db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f

Resubmissions

23-02-2023 13:58

230223-q979csga63 10

23-02-2023 13:58

30-01-2023 00:58

15-01-2023 07:31

15-01-2023 07:28

15-01-2023 01:34

Analysis

max time kernel
577s
max time network
608s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

working_attack.7z
Size

925KB
MD5

79c2ac9fb282708c97b2622b1dcf8428
SHA1

bbfeb1b3a9379ca5fd894b8c5afa0b95f5eef1b7
SHA256

db8eb8347ed084c3ee3707ad032743e350157abcaf2817e5f15777b20c554b7f
SHA512

2334c5568ec148985245936d8301e8677b0d6b9809943f1c705ab80572be150d598525df205b8902f8739322f1faa42eb52087048cf57164311002a8e32d2f5f
SSDEEP

24576:y7zYd9xdNsC/TbVTUGTL/g5zXCXPukSSw1hSD6xTBeJw6HXss5:ezY3bWYTUkhhSSuhS0G3s8

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jsc.exe

Executes dropped EXE 3 IoCs

pid	Process
2228	45.exe
1628	45.exe
1136	45.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
74	eth0.me

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 1844	2228	45.exe	103
PID 1628 set thread context of 3564	1628	45.exe	110
PID 1136 set thread context of 3980	1136	45.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	45.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	45.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	45.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	45.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "3"	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	45.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	45.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	45.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	45.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	45.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4900	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2228	45.exe
2228	45.exe
2228	45.exe
2228	45.exe
2228	45.exe
2228	45.exe
2228	45.exe
2228	45.exe
1628	45.exe
1628	45.exe
1628	45.exe
1628	45.exe
1628	45.exe
1628	45.exe
1628	45.exe
1628	45.exe
1136	45.exe
1136	45.exe
1136	45.exe
1136	45.exe
1136	45.exe
1136	45.exe
1136	45.exe
1136	45.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2228	45.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	1444	7zG.exe
Token: 35	1444	7zG.exe
Token: SeSecurityPrivilege	1444	7zG.exe
Token: SeSecurityPrivilege	1444	7zG.exe
Token: SeBackupPrivilege	4720	svchost.exe
Token: SeRestorePrivilege	4720	svchost.exe
Token: SeSecurityPrivilege	4720	svchost.exe
Token: SeTakeOwnershipPrivilege	4720	svchost.exe
Token: 35	4720	svchost.exe
Token: SeDebugPrivilege	1844	jsc.exe
Token: SeDebugPrivilege	3564	jsc.exe
Token: SeDebugPrivilege	3980	jsc.exe
Token: SeSecurityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: 33	900	mmc.exe
Token: SeIncBasePriorityPrivilege	900	mmc.exe
Token: SeSecurityPrivilege	900	mmc.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
1444	7zG.exe
2228	45.exe
2228	45.exe
2228	45.exe
2228	45.exe
1628	45.exe
1628	45.exe
1628	45.exe
1136	45.exe
1136	45.exe
1136	45.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
2228	45.exe
2228	45.exe
2228	45.exe
1628	45.exe
1628	45.exe
1628	45.exe
1136	45.exe
1136	45.exe
1136	45.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3796	OpenWith.exe
2228	45.exe
2228	45.exe
2228	45.exe
2228	45.exe
2228	45.exe
1628	45.exe
1136	45.exe
900	mmc.exe
900	mmc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1844	2228	45.exe	103
PID 2228 wrote to memory of 1844	2228	45.exe	103
PID 2228 wrote to memory of 1844	2228	45.exe	103
PID 2228 wrote to memory of 1844	2228	45.exe	103
PID 2228 wrote to memory of 1844	2228	45.exe	103
PID 1628 wrote to memory of 3564	1628	45.exe	110
PID 1628 wrote to memory of 3564	1628	45.exe	110
PID 1628 wrote to memory of 3564	1628	45.exe	110
PID 1628 wrote to memory of 3564	1628	45.exe	110
PID 1628 wrote to memory of 3564	1628	45.exe	110
PID 1136 wrote to memory of 3980	1136	45.exe	113
PID 1136 wrote to memory of 3980	1136	45.exe	113
PID 1136 wrote to memory of 3980	1136	45.exe	113
PID 1136 wrote to memory of 3980	1136	45.exe	113
PID 1136 wrote to memory of 3980	1136	45.exe	113

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\working_attack.7z
1⤵
- Modifies registry class
PID:1556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5040

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap3215:84:7zEvent3408
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1444

C:\Users\Admin\Desktop\working_attack\45.exe
"C:\Users\Admin\Desktop\working_attack\45.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  - UAC bypass
  - Suspicious use of AdjustPrivilegeToken
  PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
1⤵
- Opens file in notepad (likely ransom note)
PID:4900

C:\Users\Admin\Desktop\working_attack\45.exe
"C:\Users\Admin\Desktop\working_attack\45.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3564

C:\Users\Admin\Desktop\working_attack\45.exe
"C:\Users\Admin\Desktop\working_attack\45.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3980

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
cec171cfa1ddf6d8d2447fd6f387d9e6

SHA1
900b80fbf94dc389b0c3c98654065bbf6aa2e1f8

SHA256
23c330a45b20a2cab1f99ef11d0413a7e71cad4748bf2424d1c5942aaad29df3

SHA512
bc3fc9b16479991520b388bf44809c5311953bbca25a52b757de2479ce292768353bebc8082aa99ee2d921fd104c172b79dc8ec4f5045f15ef161def4455e619

Download Submit
C:\Users\Admin\Desktop\working_attack\45.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\Desktop\working_attack\45.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\Desktop\working_attack\45.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\Desktop\working_attack\45.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\Desktop\working_attack\S.a3x

Filesize
1.5MB

MD5
536073c3748e4eb7bbee303547b7227d

SHA1
4397b1d855e799f4d38467a848cda2273c1c6c73

SHA256
8e289b8dfc7e4994d808ef79a88adb513365177604fe587f6efa812f284e21a3

SHA512
3b1e1c853c362770a4ddcc4c7b3b932f9adf9db006bf649266a1b0c9c6c7b0afb7f0cd5687f672ed58908c9af8b56a830888b6f30defb97297cbde8de18f7651

Download Submit
memory/900-155-0x00007FFFEA320000-0x00007FFFEADE1000-memory.dmp

Filesize
10.8MB

Download
memory/900-154-0x00007FFFEA320000-0x00007FFFEADE1000-memory.dmp

Filesize
10.8MB

Download
memory/1844-143-0x0000000006FD0000-0x00000000074FC000-memory.dmp

Filesize
5.2MB

Download
memory/1844-142-0x0000000006790000-0x0000000006806000-memory.dmp

Filesize
472KB

Download
memory/1844-141-0x00000000068D0000-0x0000000006A92000-memory.dmp

Filesize
1.8MB

Download
memory/1844-144-0x0000000006880000-0x000000000689E000-memory.dmp

Filesize
120KB

Download
memory/1844-140-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/1844-139-0x0000000004DF0000-0x0000000004E82000-memory.dmp

Filesize
584KB

Download
memory/1844-138-0x0000000005490000-0x0000000005A34000-memory.dmp

Filesize
5.6MB

Download
memory/1844-136-0x0000000000720000-0x00000000007C6000-memory.dmp

Filesize
664KB

Download
memory/3564-148-0x0000000000350000-0x00000000003F6000-memory.dmp

Filesize
664KB

Download
memory/3980-152-0x00000000013A0000-0x0000000001446000-memory.dmp

Filesize
664KB

Download