Analysis
max time kernel: 152s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 24/09/2022, 09:40
Behavioral task: behavioral1
Sample: HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
Resource: win10v2004-20220812-en
General
Target: HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
Size: 555KB
MD5: 2102422fdf58e1f1ea628e864576f437
SHA1: a071690fa220c12e9b5fa85e70dc3e7c42b30893
SHA256: fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997
SHA512: 9894a54a6c85ce3e087ef6f2a6da1a5744d71667eaa8f17d23985e15c39a425cfe53f838875573e828170ce6d3756618c4b293e3d81dfc7a7a5570daf2c0c2b6
SSDEEP: 12288:gfp3lxis8EdrQso5hnyRIAPQJno5hnyRIAQg:gfp36sN5snUPjnUQg
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | w1uvcmam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | w1uvcmam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | w1uvcmam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | w1uvcmam.exe
Executes dropped EXE 1 IoCs
pid | Process
796 | w1uvcmam.exe
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\SplitClear.png => C:\Users\Admin\Pictures\SplitClear.png.cryt0y | w1uvcmam.exe
File renamed | C:\Users\Admin\Pictures\DismountOpen.raw => C:\Users\Admin\Pictures\DismountOpen.raw.cryt0y | w1uvcmam.exe
File renamed | C:\Users\Admin\Pictures\EnableAssert.tif => C:\Users\Admin\Pictures\EnableAssert.tif.cryt0y | w1uvcmam.exe
File renamed | C:\Users\Admin\Pictures\ResumeConvertFrom.png => C:\Users\Admin\Pictures\ResumeConvertFrom.png.cryt0y | w1uvcmam.exe
File renamed | C:\Users\Admin\Pictures\ShowWait.png => C:\Users\Admin\Pictures\ShowWait.png.cryt0y | w1uvcmam.exe
File renamed | C:\Users\Admin\Pictures\UnregisterAssert.tif => C:\Users\Admin\Pictures\UnregisterAssert.tif.cryt0y | w1uvcmam.exe
File renamed | C:\Users\Admin\Pictures\UseAdd.png => C:\Users\Admin\Pictures\UseAdd.png.cryt0y | w1uvcmam.exe
File renamed | C:\Users\Admin\Pictures\GrantLimit.raw => C:\Users\Admin\Pictures\GrantLimit.raw.cryt0y | w1uvcmam.exe
File renamed | C:\Users\Admin\Pictures\InvokeExit.png => C:\Users\Admin\Pictures\InvokeExit.png.cryt0y | w1uvcmam.exe
File renamed | C:\Users\Admin\Pictures\ReadClose.crw => C:\Users\Admin\Pictures\ReadClose.crw.cryt0y | w1uvcmam.exe
Loads dropped DLL 1 IoCs
pid | Process
1048 | HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
Obfuscated with Agile.Net obfuscator 4 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/1048-54-0x0000000000C90000-0x0000000000D1E000-memory.dmp | agile_net
behavioral1/files/0x000900000001230f-62.dat | agile_net
behavioral1/files/0x000900000001230f-64.dat | agile_net
behavioral1/memory/796-65-0x0000000000E80000-0x0000000000EF6000-memory.dmp | agile_net
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | w1uvcmam.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png | w1uvcmam.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG | w1uvcmam.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\clock.css | w1uvcmam.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\background.gif | w1uvcmam.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png | w1uvcmam.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png | w1uvcmam.exe
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif | w1uvcmam.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html | w1uvcmam.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SAVE.GIF | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left_over.gif | w1uvcmam.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\drag.png | w1uvcmam.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\PREVIEW.GIF | w1uvcmam.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css | w1uvcmam.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png | w1uvcmam.exe
File created | C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat | w1uvcmam.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Casual.gif | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.XML | w1uvcmam.exe
File created | C:\Program Files\VideoLAN\VLC\uninstall.log | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | w1uvcmam.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT | w1uvcmam.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png | w1uvcmam.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml | w1uvcmam.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css | w1uvcmam.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\init.js | w1uvcmam.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP | w1uvcmam.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\gadget.xml | w1uvcmam.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\icon.png | w1uvcmam.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml | w1uvcmam.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_docked.png | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\ELPHRG01.WAV | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_justify.gif | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip | w1uvcmam.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png | w1uvcmam.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JAVA_01.MID | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html | w1uvcmam.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01770_.GIF | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\validation.js | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Country.css | w1uvcmam.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\RSSFeeds.css | w1uvcmam.exe
