Resubmissions
19-01-2023 10:17
230119-mbpsksff79 1014-11-2022 04:26
221114-e2qhsseg47 1020-01-2022 19:02
220120-xptc2abbh7 10Analysis
-
max time kernel
207s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
14-11-2022 04:26
Behavioral task
behavioral1
Sample
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
Resource
win10v2004-20220812-en
General
-
Target
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
-
Size
2.9MB
-
MD5
ccde3fe374a219ed3a85a0bf548542c3
-
SHA1
c1187fe0eaddee995773d6c66bcb558536e9b62c
-
SHA256
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
-
SHA512
94852c04d6f627b35a7486de166648eb43373850b862e1958e676c53fd5dc37103659fe28e2b51f2fffd815ded2745d8793d8158543ff14b1e1f0cafe2a3c63c
-
SSDEEP
49152:4dwE1vCCeShiBHJFIPiEPE3bvk6Ca89388YhwjfJNt/RgaJ2wtb:WwE1253IPiYE3bnCa8Hzj5vwwtb
Malware Config
Extracted
C:\Users\Admin\Searches\RECOVER-mfqssdj-FILES.txt
http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=cAPELqDsLGJdtvehxxlyhJ5CQfLTSKKFns74YjQWw8fvIQAsq6frqD5lS0BpfvoVGzWMpsUIWeucBxx%2B9aQXvRT29VpQa1fccyBNL3tbjmmLu%2BEatuLhU3NBo8yP6BG63YqpQ4qT%2BUhqJZQxq7iQAnjK8US6q7rWq9LSpaSUZXQRnyQFh7uZHKvSw0K2YpQd2fncQ3BEOTC7nluR0wpowFDYh47FV%2ByccMt6vdK7JgNXAj4DsB5zkE9LDB5tBFp5bVPlhxdp7JxKj9Ct34Epz7T0nIoHAbUMn4efw9SBbC1mCPg3ReiWMh9JANpVY711mSefKfRVokxqiVTXAmycjA%3D%3D
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4792 created 3372 4792 svchost.exe 75 -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1688 bcdedit.exe 1672 bcdedit.exe -
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\FindExpand.png.mfqssdj c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe File renamed C:\Users\Admin\Pictures\ReadImport.tiff => C:\Users\Admin\Pictures\ReadImport.tiff.mfqssdj c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe File opened for modification C:\Users\Admin\Pictures\ReadImport.tiff.mfqssdj c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe File renamed C:\Users\Admin\Pictures\UnpublishConvertFrom.tif => C:\Users\Admin\Pictures\UnpublishConvertFrom.tif.mfqssdj c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe File opened for modification C:\Users\Admin\Pictures\TraceWatch.tiff.mfqssdj c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe File opened for modification C:\Users\Admin\Pictures\UnpublishConvertFrom.tif.mfqssdj c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe File opened for modification C:\Users\Admin\Pictures\ReadImport.tiff c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe File opened for modification C:\Users\Admin\Pictures\TraceWatch.tiff c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe File renamed C:\Users\Admin\Pictures\FindExpand.png => C:\Users\Admin\Pictures\FindExpand.png.mfqssdj c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe File renamed C:\Users\Admin\Pictures\ResizeDisconnect.raw => C:\Users\Admin\Pictures\ResizeDisconnect.raw.mfqssdj c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe File opened for modification C:\Users\Admin\Pictures\ResizeDisconnect.raw.mfqssdj c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe File renamed C:\Users\Admin\Pictures\TraceWatch.tiff => C:\Users\Admin\Pictures\TraceWatch.tiff.mfqssdj c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-mfqssdj-FILES.txt.png" c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-mfqssdj-FILES.txt.png" c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4268 vssadmin.exe 4552 vssadmin.exe -
Modifies Control Panel 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\WallpaperStyle = "0" c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe -
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid Process 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3064 WMIC.exe Token: SeSecurityPrivilege 3064 WMIC.exe Token: SeTakeOwnershipPrivilege 3064 WMIC.exe Token: SeLoadDriverPrivilege 3064 WMIC.exe Token: SeSystemProfilePrivilege 3064 WMIC.exe Token: SeSystemtimePrivilege 3064 WMIC.exe Token: SeProfSingleProcessPrivilege 3064 WMIC.exe Token: SeIncBasePriorityPrivilege 3064 WMIC.exe Token: SeCreatePagefilePrivilege 3064 WMIC.exe Token: SeBackupPrivilege 3064 WMIC.exe Token: SeRestorePrivilege 3064 WMIC.exe Token: SeShutdownPrivilege 3064 WMIC.exe Token: SeDebugPrivilege 3064 WMIC.exe Token: SeSystemEnvironmentPrivilege 3064 WMIC.exe Token: SeRemoteShutdownPrivilege 3064 WMIC.exe Token: SeUndockPrivilege 3064 WMIC.exe Token: SeManageVolumePrivilege 3064 WMIC.exe Token: 33 3064 WMIC.exe Token: 34 3064 WMIC.exe Token: 35 3064 WMIC.exe Token: 36 3064 WMIC.exe Token: SeIncreaseQuotaPrivilege 3064 WMIC.exe Token: SeSecurityPrivilege 3064 WMIC.exe Token: SeTakeOwnershipPrivilege 3064 WMIC.exe Token: SeLoadDriverPrivilege 