f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
Size

1.0MB
MD5

d23c1057bfe4f1aaaf5a5a5bc37bd061
SHA1

741a668f93266819a91a8876c74126e97f3ed1cd
SHA256

f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319
SHA512

31bbf7e147dd25001b035bc68649f235488debea5adc3d54a25b3c0047b3f45b070fd4cb81d6919c972ca6747389973c07c3c94cc8bbe2304fa61c6ef35b4c5c
SSDEEP

24576:85PDHbsqZzwSRH3lPjCPH9MedZurmTR/zQu:81bsqZTH3lPjCFMa4mlzQu

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-zyjgzxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://onja764ig6vah2jo.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. OMRR3II-HMTPU5B-4HLINZO-ERGTBGY-X3TQ3B7-2VPUXFJ-7BMHOQJ-JBSWFVM 52CE5U3-SANQND2-DBYGTH3-2TGF5KP-QHYW4RW-SD27E4W-QMJ6J5V-XBCMJFC ZUQN5ZQ-INP36V6-KUCSDH2-5V55DJE-EHEO6PF-3UIZN7A-AWDPG2L-NG3RZO6 Follow the instructions on the server.

URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion/

Extracted

Path

C:\Users\Admin\Documents\Decrypt-All-Files-zyjgzxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://onja764ig6vah2jo.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. OMRR3II-HMTPU5B-4HLINZO-ERGTBGY-X3TQ3B7-2VPUXFJ-7BMHOQJ-JBSWFVM 52CE5U3-SANQND2-DBYGTH3-2TGF5KP-QHYW4RW-SD27E4W-QMJ6J5V-XBCMJFC ZUQN5ZQ-INP36V6-KUCSDH2-5V55DJE-EHEOK5F-RFIZN7A-AWDPG2L-NG3BIGF Follow the instructions on the server.

URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion/

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://onja764ig6vah2jo.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

pdfisga.exepdfisga.exepdfisga.exepdfisga.exe

pid process

1504 pdfisga.exe
1816 pdfisga.exe
920 pdfisga.exe
1160 pdfisga.exe

pid	process
1504	pdfisga.exe
1816	pdfisga.exe
920	pdfisga.exe
1160	pdfisga.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UnlockUnblock.RAW.zyjgzxi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SyncBackup.CRW.zyjgzxi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\NewRestore.RAW.zyjgzxi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ResolveEdit.CRW.zyjgzxi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\InstallClose.RAW.zyjgzxi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\PopRepair.RAW.zyjgzxi	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pdfisga.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation pdfisga.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	pdfisga.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

pdfisga.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	pdfisga.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\Decrypt-All-Files-zyjgzxi.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exepdfisga.exepdfisga.exe

description	pid	process	target process
PID 620 set thread context of 1312	620	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
PID 1504 set thread context of 1816	1504	pdfisga.exe	pdfisga.exe
PID 920 set thread context of 1160	920	pdfisga.exe	pdfisga.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-zyjgzxi.bmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-zyjgzxi.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

960 vssadmin.exe

pid	process
960	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

pdfisga.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	pdfisga.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	pdfisga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	pdfisga.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640061006500300037006100650034002d0032006100330034002d0031003100650064002d0038003600630036002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exepdfisga.exe

pid	process
1312	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
1816	pdfisga.exe
1816	pdfisga.exe
1816	pdfisga.exe
1816	pdfisga.exe
1816	pdfisga.exe
1816	pdfisga.exe
1816	pdfisga.exe
1816	pdfisga.exe
1816	pdfisga.exe
1816	pdfisga.exe
1816	pdfisga.exe
1816	pdfisga.exe
1816	pdfisga.exe
1816	pdfisga.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1192 Explorer.EXE

pid	process
1192	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pdfisga.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1816	pdfisga.exe
Token: SeDebugPrivilege	1816	pdfisga.exe
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeShutdownPrivilege	1192	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pdfisga.exe

pid process

1160 pdfisga.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pdfisga.exe

pid process

1160 pdfisga.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pdfisga.exe

pid process

1160 pdfisga.exe
1160 pdfisga.exe

pid	process
1160	pdfisga.exe

pid	process
1160	pdfisga.exe

pid	process
1160	pdfisga.exe
1160	pdfisga.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exetaskeng.exepdfisga.exepdfisga.exesvchost.exepdfisga.exe