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml | w1uvcmam.exe
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv | w1uvcmam.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\cpu.js | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00040_.GIF | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL095.XML | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01300_.GIF | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21398_.GIF | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_center.gif | w1uvcmam.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png | w1uvcmam.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR11F.GIF | w1uvcmam.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.GIF | w1uvcmam.exe
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | w1uvcmam.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\Windows\diagnostics\index\WindowsMediaPlayerPlayDVD.xml | w1uvcmam.exe
File created | C:\Windows\diagnostics\scheduled\Maintenance\RS_RemoveUnusedDesktopIcons.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\AERO\TS_UXSMS.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Performance\RS_SwitchIntoDMA.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Performance\TS_PIOMode.ps1 | w1uvcmam.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_ja_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Printer\TS_HomeGroup.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Performance\RS_MultipleUsers.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Power\TS_Wirelessadaptersettings.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\AERO\TS_MirrorDriver.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Device\TS_HardwareDeviceMain.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Power\RS_AdjustDimDisplay.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\scheduled\Maintenance\RS_MachineWERQueue.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Audio\RS_Unmute.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Networking\InteractiveRes.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Printer\TS_CannotConnect.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\AERO\CL_AeroFeature.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Networking\NetworkDiagnosticsTroubleshoot.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Power\TS_ScreenSaver.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Printer\TS_NoPrinterInstalled.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\AERO\TS_DWMEnable.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\AERO\CL_WinSAT.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Printer\TS_OutOfToner.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\scheduled\Maintenance\TS_DiagnosticHistory.ps1 | w1uvcmam.exe
File created | C:\Windows\assembly\pubpol4.dat | w1uvcmam.exe
File opened for modification | C:\Windows\DtcInstall.log | w1uvcmam.exe
File created | C:\Windows\diagnostics\scheduled\Maintenance\RS_UserWERQueue.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\AERO\TS_HardwareSupport.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Audio\CL_Utility.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Device\TS_WindowsUpdate.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\HomeGroup\RS_LaunchInteraction.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Power\TS_DimDisplay.ps1 | w1uvcmam.exe
File opened for modification | C:\Windows\assembly\pubpol37.dat | w1uvcmam.exe
File created | C:\Windows\diagnostics\index\AudioRecordingDiagnostic.xml | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\PCW\VF_ProgramCompatibilityWizard.ps1 | w1uvcmam.exe
File opened for modification | C:\Windows\TSSysprep.log | w1uvcmam.exe
File created | C:\Windows\diagnostics\index\NetworkDiagnostics_6_DA.xml | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Power\RS_ResetIdleSleepsetting.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Printer\CL_Utility.ps1 | w1uvcmam.exe
File created | C:\Windows\mib.bin | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Device\RS_EnableDevice.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\HomeGroup\CL_Service.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Power\TS_DisplayIdleTimeout.ps1 | w1uvcmam.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_de_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Printer\RS_SpoolerCrashing.ps1 | w1uvcmam.exe
File created | C:\Windows\Boot\DVD\EFI\en-US\efisys.bin | w1uvcmam.exe