3064 WMIC.exe Token: SeSystemProfilePrivilege 3064 WMIC.exe Token: SeSystemtimePrivilege 3064 WMIC.exe Token: SeProfSingleProcessPrivilege 3064 WMIC.exe Token: SeIncBasePriorityPrivilege 3064 WMIC.exe Token: SeCreatePagefilePrivilege 3064 WMIC.exe Token: SeBackupPrivilege 3064 WMIC.exe Token: SeRestorePrivilege 3064 WMIC.exe Token: SeShutdownPrivilege 3064 WMIC.exe Token: SeDebugPrivilege 3064 WMIC.exe Token: SeSystemEnvironmentPrivilege 3064 WMIC.exe Token: SeRemoteShutdownPrivilege 3064 WMIC.exe Token: SeUndockPrivilege 3064 WMIC.exe Token: SeManageVolumePrivilege 3064 WMIC.exe Token: 33 3064 WMIC.exe Token: 34 3064 WMIC.exe Token: 35 3064 WMIC.exe Token: 36 3064 WMIC.exe Token: SeIncreaseQuotaPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeSecurityPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeTakeOwnershipPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeLoadDriverPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeSystemProfilePrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeSystemtimePrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeProfSingleProcessPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeIncBasePriorityPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeCreatePagefilePrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeBackupPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeRestorePrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeShutdownPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeDebugPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeSystemEnvironmentPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeChangeNotifyPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeRemoteShutdownPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeUndockPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeManageVolumePrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeImpersonatePrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: SeCreateGlobalPrivilege 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: 33 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe Token: 34 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3372 wrote to memory of 2276 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 76 PID 3372 wrote to memory of 2276 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 76 PID 3372 wrote to memory of 2276 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 76 PID 2276 wrote to memory of 3064 2276 cmd.exe 78 PID 2276 wrote to memory of 3064 2276 cmd.exe 78 PID 2276 wrote to memory of 3064 2276 cmd.exe 78 PID 3372 wrote to memory of 3032 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 80 PID 3372 wrote to memory of 3032 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 80 PID 3372 wrote to memory of 3032 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 80 PID 3032 wrote to memory of 2164 3032 cmd.exe 82 PID 3032 wrote to memory of 2164 3032 cmd.exe 82 PID 3032 wrote to memory of 2164 3032 cmd.exe 82 PID 3372 wrote to memory of 2416 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 83 PID 3372 wrote to memory of 2416 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 83 PID 3372 wrote to memory of 2416 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 83 PID 2416 wrote to memory of 2220 2416 cmd.exe 85 PID 2416 wrote to memory of 2220 2416 cmd.exe 85 PID 2416 wrote to memory of 2220 2416 cmd.exe 85 PID 3372 wrote to memory of 3556 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 86 PID 3372 wrote to memory of 3556 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 86 PID 3372 wrote to memory of 3556 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 86 PID 3372 wrote to memory of 3144 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 89 PID 3372 wrote to memory of 3144 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 89 PID 3372 wrote to memory of 3144 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 89 PID 3372 wrote to memory of 1692 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 91 PID 3372 wrote to memory of 1692 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 91 PID 3144 wrote to memory of 3568 3144 cmd.exe 92 PID 3144 wrote to memory of 3568 3144 cmd.exe 92 PID 3144 wrote to memory of 3568 3144 cmd.exe 92 PID 3372 wrote to memory of 1628 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 94 PID 3372 wrote to memory of 1628 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 94 PID 3372 wrote to memory of 1628 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 94 PID 1628 wrote to memory of 5052 1628 cmd.exe 96 PID 1628 wrote to memory of 5052 1628 cmd.exe 96 PID 1628 wrote to memory of 5052 1628 cmd.exe 96 PID 1692 wrote to memory of 4552 1692 cmd.exe 97 PID 1692 wrote to memory of 4552 1692 cmd.exe 97 PID 4792 wrote to memory of 4512 4792 svchost.exe 98 PID 4792 wrote to memory of 4512 4792 svchost.exe 98 PID 4792 wrote to memory of 4512 4792 svchost.exe 98 PID 4512 wrote to memory of 4256 4512 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 99 PID 4512 wrote to memory of 4256 4512 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 99 PID 4512 wrote to memory of 4256 4512 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 99 PID 4256 wrote to memory of 3048 4256 cmd.exe 102 PID 4256 wrote to memory of 3048 4256 cmd.exe 102 PID 4256 wrote to memory of 3048 4256 cmd.exe 102 PID 3372 wrote to memory of 316 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 104 PID 3372 wrote to memory of 316 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 104 PID 316 wrote to memory of 1444 316 cmd.exe 106 PID 316 wrote to memory of 1444 316 cmd.exe 106 PID 3372 wrote to memory of 4336 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 107 PID 3372 wrote to memory of 4336 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 107 PID 4336 wrote to memory of 1688 4336 cmd.exe 109 PID 4336 wrote to memory of 1688 4336 cmd.exe 109 PID 3372 wrote to memory of 4768 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 111 PID 3372 wrote to memory of 4768 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 111 PID 4768 wrote to memory of 1672 4768 cmd.exe 113 PID 4768 wrote to memory of 1672 4768 cmd.exe 113 PID 3372 wrote to memory of 3636 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 114 PID 3372 wrote to memory of 3636 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 114 PID 3636 wrote to memory of 3520 3636 cmd.exe 116 PID 3636 wrote to memory of 3520 3636 cmd.exe 116 PID 3372 wrote to memory of 2236 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 124 PID 3372 wrote to memory of 2236 3372 c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe 124
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exeC:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe --access-token 123451⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"2⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get UUID3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2L:1"2⤵
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\fsutil.exefsutil behavior set SymlinkEvaluation R2L:13⤵PID:2164
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2R:1"2⤵
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\fsutil.exefsutil behavior set SymlinkEvaluation R2R:13⤵PID:2220
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "iisreset.exe /stop"2⤵PID:3556
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"2⤵
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f3⤵PID:3568
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"2⤵
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4552
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "arp -a"2⤵
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\ARP.EXEarp -a3⤵PID:5052
-
-
-
C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe"C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe" --child --access-token 123452⤵
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"3⤵
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get UUID4⤵PID:3048
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"2⤵
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\System32\Wbem\WMIC.exewmic.exe Shadowcopy Delete3⤵PID:1444
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "bcdedit /set {default}"2⤵
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\system32\bcdedit.exebcdedit /set {default}3⤵
- Modifies boot configuration data using bcdedit
PID:1688
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"2⤵
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:1672
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""2⤵
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\system32\cmd.execmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"3⤵PID:3520
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"2⤵PID:2236
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4268
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"2⤵PID:3740
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe Shadowcopy Delete3⤵PID:2316
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""2⤵PID:2040
-
C:\Windows\system32\cmd.execmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"3⤵PID:4952
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4792
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2032
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2516