description	pid	process	target process
PID 620 wrote to memory of 1312	620	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
PID 620 wrote to memory of 1312	620	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
PID 620 wrote to memory of 1312	620	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
PID 620 wrote to memory of 1312	620	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
PID 620 wrote to memory of 1312	620	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
PID 620 wrote to memory of 1312	620	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
PID 620 wrote to memory of 1312	620	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
PID 620 wrote to memory of 1312	620	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe	f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
PID 1628 wrote to memory of 1504	1628	taskeng.exe	pdfisga.exe
PID 1628 wrote to memory of 1504	1628	taskeng.exe	pdfisga.exe
PID 1628 wrote to memory of 1504	1628	taskeng.exe	pdfisga.exe
PID 1628 wrote to memory of 1504	1628	taskeng.exe	pdfisga.exe
PID 1504 wrote to memory of 1816	1504	pdfisga.exe	pdfisga.exe
PID 1504 wrote to memory of 1816	1504	pdfisga.exe	pdfisga.exe
PID 1504 wrote to memory of 1816	1504	pdfisga.exe	pdfisga.exe
PID 1504 wrote to memory of 1816	1504	pdfisga.exe	pdfisga.exe
PID 1504 wrote to memory of 1816	1504	pdfisga.exe	pdfisga.exe
PID 1504 wrote to memory of 1816	1504	pdfisga.exe	pdfisga.exe
PID 1504 wrote to memory of 1816	1504	pdfisga.exe	pdfisga.exe
PID 1504 wrote to memory of 1816	1504	pdfisga.exe	pdfisga.exe
PID 1816 wrote to memory of 592	1816	pdfisga.exe	svchost.exe
PID 592 wrote to memory of 1144	592	svchost.exe	DllHost.exe
PID 592 wrote to memory of 1144	592	svchost.exe	DllHost.exe
PID 592 wrote to memory of 1144	592	svchost.exe	DllHost.exe
PID 1816 wrote to memory of 1192	1816	pdfisga.exe	Explorer.EXE
PID 1816 wrote to memory of 960	1816	pdfisga.exe	vssadmin.exe
PID 1816 wrote to memory of 960	1816	pdfisga.exe	vssadmin.exe
PID 1816 wrote to memory of 960	1816	pdfisga.exe	vssadmin.exe
PID 1816 wrote to memory of 960	1816	pdfisga.exe	vssadmin.exe
PID 1816 wrote to memory of 920	1816	pdfisga.exe	pdfisga.exe
PID 1816 wrote to memory of 920	1816	pdfisga.exe	pdfisga.exe
PID 1816 wrote to memory of 920	1816	pdfisga.exe	pdfisga.exe
PID 1816 wrote to memory of 920	1816	pdfisga.exe	pdfisga.exe
PID 920 wrote to memory of 1160	920	pdfisga.exe	pdfisga.exe
PID 920 wrote to memory of 1160	920	pdfisga.exe	pdfisga.exe
PID 920 wrote to memory of 1160	920	pdfisga.exe	pdfisga.exe
PID 920 wrote to memory of 1160	920	pdfisga.exe	pdfisga.exe
PID 920 wrote to memory of 1160	920	pdfisga.exe	pdfisga.exe
PID 920 wrote to memory of 1160	920	pdfisga.exe	pdfisga.exe
PID 920 wrote to memory of 1160	920	pdfisga.exe	pdfisga.exe
PID 920 wrote to memory of 1160	920	pdfisga.exe	pdfisga.exe
PID 592 wrote to memory of 1568	592	svchost.exe	DllHost.exe
PID 592 wrote to memory of 1568	592	svchost.exe	DllHost.exe
PID 592 wrote to memory of 1568	592	svchost.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Users\Admin\AppData\Local\Temp\f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
"C:\Users\Admin\AppData\Local\Temp\f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
"C:\Users\Admin\AppData\Local\Temp\f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:1144

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:1568

C:\Windows\system32\taskeng.exe
taskeng.exe {2E49704A-2A00-4DD8-888C-0589D7E14CF2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:960

C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
"C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
"C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1160

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\xptppml
Filesize
654B

MD5
d0e91c0914cc217d418a524a86c074b0

SHA1
9f41805d9e755dccc911e7a49381f5e50ed17139

SHA256
0247c7b4adfdfe6b54e49b3484fed37e90e43233623e0ee1094cb0ecee42ca48

SHA512
d2c957c5bf457baaec7860e3a0fbfad6b60afe00db98acd71a4d19cfef82439703999ed7c8d56868f59da9ad040029b3642b9de21c6476bec1ad2311c318f443

Download Submit
C:\ProgramData\Package Cache\xptppml
Filesize
654B

MD5
d0e91c0914cc217d418a524a86c074b0

SHA1
9f41805d9e755dccc911e7a49381f5e50ed17139

SHA256
0247c7b4adfdfe6b54e49b3484fed37e90e43233623e0ee1094cb0ecee42ca48

SHA512
d2c957c5bf457baaec7860e3a0fbfad6b60afe00db98acd71a4d19cfef82439703999ed7c8d56868f59da9ad040029b3642b9de21c6476bec1ad2311c318f443

Download Submit
C:\ProgramData\Package Cache\xptppml
Filesize
654B

MD5
a8399bcaf11fed2bdd562987e7bb66e1

SHA1
d30f20c496e84c62ed259cd03ae25cd5f9f533a1

SHA256
d972998fa81b3c7493d612fb164f470cdeace932c7f0c01c596e71271193dbcf

SHA512
b8aaf4f5d1ebb2e07c678af6d5c5d69b5baac96a93615ab0481635c2edf96c9126e09e2d06b436b2843a139b4b252c96bbb7aceecefe2f35f2792722733df03a

