Analysis
- max time kernel: 151s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 06:05
Static task: static1
Behavioral task: behavioral1
- Sample: 7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe
- Resource: win10v2004-20220812-en
General
- Target: 7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe
- Size: 184KB
- MD5: 89f059a012a6911765ceaf4e3eefd2f8
- SHA1: d0aae8d39b153584b3ea8f82b1ccf99ebef6a20c
- SHA256: 7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72
- SHA512: 01938da98ff0352db5e8db56ad60158dfd758bba1036cbf31d6e95003254ab8bc5e8abdde6f6850258738099e6468c6fe228e0c32dd73a75a41d3161af468996
- SSDEEP: 3072:kyXt9mTrJfPB6y0TwqjoL0sMjHicmDJij4X0PQgyrkEp92QObfOCLn2O:p4FfZ6zTwhmjsO4XcQ1F9pObp2O
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes: esbgeje.exe
  - pid 1536 esbgeje.exe
  - pid 1056 esbgeje.exe
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: esbgeje.exe
  - File renamed C:\Users\Admin\Pictures\ConvertFromRepair.raw => C:\Users\Admin\Pictures\ConvertFromRepair.raw.ecc (esbgeje.exe)
  - File renamed C:\Users\Admin\Pictures\PingRestore.crw => C:\Users\Admin\Pictures\PingRestore.crw.ecc (esbgeje.exe)
  - File renamed C:\Users\Admin\Pictures\ReceiveCompare.png => C:\Users\Admin\Pictures\ReceiveCompare.png.ecc (esbgeje.exe)
  - File renamed C:\Users\Admin\Pictures\SendMove.raw => C:\Users\Admin\Pictures\SendMove.raw.ecc (esbgeje.exe)
- Deletes itself (1 IoC)
  Processes: cmd.exe
  - pid 612 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: 7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe, esbgeje.exe
  - pid 1768 7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe
  - pid 1056 esbgeje.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: esbgeje.exe
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (esbgeje.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svv_e = "C:\\Users\\Admin\\AppData\\Roaming\\esbgeje.exe" (esbgeje.exe)
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (esbgeje.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*svv_e = "C:\\Users\\Admin\\AppData\\Roaming\\esbgeje.exe" (esbgeje.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 1: ipinfo.io
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: esbgeje.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_TO_SAVE_YOUR_FILES.bmp" (esbgeje.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe, esbgeje.exe
  - PID 1204 (7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe) set thread context of 1768 (7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe)
  - PID 1536 (esbgeje.exe) set thread context of 1056 (esbgeje.exe)
- Drops file in Program Files directory (64 IoCs)
  Processes: esbgeje.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: WerFault.exe
  - pid 1520 WerFault.exe (pid_target 1288)
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  - pid 1592 vssadmin.exe
- Modifies Control Panel (2 IoCs)
  Processes: esbgeje.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\WallpaperStyle = "0" (esbgeje.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\TileWallpaper = "0" (esbgeje.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: esbgeje.exe
  - pid 1056 esbgeje.exe (64 occurrences)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: 7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe, esbgeje.exe, vssvc.exe
  - Token: SeDebugPrivilege, pid 1768 7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe
  - Token: SeDebugPrivilege, pid 1056 esbgeje.exe
  - Token: SeBackupPrivilege, pid 1492 vssvc.exe
  - Token: SeRestorePrivilege, pid 1492 vssvc.exe
  - Token: SeAuditPrivilege, pid 1492 vssvc.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes: 7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe, esbgeje.exe
  - PID 1204 (7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe) wrote to memory of 1768 (7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe), 10 occurrences
  - PID 1768 (7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe) wrote to memory of 1536 (esbgeje.exe), 4 occurrences
  - PID 1536 (esbgeje.exe) wrote to memory of 1056 (esbgeje.exe), 10 occurrences
  - PID 1768 (7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe) wrote to memory of 612 (cmd.exe), 4 occurrences
  - PID 1056 (esbgeje.exe) wrote to memory of 1592 (vssadmin.exe), 4 occurrences
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Users\Admin\AppData\Local\Temp\7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Users\Admin\AppData\Roaming\esbgeje.exe
      Command line: C:\Users\Admin\AppData\Roaming\esbgeje.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - (level 4) C:\Users\Admin\AppData\Roaming\esbgeje.exe
        Command line: C:\Users\Admin\AppData\Roaming\esbgeje.exe
        - Executes dropped EXE
        - Modifies extensions of user files
        - Loads dropped DLL
        - Adds Run key to start application
        - Sets desktop wallpaper using registry
        - Drops file in Program Files directory
        - Modifies Control Panel
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - (level 5) C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
          - Interacts with shadow copies
    - (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\7DB66A~1.EXE >> NUL
      - Deletes itself
- (level 1) C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- (level 1) C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 1288 -s 2144
  - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\esbgeje.exe (listed three times in the report)
  Filesize: 184KB
  MD5: 89f059a012a6911765ceaf4e3eefd2f8
  SHA1: d0aae8d39b153584b3ea8f82b1ccf99ebef6a20c
  SHA256: 7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72
  SHA512: 01938da98ff0352db5e8db56ad60158dfd758bba1036cbf31d6e95003254ab8bc5e8abdde6f6850258738099e6468c6fe228e0c32dd73a75a41d3161af468996
- \Users\Admin\AppData\Roaming\esbgeje.exe (listed twice in the report)
  Filesize: 184KB
  MD5: 89f059a012a6911765ceaf4e3eefd2f8
  SHA1: d0aae8d39b153584b3ea8f82b1ccf99ebef6a20c
  SHA256: 7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72
  SHA512: 01938da98ff0352db5e8db56ad60158dfd758bba1036cbf31d6e95003254ab8bc5e8abdde6f6850258738099e6468c6fe228e0c32dd73a75a41d3161af468996
- memory/612-89-0x0000000000000000-mapping.dmp
- memory/1056-84-0x0000000000425911-mapping.dmp
- memory/1056-94-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)
- memory/1056-92-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)
- memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp (Filesize: 8KB)
- memory/1536-71-0x0000000000000000-mapping.dmp
- memory/1592-93-0x0000000000000000-mapping.dmp
- memory/1768-62-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)
- memory/1768-60-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)
- memory/1768-58-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)
- memory/1768-65-0x0000000000425911-mapping.dmp
- memory/1768-56-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)
- memory/1768-90-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)
- memory/1768-69-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)
- memory/1768-68-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)
- memory/1768-64-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)
- memory/1768-55-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)