Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
28-11-2022 02:10
Static task
static1
Behavioral task
behavioral1
Sample
ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe
Resource
win10v2004-20220812-en
General
-
Target
ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe
-
Size
328KB
-
MD5
65d63d237251c492c7c2a8617c40b53e
-
SHA1
80d06e4ed07626bcf0312b4022014cdbda934c9a
-
SHA256
ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9
-
SHA512
f9263beb29fcaa3db667866892783fd57b7ad51e8ea48703fc1b610416aa282c1e55e254cd10b510e6d327ed70a1004ef708048ece60032bd399b756973c2e40
-
SSDEEP
6144:qLAJ3I3pnzOwewUqjxGTw8NMM8iH+C+MJKzb3n3jMR/mriB9ph:qLg3I3pnzORwRjxG3i8H+C+2oLnLe
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\Recovery+bmdcp.txt
http://ytrest84y5i456hghadefdsd.pontogrot.com/39EAFB843DFE4ED3
http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/39EAFB843DFE4ED3
http://5rport45vcdef345adfkksawe.bematvocal.at/39EAFB843DFE4ED3
http://xlowfznrg4wf7dli.onion/39EAFB843DFE4ED3
http://xlowfznrg4wf7dli.ONION/39EAFB843DFE4ED3
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
Processes:
pid process
4756 skkypocxuxmg.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation skkypocxuxmg.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run skkypocxuxmg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fdqfxsopwgpu = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\skkypocxuxmg.exe\"" skkypocxuxmg.exe
-
Drops file in System32 directory 2 IoCs
Processes:
description ioc process
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{17FE615E-1CCD-4D22-BCA4-171CDA0E0881}.catalogItem svchost.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A1A6BD6F-5CCF-46C7-B1CC-63C58CB0ABB8}.catalogItem svchost.exe
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
Processes:
description ioc process
File created C:\Windows\skkypocxuxmg.exe ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe
File opened for modification C:\Windows\skkypocxuxmg.exe ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS svchost.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
4756 skkypocxuxmg.exe (the same entry is repeated for all 64 IoCs)
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1404 ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe
Token: SeDebugPrivilege 4756 skkypocxuxmg.exe
Token: SeIncreaseQuotaPrivilege 816 WMIC.exe
Token: SeSecurityPrivilege 816 WMIC.exe
Token: SeTakeOwnershipPrivilege 816 WMIC.exe
Token: SeLoadDriverPrivilege 816 WMIC.exe
Token: SeSystemProfilePrivilege 816 WMIC.exe
Token: SeSystemtimePrivilege 816 WMIC.exe
Token: SeProfSingleProcessPrivilege 816 WMIC.exe
Token: SeIncBasePriorityPrivilege 816 WMIC.exe
Token: SeCreatePagefilePrivilege 816 WMIC.exe
Token: SeBackupPrivilege 816 WMIC.exe
Token: SeRestorePrivilege 816 WMIC.exe
Token: SeShutdownPrivilege 816 WMIC.exe
Token: SeDebugPrivilege 816 WMIC.exe
Token: SeSystemEnvironmentPrivilege 816 WMIC.exe
Token: SeRemoteShutdownPrivilege 816 WMIC.exe
Token: SeUndockPrivilege 816 WMIC.exe
Token: SeManageVolumePrivilege 816 WMIC.exe
Token: 33 816 WMIC.exe
Token: 34 816 WMIC.exe
Token: 35 816 WMIC.exe
Token: 36 816 WMIC.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description pid process target process
PID 1404 wrote to memory of 4756 1404 ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe skkypocxuxmg.exe
PID 1404 wrote to memory of 4756 1404 ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe skkypocxuxmg.exe
PID 1404 wrote to memory of 4756 1404 ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe skkypocxuxmg.exe
PID 1404 wrote to memory of 4952 1404 ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe cmd.exe
PID 1404 wrote to memory of 4952 1404 ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe cmd.exe
PID 1404 wrote to memory of 4952 1404 ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe cmd.exe
PID 4756 wrote to memory of 816 4756 skkypocxuxmg.exe WMIC.exe
PID 4756 wrote to memory of 816 4756 skkypocxuxmg.exe WMIC.exe
-
System policy modification 1 TTPs 2 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System skkypocxuxmg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" skkypocxuxmg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe
  "C:\Users\Admin\AppData\Local\Temp\ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\skkypocxuxmg.exe
    C:\Windows\skkypocxuxmg.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    -
    C:\Windows\System32\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AD754D~1.EXE
-
C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\skkypocxuxmg.exe
Filesize
328KB
MD5
65d63d237251c492c7c2a8617c40b53e
SHA1
80d06e4ed07626bcf0312b4022014cdbda934c9a
SHA256
ad754d6d382007f1d57142787b9fa309fb0a94b0e6c340d24327ae3e1c4d1cd9
SHA512
f9263beb29fcaa3db667866892783fd57b7ad51e8ea48703fc1b610416aa282c1e55e254cd10b510e6d327ed70a1004ef708048ece60032bd399b756973c2e40
-
memory/816-147-0x0000000000000000-mapping.dmp
-
memory/1404-132-0x0000000002260000-0x00000000022E5000-memory.dmp
Filesize
532KB
-
memory/1404-133-0x0000000000400000-0x0000000000494000-memory.dmp
Filesize
592KB
-
memory/1404-146-0x0000000002260000-0x00000000022E5000-memory.dmp
Filesize
532KB
-
memory/4756-137-0x0000000000000000-mapping.dmp
-
memory/4756-144-0x00000000021B0000-0x0000000002235000-memory.dmp
Filesize
532KB
-
memory/4952-145-0x0000000000000000-mapping.dmp