daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b

Analysis

max time kernel
150s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
Size

773KB
MD5

f47b209aa25c3426286be59241c54080
SHA1

5ea33d22675205abee0456816607df747f1d8fd9
SHA256

daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b
SHA512

082ff17de2f0d3d39230a357f243e81ad5ac9b78b515d1097ca613707ddb44721dd96900d55009c7bc732e4d5bfc03bf8902a0c71d9caa771d93cd0dd6951aa7
SSDEEP

24576:jmLWMKfN5UrJFZQg3V8Y3gkatvpyn/xJ9TVHYcY:jb3U5XrYDypqcY

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-dcxclmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. KMYC634-LW3PJWD-7PNFIAC-IASBZDO-VQMNGEM-ISP7GF3-CRVJMUG-3BWD2C6 LNRXO73-HIX6Q45-K36KK6U-YGKRT2N-DXNMWBH-D7BSSO3-K2ZPHCL-RILXCLP 3TVITJU-H4MF6PW-RCYGVX7-BGFLF7W-LJU4VM2-4WBCWQ3-N4ECBT2-Z46VYZO Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\Users\Admin\Documents\Decrypt-All-Files-dcxclmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. KMYC634-LW3PJWD-7PNFIAC-IASBZDO-VQMNGEM-ISP7GF3-CRVJMUG-3BWD2C6 LNRXO73-HIX6Q45-K36KK6U-YGKRT2N-DXNMWBH-D7BSSO3-K2ZPHCL-RILXCLP 3TVITJU-H4MF6PW-RCYGVX7-BGFLF7W-LJU4P62-SHBCWQ3-N4ECBT2-Z46VHJT Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\nydzthc.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

pcrcyge.exepcrcyge.exepcrcyge.exepcrcyge.exe

pid process

1500 pcrcyge.exe
1364 pcrcyge.exe
1464 pcrcyge.exe
556 pcrcyge.exe

pid	process
1500	pcrcyge.exe
1364	pcrcyge.exe
1464	pcrcyge.exe
556	pcrcyge.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\InitializeClear.CRW.dcxclmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\JoinShow.CRW.dcxclmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\FormatRevoke.RAW.dcxclmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\PublishExit.CRW.dcxclmn	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pcrcyge.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation pcrcyge.exe
Loads dropped DLL 3 IoCs

Processes:

daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exepcrcyge.exepcrcyge.exe

pid process

1692 daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
1500 pcrcyge.exe
1464 pcrcyge.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	pcrcyge.exe

pid	process
1692	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
1500	pcrcyge.exe
1464	pcrcyge.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

pcrcyge.exepcrcyge.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\06 - Clark Gable.mp3	pcrcyge.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\06 - Clark Gable.mp3	pcrcyge.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\Decrypt-All-Files-dcxclmn.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exepcrcyge.exepcrcyge.exe

description	pid	process	target process
PID 1692 set thread context of 1136	1692	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
PID 1500 set thread context of 1364	1500	pcrcyge.exe	pcrcyge.exe
PID 1464 set thread context of 556	1464	pcrcyge.exe	pcrcyge.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-dcxclmn.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-dcxclmn.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe	nsis_installer_2

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

812 vssadmin.exe

pid	process
812	vssadmin.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061003200380062003200320034002d0031006100380032002d0031003100650064002d0062003900380066002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exepcrcyge.exe

pid	process
1136	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe
1364	pcrcyge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1392 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pcrcyge.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1364 pcrcyge.exe
Token: SeDebugPrivilege 1364 pcrcyge.exe
Token: SeShutdownPrivilege 1392 Explorer.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pcrcyge.exe

pid process

556 pcrcyge.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pcrcyge.exe

pid process

556 pcrcyge.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pcrcyge.exe

pid process

556 pcrcyge.exe
556 pcrcyge.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1392 Explorer.EXE

pid	process
1392	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1364	pcrcyge.exe
Token: SeDebugPrivilege	1364	pcrcyge.exe
Token: SeShutdownPrivilege	1392	Explorer.EXE

pid	process
556	pcrcyge.exe

pid	process
556	pcrcyge.exe

pid	process
556	pcrcyge.exe
556	pcrcyge.exe

pid	process
1392	Explorer.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exetaskeng.exepcrcyge.exepcrcyge.exesvchost.exepcrcyge.exe