File created | C:\Windows\diagnostics\index\NetworkDiagnostics_3_HomeGroup.xml | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\AERO\RS_Themes.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Performance\TS_TooManyStartupPrograms.ps1 | w1uvcmam.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\index134.dat | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Power\RS_Adjustwirelessadaptersettings.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Device\TS_NotWorkProperly.ps1 | w1uvcmam.exe
File created | C:\Windows\Boot\DVD\PCAT\fr-FR\bootfix.bin | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Device\RS_UpdateDriver.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Device\RS_WindowsUpdate.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Power\RS_ChangeProcessorState.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Printer\RS_ProcessPrinterjobs.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Printer\RS_WrongDefaultPrinter.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Printer\TS_PrinterDriverError.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\HomeGroup\CL_Detection.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\index\NetworkDiagnostics_5_Inbound.xml | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Performance\RS_VisualEffects.ps1 | w1uvcmam.exe
File created | C:\Windows\diagnostics\system\Performance\TS_PowerMode.ps1 | w1uvcmam.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill 1 IoCs
pid | Process
1700 | taskkill.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1048 | HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1048 | HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
Token: SeDebugPrivilege | 1700 | taskkill.exe
Token: SeDebugPrivilege | 796 | w1uvcmam.exe
Token: SeDebugPrivilege | 796 | w1uvcmam.exe
Token: SeDebugPrivilege | 1732 | powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1048 | HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
1048 | HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1048 wrote to memory of 944 | 1048 | HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe | 27
PID 1048 wrote to memory of 944 | 1048 | HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe | 27
PID 1048 wrote to memory of 944 | 1048 | HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe | 27
PID 1872 wrote to memory of 796 | 1872 | cmd.exe | 31
PID 1872 wrote to memory of 796 | 1872 | cmd.exe | 31
PID 1872 wrote to memory of 796 | 1872 | cmd.exe | 31
PID 796 wrote to memory of 1732 | 796 | w1uvcmam.exe | 36
PID 796 wrote to memory of 1732 | 796 | w1uvcmam.exe | 36
PID 796 wrote to memory of 1732 | 796 | w1uvcmam.exe | 36
PID 796 wrote to memory of 1964 | 796 | w1uvcmam.exe | 37
PID 796 wrote to memory of 1964 | 796 | w1uvcmam.exe | 37
PID 796 wrote to memory of 1964 | 796 | w1uvcmam.exe | 37
Processes
- C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1048
  - \??\c:\windows\system32\cmstp.exe
    Command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\qntd4mxr.inf
    PID: 944
- C:\Windows\system32\cmd.exe
  Command line: cmd /c start C:\Windows\temp\w1uvcmam.exe
  - Suspicious use of WriteProcessMemory
  PID: 1872
  - C:\Windows\temp\w1uvcmam.exe
    Command line: C:\Windows\temp\w1uvcmam.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Modifies extensions of user files
    - Windows security modification
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 796
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Get-MpPreference -verbose
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      PID: 1732
    - C:\Windows\system32\cmd.exe
      Command line: "cmd.exe"
      PID: 1964
- C:\Windows\system32\taskkill.exe
  Command line: taskkill /IM cmstp.exe /F
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 1700
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 449KB
  MD5: 1db0b6b8d8429a19745386172720b241
  SHA1: bbe8ca48fecc9ee2e909a453e60bda1548b85898
  SHA256: 0c903b0104a81695efd95240e79ba5d93cabae598acd193ac5f629d6ca10653d
  SHA512: e483213f1e64243a8f72b75dfca4dd6998122ddf08317849d4402d118dd39a5859e60cc880523573794809a06ef4b61a36c3113d80a289277828a5340042255e
- Filesize: 583B
  MD5: 762e7afd44f01f83bfdc484f5cfbd603
  SHA1: b5386d2bbd30c1df890be6ac594a2f614dd8e2b5
  SHA256: e36e1a5dbb962545a01c567dfa639b6d40dcdda8447f6193a658b8c474dcb8af
  SHA512: 82118201c7100e2dda0a31e32443d766097f4017b626d0ab720efd15e7a7e7d7fde208df058c7d0299c53c75f3a65db329bec0613b454de6d8acb775fff42d29
- Filesize: 449KB
  MD5: 1db0b6b8d8429a19745386172720b241
  SHA1: bbe8ca48fecc9ee2e909a453e60bda1548b85898
  SHA256: 0c903b0104a81695efd95240e79ba5d93cabae598acd193ac5f629d6ca10653d
  SHA512: e483213f1e64243a8f72b75dfca4dd6998122ddf08317849d4402d118dd39a5859e60cc880523573794809a06ef4b61a36c3113d80a289277828a5340042255e
- Filesize: 75KB
  MD5: 42b2c266e49a3acd346b91e3b0e638c0
  SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
  SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
  SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81