Analysis
- max time kernel: 150s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 04:27

Static task: static1

Behavioral task: behavioral1
- Sample: 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe
- Resource: win10v2004-20221111-en
General
- Target: 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe
- Size: 1009KB
- MD5: 63280dedabfe7caec283920f1b5ee3dd
- SHA1: 5efc119e54f35770a9dae6997b550982c82cc86b
- SHA256: 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743
- SHA512: 45e0108743f5922352980565df9f24ac1bddf8b15aca4e00a58affd8bc9136eee5144fa53fa91c2a76cd0bdbbc366b41f9b9d978da88328ef7c91ff55c6a9983
- SSDEEP: 12288:RKfc7b5LkodZkB0YH6lmtSOE2UfQS/x1W5bUPodfCEVYHBF60GRGq4B:RKE7ttoBEmN3a/x1wBYh0I
Malware Config

Extracted from C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files yqyhzxi.txt:
- http://65y3g34c4zk3xkh2.onion.cab
- http://65y3g34c4zk3xkh2.tor2web.org
- http://65y3g34c4zk3xkh2.onion/

Extracted from C:\ProgramData\zlwdkgg.html:
- http-equiv='Content-Type

Extracted from C:\ProgramData\zlwdkgg.html:
- http://65y3g34c4zk3xkh2.onion.cab
- http://65y3g34c4zk3xkh2.tor2web.org
- http://65y3g34c4zk3xkh2.onion
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (6 IoCs)
Processes:
- PID 1404 pdfisga.exe
- PID 700 pdfisga.exe
- PID 1724 pdfisga.exe
- PID 628 pdfisga.exe
- PID 1584 pdfisga.exe
- PID 560 pdfisga.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation (pdfisga.exe)

Drops desktop.ini file(s) (1 IoC)
Processes:
- File opened for modification: C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (svchost.exe)

Drops file in System32 directory (1 IoC)
Processes:
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (pdfisga.exe)

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\Decrypt All Files yqyhzxi.bmp" (Explorer.EXE)

Suspicious use of SetThreadContext (6 IoCs)
Processes (PID, process -> target PID, target process):
- 960 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe -> 1376 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe
- 1376 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe -> 1904 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe
- 1404 pdfisga.exe -> 700 pdfisga.exe
- 700 pdfisga.exe -> 1724 pdfisga.exe
- 628 pdfisga.exe -> 1584 pdfisga.exe
- 1584 pdfisga.exe -> 560 pdfisga.exe

Drops file in Program Files directory (2 IoCs)
Processes:
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files yqyhzxi.bmp (svchost.exe)
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files yqyhzxi.txt (svchost.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 1208 vssadmin.exe

Modifies Internet Explorer settings (1 IoC)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main (pdfisga.exe)

Modifies data under HKEY_USERS (20 IoCs)
Processes (all entries by svchost.exe):
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\MaxCapacity = "15140"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640061006500300037006100650034002d0032006100330034002d0031003100650064002d0038003600630036002d003800300036006500360066003600650036003900360033007d0000000000
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft
- Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"
- Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\NukeOnDelete = "0"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"
- Key created: \REGISTRY\USER\.DEFAULT\Software
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion

Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes (PID, process, number of entries):
- 1376 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe (x2)
- 1904 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe (x1)
- 700 pdfisga.exe (x2)
- 1724 pdfisga.exe (x16)
- 1584 pdfisga.exe (x2)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 1220 Explorer.EXE

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (token, PID, process, number of entries):
- Token: SeDebugPrivilege, 1724 pdfisga.exe (x2)
- Token: SeShutdownPrivilege, 1220 Explorer.EXE (x2)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- PID 560 pdfisga.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes:
- PID 560 pdfisga.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 560 pdfisga.exe (x2)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID, source process -> target PID, target process; number of entries):
- 960 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe -> 1376 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe (x10)
- 1376 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe -> 1904 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe (x7)
- 1692 taskeng.exe -> 1404 pdfisga.exe (x4)
- 1404 pdfisga.exe -> 700 pdfisga.exe (x10)
- 700 pdfisga.exe -> 1724 pdfisga.exe (x7)
- 1724 pdfisga.exe -> 600 svchost.exe (x1)
- 600 svchost.exe -> 828 DllHost.exe (x3)
- 1724 pdfisga.exe -> 1220 Explorer.EXE (x1)
- 1724 pdfisga.exe -> 1208 vssadmin.exe (x4)
- 1724 pdfisga.exe -> 628 pdfisga.exe (x4)
- 628 pdfisga.exe -> 1584 pdfisga.exe (x10)
- 1584 pdfisga.exe -> 560 pdfisga.exe (x3)
Processes