description	pid	process	target process
PID 1692 wrote to memory of 1136	1692	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
PID 1692 wrote to memory of 1136	1692	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
PID 1692 wrote to memory of 1136	1692	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
PID 1692 wrote to memory of 1136	1692	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
PID 1692 wrote to memory of 1136	1692	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
PID 1692 wrote to memory of 1136	1692	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
PID 1692 wrote to memory of 1136	1692	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe	daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
PID 1760 wrote to memory of 1500	1760	taskeng.exe	pcrcyge.exe
PID 1760 wrote to memory of 1500	1760	taskeng.exe	pcrcyge.exe
PID 1760 wrote to memory of 1500	1760	taskeng.exe	pcrcyge.exe
PID 1760 wrote to memory of 1500	1760	taskeng.exe	pcrcyge.exe
PID 1500 wrote to memory of 1364	1500	pcrcyge.exe	pcrcyge.exe
PID 1500 wrote to memory of 1364	1500	pcrcyge.exe	pcrcyge.exe
PID 1500 wrote to memory of 1364	1500	pcrcyge.exe	pcrcyge.exe
PID 1500 wrote to memory of 1364	1500	pcrcyge.exe	pcrcyge.exe
PID 1500 wrote to memory of 1364	1500	pcrcyge.exe	pcrcyge.exe
PID 1500 wrote to memory of 1364	1500	pcrcyge.exe	pcrcyge.exe
PID 1500 wrote to memory of 1364	1500	pcrcyge.exe	pcrcyge.exe
PID 1364 wrote to memory of 584	1364	pcrcyge.exe	svchost.exe
PID 584 wrote to memory of 1560	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 1560	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 1560	584	svchost.exe	DllHost.exe
PID 1364 wrote to memory of 1392	1364	pcrcyge.exe	Explorer.EXE
PID 1364 wrote to memory of 812	1364	pcrcyge.exe	vssadmin.exe
PID 1364 wrote to memory of 812	1364	pcrcyge.exe	vssadmin.exe
PID 1364 wrote to memory of 812	1364	pcrcyge.exe	vssadmin.exe
PID 1364 wrote to memory of 812	1364	pcrcyge.exe	vssadmin.exe
PID 1364 wrote to memory of 1464	1364	pcrcyge.exe	pcrcyge.exe
PID 1364 wrote to memory of 1464	1364	pcrcyge.exe	pcrcyge.exe
PID 1364 wrote to memory of 1464	1364	pcrcyge.exe	pcrcyge.exe
PID 1364 wrote to memory of 1464	1364	pcrcyge.exe	pcrcyge.exe
PID 1464 wrote to memory of 556	1464	pcrcyge.exe	pcrcyge.exe
PID 1464 wrote to memory of 556	1464	pcrcyge.exe	pcrcyge.exe
PID 1464 wrote to memory of 556	1464	pcrcyge.exe	pcrcyge.exe
PID 1464 wrote to memory of 556	1464	pcrcyge.exe	pcrcyge.exe
PID 1464 wrote to memory of 556	1464	pcrcyge.exe	pcrcyge.exe
PID 1464 wrote to memory of 556	1464	pcrcyge.exe	pcrcyge.exe
PID 1464 wrote to memory of 556	1464	pcrcyge.exe	pcrcyge.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1392

C:\Users\Admin\AppData\Local\Temp\daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
"C:\Users\Admin\AppData\Local\Temp\daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe
"C:\Users\Admin\AppData\Local\Temp\daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:1560

C:\Windows\system32\taskeng.exe
taskeng.exe {E8BA625E-AD9C-4C61-BA4C-B6C61F40384E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:812

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe" -u
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:556

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\aubdarb
Filesize
654B

MD5
4aa34155a867cce24960064548554f53

SHA1
13f8a4be94948a1799377f0c33bdc2c32523589c

SHA256
26e21bf39b3a97d6a8d4334f0d0f57343b4f82f4028e2d448bb45468748845da

SHA512
edc4ba308333859968e580682ba40a79e6537b9005298eb6d07ab98826029c0845da981b007f565c915378ed7ea70a79c9183e5b8222c766db5cf0a7da502e5d

