8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217

General

Target

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
Size

314KB
MD5

201c52f6219061d02e59bb11988e2950
SHA1

f6825d6dcd8dfbbac5ca186818b15d4fcb18d77f
SHA256

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217
SHA512

02f6b69c6aef542e7facb67cc2a99fdb7f69d57209e215b41770faa6a46bc7ae1020872d8aad8659ceac1525c7e7dc542be5320d0aa8d249881f9a2e6b79c66e
SSDEEP

6144:Eyyzjg3u0rMoSc97kro4DtNxOaK9dAOBhmNnMOD:EyyQ3u0rMclZ0nME

Score

8^/10

bootkit persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.com	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.com	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.com	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.pif	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.pif	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.com	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.com	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.com	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.pif	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.pif	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.pif	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.pif	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.pif	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BURSH = "C:\\Window\\bursh.exe"	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

description ioc process

File opened for modification \??\PhysicalDrive0 8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1764	2204	WerFault.exe	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
3660	2204	WerFault.exe	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

4204 notepad.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

pid process

2204 8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

pid	process
4204	notepad.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

description	pid	process
Token: SeDebugPrivilege	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
Token: SeDebugPrivilege	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

pid process

2204 8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

pid	process
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

description	pid	process	target process
PID 2204 wrote to memory of 4244	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 4244	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 4244	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 3304	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 3304	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 3304	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1684	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1684	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1684	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1000	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1000	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1000	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2016	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2016	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2016	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1932	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1932	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1932	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 3056	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 3056	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 3056	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1944	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1944	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1944	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2068	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2068	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2068	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1336	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1336	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1336	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2256	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2256	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2256	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1692	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1692	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1692	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2272	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2272	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2272	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2180	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2180	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2180	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1764	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1764	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1764	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 4528	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 4528	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 4528	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1352	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1352	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 1352	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 3088	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 3088	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 3088	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 4752	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 4752	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 4752	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2492	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2492	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 2492	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 3176	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 3176	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 3176	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 2204 wrote to memory of 4204	2204	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
"C:\Users\Admin\AppData\Local\Temp\8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1000

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:2256

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1692

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1764

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:4528

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1352

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:3088

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:3176

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\BURSH_VIRUS_MESSAGE.TXT
2⤵
- Opens file in notepad (likely ransom note)
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1416
2⤵
- Program crash
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 2476
2⤵
- Program crash
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2204 -ip 2204
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2204 -ip 2204
1⤵
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BURSH_VIRUS_MESSAGE.TXT
Filesize
275B

MD5
5afc0b443327ab8786295390a6d8b32e

SHA1
9980d1e7b611f4c590afca0cab6cdae9e45835a2

SHA256
c0f207cd0143f37bc7e8c9474c42afeba851c9a277dc15b4887854064acd2eab

SHA512
1955634295b2cd6504ab9a48adf822b8fec6297ba39c65ba291990cc1ae3db3ffb3efdb2bb5c380fce3d2314d8b1ebf06b778f8d9c31a50b1918ae69364cd555

Download Submit
memory/1000-135-0x0000000000000000-mapping.dmp

Download
memory/1336-141-0x0000000000000000-mapping.dmp

Download
memory/1352-148-0x0000000000000000-mapping.dmp

Download
memory/1684-134-0x0000000000000000-mapping.dmp

Download
memory/1692-143-0x0000000000000000-mapping.dmp

Download
memory/1764-146-0x0000000000000000-mapping.dmp

Download
memory/1932-137-0x0000000000000000-mapping.dmp

Download
memory/1944-139-0x0000000000000000-mapping.dmp

Download
memory/2016-136-0x0000000000000000-mapping.dmp

Download
memory/2068-140-0x0000000000000000-mapping.dmp

Download
memory/2180-145-0x0000000000000000-mapping.dmp

Download
memory/2256-142-0x0000000000000000-mapping.dmp

Download
memory/2272-144-0x0000000000000000-mapping.dmp

Download
memory/2492-151-0x0000000000000000-mapping.dmp

Download
memory/3056-138-0x0000000000000000-mapping.dmp

Download
memory/3088-149-0x0000000000000000-mapping.dmp

Download
memory/3176-152-0x0000000000000000-mapping.dmp

Download
memory/3304-133-0x0000000000000000-mapping.dmp

Download
memory/4204-153-0x0000000000000000-mapping.dmp

Download
memory/4244-132-0x0000000000000000-mapping.dmp

Download
memory/4528-147-0x0000000000000000-mapping.dmp

Download
memory/4752-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads