Analysis

max time kernel: 152s
max time network: 139s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 02:19
Static task: static1

Behavioral task: behavioral1
  Sample: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
  Resource: win10v2004-20220812-en
General

Target: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
Size: 348KB
MD5: 655198dde4fca3eeb54780d117615f8f
SHA1: bfa972be17c752b0954a557122fc595fbc59364e
SHA256: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90
SHA512: 6ee0ebee31ed8c9bb324d2d29109328578106de194880d32607fe7378a6a5a2032bc9b5b228e89cbbcfc24bdb55e2050248e00d9998a81870b43633e56f48fd3
SSDEEP: 6144:JX3ZVxStIm3Ap/d2ntk16SuDnAeaUhHkl8mRubynhwjo1lFolwMyy:JYa9AW16ljFHCqjW2wMn
Malware Config

Extracted
Path: C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\how_recover+rrh.txt
URLs:
- http://vrd463xcepsd12cd.crsoftware745.com/5FA25D1D04F6D28
- http://vr6g2curb2kcidou.expay34.com/5FA25D1D04F6D28
- http://tsbfdsv.extr6mchf.com/5FA25D1D04F6D28
- https://o7zeip6us33igmgw.onion.to/5FA25D1D04F6D28
- http://o7zeip6us33igmgw.onion/5FA25D1D04F6D28
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 5 IoCs)
Processes (pid / process):
- 1912 bcdedit.exe
- 924 bcdedit.exe
- 688 bcdedit.exe
- 432 bcdedit.exe
- 1724 bcdedit.exe

Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 2040 bmpjuacroic.exe
- 1684 bmpjuacroic.exe

Loads dropped DLL (2 IoCs)
Processes (pid / process):
- 856 ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
- 856 ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run (bmpjuacroic.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\bmpjuacroic.exe" (bmpjuacroic.exe)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- flow 5: myexternalip.com
- flow 3: myexternalip.com

Suspicious use of SetThreadContext (2 IoCs)
Processes (description / pid / process / target process):
- PID 1112 set thread context of 856: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe -> ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
- PID 2040 set thread context of 1684: bmpjuacroic.exe -> bmpjuacroic.exe

Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid / process):
- 584 vssadmin.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process):
- 1684 bmpjuacroic.exe (the same entry is repeated for all 64 IoCs)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 856 ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
- Token: SeDebugPrivilege, 1684 bmpjuacroic.exe
- Token: SeBackupPrivilege, 2008 vssvc.exe
- Token: SeRestorePrivilege, 2008 vssvc.exe
- Token: SeAuditPrivilege, 2008 vssvc.exe

Suspicious use of WriteProcessMemory (54 IoCs)
Processes (description / pid / process / target process; identical rows are grouped, with the row count in parentheses):
- PID 1112 wrote to memory of 856: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe -> ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe (11)
- PID 856 wrote to memory of 2040: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe -> bmpjuacroic.exe (4)
- PID 856 wrote to memory of 1992: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe -> cmd.exe (4)
- PID 2040 wrote to memory of 1684: bmpjuacroic.exe -> bmpjuacroic.exe (11)
- PID 1684 wrote to memory of 1912: bmpjuacroic.exe -> bcdedit.exe (4)
- PID 1684 wrote to memory of 584: bmpjuacroic.exe -> vssadmin.exe (4)
- PID 1684 wrote to memory of 924: bmpjuacroic.exe -> bcdedit.exe (4)
- PID 1684 wrote to memory of 688: bmpjuacroic.exe -> bcdedit.exe (4)
- PID 1684 wrote to memory of 432: bmpjuacroic.exe -> bcdedit.exe (4)
- PID 1684 wrote to memory of 1724: bmpjuacroic.exe -> bcdedit.exe (4)

System policy modification (1 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (bmpjuacroic.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (bmpjuacroic.exe)
Processes (process tree; the number is the depth in the tree)

1. C:\Users\Admin\AppData\Local\Temp\ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe"
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\bmpjuacroic.exe
         Command line: C:\Users\Admin\AppData\Roaming\bmpjuacroic.exe
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\bmpjuacroic.exe
            Command line: C:\Users\Admin\AppData\Roaming\bmpjuacroic.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification

            5. C:\Windows\system32\bcdedit.exe
               Command line: bcdedit.exe /set {current} bootems off
               - Modifies boot configuration data using bcdedit

            5. C:\Windows\System32\vssadmin.exe
               Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
               - Interacts with shadow copies

            5. C:\Windows\system32\bcdedit.exe
               Command line: bcdedit.exe /set {current} advancedoptions off
               - Modifies boot configuration data using bcdedit

            5. C:\Windows\system32\bcdedit.exe
               Command line: bcdedit.exe /set {current} optionsedit off
               - Modifies boot configuration data using bcdedit

            5. C:\Windows\system32\bcdedit.exe
               Command line: bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
               - Modifies boot configuration data using bcdedit

            5. C:\Windows\system32\bcdedit.exe
               Command line: bcdedit.exe /set {current} recoveryenabled off
               - Modifies boot configuration data using bcdedit

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AD71D1~1.EXE

1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\bmpjuacroic.exe
Filesize: 348KB
MD5: 655198dde4fca3eeb54780d117615f8f
SHA1: bfa972be17c752b0954a557122fc595fbc59364e
SHA256: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90
SHA512: 6ee0ebee31ed8c9bb324d2d29109328578106de194880d32607fe7378a6a5a2032bc9b5b228e89cbbcfc24bdb55e2050248e00d9998a81870b43633e56f48fd3

\Users\Admin\AppData\Roaming\bmpjuacroic.exe
Filesize: 348KB
MD5: 655198dde4fca3eeb54780d117615f8f
SHA1: bfa972be17c752b0954a557122fc595fbc59364e
SHA256: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90
SHA512: 6ee0ebee31ed8c9bb324d2d29109328578106de194880d32607fe7378a6a5a2032bc9b5b228e89cbbcfc24bdb55e2050248e00d9998a81870b43633e56f48fd3