Analysis
- max time kernel: 153s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 02:19
- Static task: static1
- Behavioral task: behavioral1
  Sample: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
  Resource: win7-20220812-en
- Behavioral task: behavioral2
  Sample: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
  Resource: win10v2004-20220812-en
General
- Target: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
- Size: 348KB
- MD5: 655198dde4fca3eeb54780d117615f8f
- SHA1: bfa972be17c752b0954a557122fc595fbc59364e
- SHA256: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90
- SHA512: 6ee0ebee31ed8c9bb324d2d29109328578106de194880d32607fe7378a6a5a2032bc9b5b228e89cbbcfc24bdb55e2050248e00d9998a81870b43633e56f48fd3
- SSDEEP: 6144:JX3ZVxStIm3Ap/d2ntk16SuDnAeaUhHkl8mRubynhwjo1lFolwMyy:JYa9AW16ljFHCqjW2wMn
Malware Config
Extracted
- Path: C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\how_recover+whv.txt
- URLs:
  http://vrd463xcepsd12cd.crsoftware745.com/ABCACC4ECE384311
  http://vr6g2curb2kcidou.expay34.com/ABCACC4ECE384311
  http://tsbfdsv.extr6mchf.com/ABCACC4ECE384311
  https://o7zeip6us33igmgw.onion.to/ABCACC4ECE384311
  http://o7zeip6us33igmgw.onion/ABCACC4ECE384311
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 5 IoCs)
  Processes: bcdedit.exe PID 220, PID 828, PID 3844, PID 4340, PID 4672
- Executes dropped EXE (2 IoCs)
  Processes: jdhpeacroic.exe PID 5080, PID 1556
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (by ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (by jdhpeacroic.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\jdhpeacroic.exe" (by jdhpeacroic.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run (by jdhpeacroic.exe)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: flow 3 myexternalip.com; flow 11 myexternalip.com; flow 57 myexternalip.com
- Suspicious use of SetThreadContext (2 IoCs)
  PID 4852 ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe set thread context of PID 2036 ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
  PID 5080 jdhpeacroic.exe set thread context of PID 1556 jdhpeacroic.exe
- Drops file in Program Files directory (64 IoCs)
  Process: jdhpeacroic.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Process: vssadmin.exe PID 3464
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: jdhpeacroic.exe PID 1556 (all 64 IoCs)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, PID 2036 ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
  Token: SeDebugPrivilege, PID 1556 jdhpeacroic.exe
  Token: SeBackupPrivilege, PID 3920 vssvc.exe
  Token: SeRestorePrivilege, PID 3920 vssvc.exe
  Token: SeAuditPrivilege, PID 3920 vssvc.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  PID 4852 ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe wrote to memory of PID 2036 ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
  PID 2036 ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe wrote to memory of PID 5080 jdhpeacroic.exe
  PID 2036 ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe wrote to memory of PID 4752 cmd.exe
  PID 5080 jdhpeacroic.exe wrote to memory of PID 1556 jdhpeacroic.exe
  PID 1556 jdhpeacroic.exe wrote to memory of PID 220 bcdedit.exe
  PID 1556 jdhpeacroic.exe wrote to memory of PID 3464 vssadmin.exe
  PID 1556 jdhpeacroic.exe wrote to memory of PID 828 bcdedit.exe
  PID 1556 jdhpeacroic.exe wrote to memory of PID 3844 bcdedit.exe
  PID 1556 jdhpeacroic.exe wrote to memory of PID 4340 bcdedit.exe
  PID 1556 jdhpeacroic.exe wrote to memory of PID 4672 bcdedit.exe
- System policy modification (1 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (by jdhpeacroic.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (by jdhpeacroic.exe)
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- (level 2) C:\Users\Admin\AppData\Local\Temp\ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- (level 3) C:\Users\Admin\AppData\Roaming\jdhpeacroic.exe
  Command line: C:\Users\Admin\AppData\Roaming\jdhpeacroic.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- (level 4) C:\Users\Admin\AppData\Roaming\jdhpeacroic.exe
  Command line: C:\Users\Admin\AppData\Roaming\jdhpeacroic.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
- (level 5) C:\Windows\SYSTEM32\bcdedit.exe
  Command line: bcdedit.exe /set {current} bootems off
  - Modifies boot configuration data using bcdedit
- (level 5) C:\Windows\System32\vssadmin.exe
  Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
  - Interacts with shadow copies
- (level 5) C:\Windows\SYSTEM32\bcdedit.exe
  Command line: bcdedit.exe /set {current} advancedoptions off
  - Modifies boot configuration data using bcdedit
- (level 5) C:\Windows\SYSTEM32\bcdedit.exe
  Command line: bcdedit.exe /set {current} optionsedit off
  - Modifies boot configuration data using bcdedit
- (level 5) C:\Windows\SYSTEM32\bcdedit.exe
  Command line: bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
  - Modifies boot configuration data using bcdedit
- (level 5) C:\Windows\SYSTEM32\bcdedit.exe
  Command line: bcdedit.exe /set {current} recoveryenabled off
  - Modifies boot configuration data using bcdedit
- (level 3) C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AD71D1~1.EXE
- (level 1) C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\jdhpeacroic.exe
  Filesize: 348KB
  MD5: 655198dde4fca3eeb54780d117615f8f
  SHA1: bfa972be17c752b0954a557122fc595fbc59364e
  SHA256: ad71d139a14779f1632a83d075ba1e81d83edb27acc4cd0090ac660f525a7f90
  SHA512: 6ee0ebee31ed8c9bb324d2d29109328578106de194880d32607fe7378a6a5a2032bc9b5b228e89cbbcfc24bdb55e2050248e00d9998a81870b43633e56f48fd3
- memory/220-151-0x0000000000000000-mapping.dmp
- memory/828-153-0x0000000000000000-mapping.dmp
- memory/1556-145-0x0000000000000000-mapping.dmp
- memory/1556-157-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
- memory/1556-150-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
- memory/1556-149-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
- memory/1556-148-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
- memory/2036-138-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
- memory/2036-133-0x0000000000000000-mapping.dmp
- memory/2036-137-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
- memory/2036-134-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
- memory/2036-136-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
- memory/2036-143-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
- memory/3464-152-0x0000000000000000-mapping.dmp
- memory/3844-154-0x0000000000000000-mapping.dmp
- memory/4340-155-0x0000000000000000-mapping.dmp
- memory/4672-156-0x0000000000000000-mapping.dmp
- memory/4752-142-0x0000000000000000-mapping.dmp
- memory/4852-135-0x0000000000EF0000-0x0000000000EF3000-memory.dmp (Filesize: 12KB)
- memory/4852-132-0x0000000000EF0000-0x0000000000EF3000-memory.dmp (Filesize: 12KB)
- memory/5080-139-0x0000000000000000-mapping.dmp
- memory/5080-144-0x0000000000910000-0x0000000000913000-memory.dmp (Filesize: 12KB)