Download Submit
C:\ProgramData\Adobe\aubdarb
Filesize
654B

MD5
4aa34155a867cce24960064548554f53

SHA1
13f8a4be94948a1799377f0c33bdc2c32523589c

SHA256
26e21bf39b3a97d6a8d4334f0d0f57343b4f82f4028e2d448bb45468748845da

SHA512
edc4ba308333859968e580682ba40a79e6537b9005298eb6d07ab98826029c0845da981b007f565c915378ed7ea70a79c9183e5b8222c766db5cf0a7da502e5d

Download Submit
C:\ProgramData\Adobe\aubdarb
Filesize
654B

MD5
30029907a1c6d20e9d763ae343ffed43

SHA1
5ca626351582c8b62e6bf4d76b5e5d40fe10524b

SHA256
f6b6b56a734384764c526aafd42bbee48a27d1dbc5e345e681bd262999c4ff28

SHA512
7c4ea06839296379073e305075b78f103206d650feb672af3de24f78c6dbea6947b213aaa9bd57afd7fa9000f549f16b69429eafc81ce9469e178e1af9901f05

Download Submit
C:\ProgramData\Adobe\aubdarb
Filesize
654B

MD5
0e7718dcccbf86171eac53ae0af3545a

SHA1
45de9eb5a8c8e30a605aa0c558bbbec009ccd66f

SHA256
9f2bf2b3f599f53037095c42323a9f2aedcd00a4df2623f9078994d2be9ca2c8

SHA512
059599e34d55390aab0ef12b648e1341b9ddfed0bfbc3f1b67460d448652921ca33f05f905afef20f24bd1f6af8edd9f0dc3d2f494e737a812425b5a54767564

Download Submit
C:\ProgramData\nydzthc.html
Filesize
63KB

MD5
0958ea3ba0a0ef39b08d36dad906eaa2

SHA1
863922fdf5c26d721379877287f10247d4481fbc

SHA256
0968ce11e60747b997ccc85c12e7ab3dbf993731679802aa130625f0332c884c

SHA512
0bcc839ff9c6c78a3027a92091bf0b6e5e36405b73bc0f5ce7b5b47a2c183fc3b4018173fb08deeac82fac3301ef01cbc4366e9ca493af71d7fcda892599fdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
773KB

MD5
f47b209aa25c3426286be59241c54080

SHA1
5ea33d22675205abee0456816607df747f1d8fd9

SHA256
daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b

SHA512
082ff17de2f0d3d39230a357f243e81ad5ac9b78b515d1097ca613707ddb44721dd96900d55009c7bc732e4d5bfc03bf8902a0c71d9caa771d93cd0dd6951aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
773KB

MD5
f47b209aa25c3426286be59241c54080

SHA1
5ea33d22675205abee0456816607df747f1d8fd9

SHA256
daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b

SHA512
082ff17de2f0d3d39230a357f243e81ad5ac9b78b515d1097ca613707ddb44721dd96900d55009c7bc732e4d5bfc03bf8902a0c71d9caa771d93cd0dd6951aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
773KB

MD5
f47b209aa25c3426286be59241c54080

SHA1
5ea33d22675205abee0456816607df747f1d8fd9

SHA256
daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b

SHA512
082ff17de2f0d3d39230a357f243e81ad5ac9b78b515d1097ca613707ddb44721dd96900d55009c7bc732e4d5bfc03bf8902a0c71d9caa771d93cd0dd6951aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
773KB

MD5
f47b209aa25c3426286be59241c54080

SHA1
5ea33d22675205abee0456816607df747f1d8fd9

SHA256
daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b

SHA512
082ff17de2f0d3d39230a357f243e81ad5ac9b78b515d1097ca613707ddb44721dd96900d55009c7bc732e4d5bfc03bf8902a0c71d9caa771d93cd0dd6951aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
773KB

MD5
f47b209aa25c3426286be59241c54080

SHA1
5ea33d22675205abee0456816607df747f1d8fd9

SHA256
daa8c6c1ca41044a3da2b00e50eb8cbb78765fccc5bfb64c843def7c6bf5c40b

SHA512
082ff17de2f0d3d39230a357f243e81ad5ac9b78b515d1097ca613707ddb44721dd96900d55009c7bc732e4d5bfc03bf8902a0c71d9caa771d93cd0dd6951aa7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\06 - Clark Gable.mp3
Filesize
649KB