C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743.exe"
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\DllHost.exe (depth 2)
    Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

  C:\Windows\system32\DllHost.exe (depth 2)
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {6507ABD5-57C0-41DE-A45E-BC736315DD6A} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\pdfisga.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\pdfisga.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\pdfisga.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\vssadmin.exe (depth 5)
          Command line: vssadmin delete shadows all
          - Interacts with shadow copies

        C:\Users\Admin\AppData\Local\Temp\pdfisga.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\pdfisga.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\pdfisga.exe (depth 7)
              Command line: "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
              - Executes dropped EXE
              - Checks computer location settings
              - Drops file in System32 directory
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\Microsoft Help\xptppml
- Filesize: 654B
- MD5: 44350d7c4133a3bd6184b8dc15294d9f
- SHA1: 0953aa71844ac3d37c619c1e8fb7ad0ca91a36ce
- SHA256: 4f4d0402be8ba7a3f72cb93dc54a4e283ead390929f6d9ce342724cb20cb13d5
- SHA512: 62aca8bd3ce24a53cf8d7fe406072b6c7ba55c6e713b1e307c6fe51ca8f98763594610c4fc154bdb60f3fe534815399ebb30d5cc2aaf7bccc9d5124bcdd6ec8b

C:\ProgramData\Microsoft Help\xptppml
- Filesize: 654B
- MD5: 6102ee41cf560b0df699e3e36e74fd6b
- SHA1: 5ed750abbda811bae02c10d0a64f5520ae431868
- SHA256: 9b692a6a0372f497c71c70e6743153ec5fca8fbfbdebb96cdc9e009ee060ea03
- SHA512: e67bddf30fdbf160bc9dee76ebb1438e6b0dc1a25ceae4a63a6cd2b27624f3b57557a3715fb9571dd314e6a0a8d024f50af783b0d7e0441c17481a083dcb943e

C:\ProgramData\Microsoft Help\xptppml
- Filesize: 654B
- MD5: ef283492055b476911ace10e952615e3
- SHA1: 6c4cbd7ae5f73a8e131ecd47756909b4c53ee723
- SHA256: bb7d9b7c446a2e98ec90d749a54dc271a5e3ab0dc38815cd878e30a489517a21
- SHA512: 2d23ef818ef590a8d8f1786a19923fc2a530348b2529b250a37f9cfa0b51b96a9237a3e39fe0e870333dbca824d57fe142c0e308972b92e92e75a0c9510addd0

C:\ProgramData\zlwdkgg.html
- Filesize: 60KB
- MD5: ca2fb3385bebe297ad319354ae1f5e13
- SHA1: 3a3d132e6d3065ec9c2fb4e3e433838ca51d7ff3
- SHA256: f30dbb237d1ace818a2cb92ac55b3159d4bef2273e4dc49dfed8c855c38b8045
- SHA512: 554cc27e79db17485782e9269a47e091e9f33536f019026b7459ad4cc08619e4f8d11e9656035405a2a4a4cd53cb006c1b2abec96186f170b985239bd09f6e8a

C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
- Filesize: 1009KB
- MD5: 63280dedabfe7caec283920f1b5ee3dd
- SHA1: 5efc119e54f35770a9dae6997b550982c82cc86b
- SHA256: 250684f6de27ae57738e361aa0b3cc967f27e8d017817dcef0199f5cbd0e7743
- SHA512: 45e0108743f5922352980565df9f24ac1bddf8b15aca4e00a58affd8bc9136eee5144fa53fa91c2a76cd0bdbbc366b41f9b9d978da88328ef7c91ff55c6a9983