000000-mapping.dmp
                  • memory/4136-216-0x0000000000000000-mapping.dmp
                  • memory/4304-219-0x0000000000000000-mapping.dmp
                  • memory/4632-251-0x0000000000000000-mapping.dmp
                  • memory/4764-118-0x0000000000000000-mapping.dmp
                  • memory/4768-119-0x0000000000000000-mapping.dmp
                  • memory/4784-157-0x00000233452C0000-0x0000023345336000-memory.dmp
                    Filesize

                    472KB

                  • memory/4784-146-0x0000023344D20000-0x0000023344D5C000-memory.dmp
                    Filesize

                    240KB

                  • memory/4784-127-0x00000233442F0000-0x0000023344312000-memory.dmp
                    Filesize

                    136KB

                  • memory/4784-120-0x0000000000000000-mapping.dmp
                  • memory/4784-223-0x0000023344320000-0x0000023344328000-memory.dmp
                    Filesize

                    32KB