MD5
d91613b966b0199836a05e9e0267a16c

SHA1
af2aabee645dedf980adefa78152a838f02df677

SHA256
3746cbd9b3c22359f5acac02e9c505a0fb4e6dc67d7a2d4b0d014f54725d35a0

SHA512
3110827ef875fe75afc1a754353122e93368b426bfcda7a6247476cb78dcddd106ae1f3a51b999d299eb82d3ac4d8e64bdd94afc2f76a8a95b311627fdb8c242

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5FFD.tmp\handover.dll
Filesize
55KB

MD5
693c0eb5d27f069dc419f6e1b5f6661b

SHA1
3e876c7fff500a7d471c0ef07b1881b9d706fb69

SHA256
f1cb56cb1aa2dfbde2a004801c4e09a695e36c643135d5e4010d9ab7e352b357

SHA512
86269a7abf5750c196a895749ad42aa12ed9dc25d7a292487ebb1fd6e87f5baae9415abba3934862268e390cd2624441c05a2b3848ff8e49ea7f4f3125342dc9

Download Submit
\Windows\Temp\nsj70A0.tmp\handover.dll
Filesize
55KB

MD5
693c0eb5d27f069dc419f6e1b5f6661b

SHA1
3e876c7fff500a7d471c0ef07b1881b9d706fb69

SHA256
f1cb56cb1aa2dfbde2a004801c4e09a695e36c643135d5e4010d9ab7e352b357

SHA512
86269a7abf5750c196a895749ad42aa12ed9dc25d7a292487ebb1fd6e87f5baae9415abba3934862268e390cd2624441c05a2b3848ff8e49ea7f4f3125342dc9

Download Submit
\Windows\Temp\nsjBE42.tmp\handover.dll
Filesize
55KB

MD5
693c0eb5d27f069dc419f6e1b5f6661b

SHA1
3e876c7fff500a7d471c0ef07b1881b9d706fb69

SHA256
f1cb56cb1aa2dfbde2a004801c4e09a695e36c643135d5e4010d9ab7e352b357

SHA512
86269a7abf5750c196a895749ad42aa12ed9dc25d7a292487ebb1fd6e87f5baae9415abba3934862268e390cd2624441c05a2b3848ff8e49ea7f4f3125342dc9

Download Submit
memory/556-106-0x000000000048B1B7-mapping.dmp

Download
memory/556-111-0x0000000000940000-0x0000000000B80000-memory.dmp

Filesize
2.2MB

Download
memory/584-89-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

Filesize
8KB

Download
memory/584-83-0x00000000003D0000-0x0000000000444000-memory.dmp

Filesize
464KB

Download
memory/584-85-0x00000000003D0000-0x0000000000444000-memory.dmp

Filesize
464KB

Download
memory/812-95-0x0000000000000000-mapping.dmp

Download
memory/1136-66-0x0000000000400000-0x00000000004A3200-memory.dmp

Filesize
652KB

Download
memory/1136-60-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1136-58-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1136-57-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1136-61-0x000000000048B1B7-mapping.dmp

Download
memory/1136-63-0x00000000004B0000-0x00000000006BF000-memory.dmp

Filesize
2.1MB

Download
memory/1136-65-0x00000000006C0000-0x0000000000900000-memory.dmp

Filesize
2.2MB

Download
memory/1364-77-0x000000000048B1B7-mapping.dmp

Download
memory/1364-82-0x0000000000980000-0x0000000000BC0000-memory.dmp

Filesize
2.2MB

Download
memory/1392-113-0x000007FEFABC0000-0x000007FEFAD03000-memory.dmp

Filesize
1.3MB

Download
memory/1392-114-0x000007FF75EA0000-0x000007FF75EAA000-memory.dmp

Filesize
40KB

Download
memory/1464-96-0x0000000000000000-mapping.dmp

Download
memory/1464-101-0x0000000002B70000-0x0000000002B87000-memory.dmp

Filesize
92KB

Download
memory/1500-68-0x0000000000000000-mapping.dmp

Download
memory/1500-72-0x00000000004B0000-0x00000000004C7000-memory.dmp

Filesize
92KB

Download
memory/1560-88-0x0000000000000000-mapping.dmp

Download
memory/1692-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1692-56-0x0000000000520000-0x0000000000537000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads