Analysis

max time kernel: 169s
max time network: 198s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 16:35
Static task: static1

Behavioral task: behavioral1
Sample: 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
Resource: win10v2004-20221111-en
General

Target: 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
Size: 236KB
MD5: 2c9b73837f952efde030bb1dc7d18976
SHA1: c010231c403427df5a66f26caeb86a5909233b99
SHA256: 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d
SHA512: 0a60f0ae5a59da80efe53be00d4337ba76842157512b3ef2fe869a863e6d1b77a96a4255d2ecbce8266a07fc207cfdb80f0779061f6e83b293ebca7969733408
SSDEEP: 3072:2YMUflz+rRo0jSc2uCwy6irfmE0FZFUwr95N5OWISZTbUqMCa+RifgPxz+tB99y6:v+CKZy6zEbC5N52LCWYPxkBteQ
Malware Config

Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Drops startup file (1 IoCs)
Processes: explorer.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8855f3d.exe | explorer.exe
Drops file in System32 directory (14 IoCs)
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6F44E21A9D619ED3DDA892C60C09B740 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6F44E21A9D619ED3DDA892C60C09B740 | svchost.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
description | pid | process | target process
PID 1232 set thread context of 1396 | 1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
1192 | vssadmin.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0047000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-20-73-4c-9d-dc | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D42C538D-D429-4DE8-91BB-6F6E28F0AA1D}\2e-20-73-4c-9d-dc | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-20-73-4c-9d-dc\WpadDecision = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D42C538D-D429-4DE8-91BB-6F6E28F0AA1D}\WpadNetworkName = "Network 2" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-20-73-4c-9d-dc\WpadDecisionTime = 107a3f1470ffd801 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D42C538D-D429-4DE8-91BB-6F6E28F0AA1D}\WpadDecisionReason = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D42C538D-D429-4DE8-91BB-6F6E28F0AA1D}\WpadDecisionTime = 107a3f1470ffd801 | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-20-73-4c-9d-dc\WpadDecisionReason = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D42C538D-D429-4DE8-91BB-6F6E28F0AA1D} | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D42C538D-D429-4DE8-91BB-6F6E28F0AA1D}\WpadDecision = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | svchost.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes: 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe, 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
pid | process
1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
1336 |
Suspicious behavior: MapViewOfSection (3 IoCs)
Processes: 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe, explorer.exe
pid | process
1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
524 | explorer.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: vssvc.exe
description | pid | process
Token: SeBackupPrivilege | 1836 | vssvc.exe
Token: SeRestorePrivilege | 1836 | vssvc.exe
Token: SeAuditPrivilege | 1836 | vssvc.exe
Token: SeShutdownPrivilege | 1336 |
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process
1336 |
1336 |
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
pid | process
1336 |
1336 |
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
pid | process
1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
Suspicious use of WriteProcessMemory (22 IoCs)
Processes: 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe, 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe, explorer.exe
description | pid | process | target process
PID 1232 wrote to memory of 1396 | 1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
PID 1232 wrote to memory of 1396 | 1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
PID 1232 wrote to memory of 1396 | 1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
PID 1232 wrote to memory of 1396 | 1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
PID 1232 wrote to memory of 1396 | 1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
PID 1232 wrote to memory of 1396 | 1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
PID 1232 wrote to memory of 1396 | 1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
PID 1232 wrote to memory of 1396 | 1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
PID 1232 wrote to memory of 1396 | 1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
PID 1232 wrote to memory of 1396 | 1232 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
PID 1396 wrote to memory of 524 | 1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | explorer.exe
PID 1396 wrote to memory of 524 | 1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | explorer.exe
PID 1396 wrote to memory of 524 | 1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | explorer.exe
PID 1396 wrote to memory of 524 | 1396 | 8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe | explorer.exe
PID 524 wrote to memory of 588 | 524 | explorer.exe | svchost.exe
PID 524 wrote to memory of 588 | 524 | explorer.exe | svchost.exe
PID 524 wrote to memory of 588 | 524 | explorer.exe | svchost.exe
PID 524 wrote to memory of 588 | 524 | explorer.exe | svchost.exe
PID 524 wrote to memory of 1192 | 524 | explorer.exe | vssadmin.exe
PID 524 wrote to memory of 1192 | 524 | explorer.exe | vssadmin.exe
PID 524 wrote to memory of 1192 | 524 | explorer.exe | vssadmin.exe
PID 524 wrote to memory of 1192 | 524 | explorer.exe | vssadmin.exe
Processes

C:\Users\Admin\AppData\Local\Temp\8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
command line: "C:\Users\Admin\AppData\Local\Temp\8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe"
depth: 1
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1232

  C:\Users\Admin\AppData\Local\Temp\8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
  command line: C:\Users\Admin\AppData\Local\Temp\8b8db2381a7c6c2dfc0fecf811674bc43ce5e2027c4b1248a7746aa12665a38d.exe
  depth: 2
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 1396

    C:\Windows\syswow64\explorer.exe
    command line: "C:\Windows\syswow64\explorer.exe"
    depth: 3
    - Drops startup file
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 524

      C:\Windows\syswow64\svchost.exe
      command line: -k netsvcs
      depth: 4
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      PID: 588

      C:\Windows\syswow64\vssadmin.exe
      command line: vssadmin.exe Delete Shadows /All /Quiet
      depth: 4
      - Interacts with shadow copies
      PID: 1192

C:\Windows\system32\vssvc.exe
command line: C:\Windows\system32\vssvc.exe
depth: 1
- Suspicious use of AdjustPrivilegeToken
PID: 1836