Download Submit
C:\ProgramData\Package Cache\xptppml
Filesize
654B

MD5
4c020f680945277cdb6194fea6357652

SHA1
d89a9a9c7de8081b853139ae3a48a634399e48ff

SHA256
203850bdbe497a25d67efe0fdd296cb4c57ff48625ed536f4b8f215ede9fff06

SHA512
bccd161b259f81c3301baa5d40daf3d6ca2e5ca69734683956eb0c421d0b76082c470d166c88404b6829502b140d8c6e0333383b02f2a995e4dfb2f63d2c43df

Download Submit
C:\ProgramData\zlwdkgg.html
Filesize
62KB

MD5
89cb8fb27162d06cfd4718fd6e30770e

SHA1
daa134769247a0de85848d233151fc48fc1a6ab3

SHA256
5a39acf5dd83e959eb56422632fe0359a900cbbc6131ce5088e04cfab37985c3

SHA512
e8e1ba7c0e8a95fd27beeabfd5db07c43cb324d5e255ebc997baf4fc1654147cf65750b75d15972039b7a015758bb2c0061a1e6291e8567a6e49352e553c7d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Filesize
1.0MB

MD5
d23c1057bfe4f1aaaf5a5a5bc37bd061

SHA1
741a668f93266819a91a8876c74126e97f3ed1cd

SHA256
f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319

SHA512
31bbf7e147dd25001b035bc68649f235488debea5adc3d54a25b3c0047b3f45b070fd4cb81d6919c972ca6747389973c07c3c94cc8bbe2304fa61c6ef35b4c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Filesize
1.0MB

MD5
d23c1057bfe4f1aaaf5a5a5bc37bd061

SHA1
741a668f93266819a91a8876c74126e97f3ed1cd

SHA256
f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319

SHA512
31bbf7e147dd25001b035bc68649f235488debea5adc3d54a25b3c0047b3f45b070fd4cb81d6919c972ca6747389973c07c3c94cc8bbe2304fa61c6ef35b4c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Filesize
1.0MB

MD5
d23c1057bfe4f1aaaf5a5a5bc37bd061

SHA1
741a668f93266819a91a8876c74126e97f3ed1cd

SHA256
f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319

SHA512
31bbf7e147dd25001b035bc68649f235488debea5adc3d54a25b3c0047b3f45b070fd4cb81d6919c972ca6747389973c07c3c94cc8bbe2304fa61c6ef35b4c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Filesize
1.0MB

MD5
d23c1057bfe4f1aaaf5a5a5bc37bd061

SHA1
741a668f93266819a91a8876c74126e97f3ed1cd

SHA256
f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319

SHA512
31bbf7e147dd25001b035bc68649f235488debea5adc3d54a25b3c0047b3f45b070fd4cb81d6919c972ca6747389973c07c3c94cc8bbe2304fa61c6ef35b4c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Filesize
1.0MB

MD5
d23c1057bfe4f1aaaf5a5a5bc37bd061

SHA1
741a668f93266819a91a8876c74126e97f3ed1cd

SHA256
f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319

SHA512
31bbf7e147dd25001b035bc68649f235488debea5adc3d54a25b3c0047b3f45b070fd4cb81d6919c972ca6747389973c07c3c94cc8bbe2304fa61c6ef35b4c5c

Download Submit
memory/592-82-0x00000000003B0000-0x0000000000424000-memory.dmp

Filesize
464KB

Download
memory/592-84-0x00000000003B0000-0x0000000000424000-memory.dmp

Filesize
464KB

Download
memory/592-88-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

Filesize
8KB

Download
memory/620-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/620-60-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/620-81-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/920-95-0x0000000000000000-mapping.dmp

Download
memory/920-103-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/960-94-0x0000000000000000-mapping.dmp

Download
memory/1144-87-0x0000000000000000-mapping.dmp

Download
memory/1160-101-0x00000000012CBD1E-mapping.dmp

Download
memory/1160-108-0x0000000000C00000-0x0000000000E40000-memory.dmp

Filesize
2.2MB

Download
memory/1312-64-0x00000000006C0000-0x0000000000900000-memory.dmp

Filesize
2.2MB

Download
memory/1312-62-0x00000000004B0000-0x00000000006BF000-memory.dmp

Filesize
2.1MB

Download
memory/1312-61-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1312-59-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1312-58-0x00000000011EBD1E-mapping.dmp

Download
memory/1312-56-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1312-55-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1504-75-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-69-0x0000000074660000-0x0000000074C0B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-66-0x0000000000000000-mapping.dmp

Download
memory/1568-110-0x0000000000000000-mapping.dmp

Download
memory/1816-80-0x00000000008B0000-0x0000000000AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1816-73-0x00000000012CBD1E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads