ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928

Analysis

max time kernel
153s
max time network
180s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
Size

916KB
MD5

050b01e4e61e6e07973f230fbd7b5710
SHA1

cff45b1f2a471b0f329a8167937aaac7fae9b157
SHA256

ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928
SHA512

43daee52faf96a88e8d5f410c9ecb2ea008ad7ea848ef011412d8953617d3626494f812129cfb5a3044cc8f69cd1d9c9f5f1afe9f28fc4deee695043f5549e75
SSDEEP

12288:VtwVHekR9k8FDTJjwPFO1cH10nQSOgQwF2UWamEgp6ScqOeyB6:VtaTkkD1jQFb10D2U+E8rz

Score

8^/10

evasion

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe

Disables Task Manager via registry modification
evasion

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\H:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\N:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\S:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\X:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\Y:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\U:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\B:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\F:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\G:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\J:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\L:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\R:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\T:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\V:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\Z:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\E:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\I:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\M:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\O:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\P:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\Q:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\W:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
File opened (read-only)	\??\K:	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1320	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	27
PID 1732 wrote to memory of 1320	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	27
PID 1732 wrote to memory of 1320	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	27
PID 1732 wrote to memory of 1320	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	27
PID 1732 wrote to memory of 1340	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	29
PID 1732 wrote to memory of 1340	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	29
PID 1732 wrote to memory of 1340	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	29
PID 1732 wrote to memory of 1340	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	29
PID 1732 wrote to memory of 840	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	31
PID 1732 wrote to memory of 840	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	31
PID 1732 wrote to memory of 840	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	31
PID 1732 wrote to memory of 840	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	31
PID 1340 wrote to memory of 1628	1340	cmd.exe	33
PID 1340 wrote to memory of 1628	1340	cmd.exe	33
PID 1340 wrote to memory of 1628	1340	cmd.exe	33
PID 1340 wrote to memory of 1628	1340	cmd.exe	33
PID 1628 wrote to memory of 268	1628	net.exe	35
PID 1628 wrote to memory of 268	1628	net.exe	35
PID 1628 wrote to memory of 268	1628	net.exe	35
PID 1628 wrote to memory of 268	1628	net.exe	35
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8
PID 1732 wrote to memory of 1128	1732	ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe	8

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe
  "C:\Users\Admin\AppData\Local\Temp\ebb13cc93e7ee7e3cf7272097410f36849c1ce01d9c5e16416d468a2d2f08928.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart.exe
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\WINDOWS\SysWOW64\net.exe
      net user administrator websos
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user administrator websos
        5⤵
        
        PID:268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\1exe.cmd
    3⤵
    PID:840

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-614539738-14984774061632288113-636241726-1492203388-1621562806-347098863594002799"
1⤵
PID:960

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1956

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1764

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\1exe.cmd

Filesize
24B

MD5
e5fad0eebdbdb290ba8e7e45b783eb80

SHA1
d0134651bc51f9b818508dbdb21690800c5ed127

SHA256
15c12f019428c39e6a96d46fb531b763d0dea5151e23376a6aabe2e05180aa83

SHA512
e61a0756f71654febc40f181a01df302eb0c1328f87e5ae8138b7f9a7414027ad9b913d9d5381a8497f25439fa8fed5b80dbacc3c4b760e8c40f256872857469

Download Submit
memory/1732-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download