Analysis
- max time kernel: 150s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 22-01-2023 19:17
Behavioral task behavioral1
- Sample: 4.exe
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: 4.exe
- Resource: win10v2004-20220812-en
General
- Target: 4.exe
- Size: 211KB
- MD5: 8f43f1fddbcf5409408eb618a981b23b
- SHA1: 3ff15167aa71fc29c7f3ee17fc5f482d8ecceaf2
- SHA256: 6656c50ffbdc59ce71b93474f43270dfeb42b57451724c25fa26f5bbf532e449
- SHA512: 3a6bca15442233f9b36e51ea984353925d43ac17326742ad8a562542ca20e99da0477b583b8cc415eb8ab09b306a6b903e7ee1d79137487312ab5327f8ac2387
- SSDEEP: 6144:+ia1gMH2EXtAup5Qnqn64DQFu/U3buRKlemZ9DnGAe+hsOn+8:+IMHxGe5Qb4DQFu/U3buRKlemZ9DnGAz
Malware Config
Signatures
-
Detects Zeppelin payload 5 IoCs
Resource / YARA rule:
- behavioral1/files/0x000a00000001232d-55.dat: family_zeppelin
- behavioral1/files/0x000a00000001232d-56.dat: family_zeppelin
- behavioral1/files/0x000a00000001232d-58.dat: family_zeppelin
- behavioral1/files/0x000a00000001232d-77.dat: family_zeppelin
- behavioral1/files/0x000a00000001232d-79.dat: family_zeppelin
-
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
PID / Process:
- 1804 explorer.exe
- 1588 explorer.exe
-
Loads dropped DLL 2 IoCs
PID / Process:
- 2000 4.exe
- 2000 4.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Description / IoC / Process:
- Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run (4.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start" (4.exe)
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Description / IoC / Process (all by explorer.exe):
- File opened (read-only): \??\P:, \??\O:, \??\N:, \??\G:, \??\A:, \??\K:, \??\J:, \??\Z:, \??\X:, \??\W:, \??\Q:, \??\M:, \??\L:, \??\H:, \??\B:, \??\V:, \??\S:, \??\R:, \??\I:, \??\F:, \??\E:, \??\Y:, \??\U:, \??\T:
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow / IoC:
- 3: geoiptool.com
-
Drops file in Program Files directory 64 IoCs
Description / IoC / Process (all by explorer.exe):
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\RECOVERY DATA INFORMATION.TXT
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong.A53-384-D03
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Australia\Broken_Hill.A53-384-D03
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar.A53-384-D03
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos
- File opened for modification: C:\Program Files\Microsoft Games\More Games\en-US\MoreGames.dll.mui.A53-384-D03
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo.A53-384-D03
- File opened for modification: C:\Program Files\7-Zip\Lang\co.txt.A53-384-D03
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png
- File opened for modification: C:\Program Files\Java\jre7\lib\images\cursors\cursors.properties
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Panama
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Glace_Bay
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Iqaluit
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.A53-384-D03
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh.A53-384-D03
- File opened for modification: C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\chkrzm.exe.mui.A53-384-D03
- File created: C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\RECOVERY DATA INFORMATION.TXT
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css.A53-384-D03
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar.A53-384-D03
- File opened for modification: C:\Program Files\7-Zip\Lang\tr.txt.A53-384-D03
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MET
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw.A53-384-D03
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau.A53-384-D03
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Europe\Athens
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo
- File opened for modification: C:\Program Files\7-Zip\Lang\cs.txt
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT.A53-384-D03
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml
- File opened for modification: C:\Program Files\Java\jre7\lib\deploy\messages_sv.properties.A53-384-D03
- File opened for modification: C:\Program Files\Java\jre7\lib\ext\sunec.jar.A53-384-D03
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel
- File created: C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\RECOVERY DATA INFORMATION.TXT
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.A53-384-D03
- File created: C:\Program Files\Java\jre7\lib\deploy\RECOVERY DATA INFORMATION.TXT
- File opened for modification: C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo.A53-384-D03
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf.A53-384-D03
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay.A53-384-D03
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml.A53-384-D03
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sitka
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
PID / Process:
- 1600 vssadmin.exe
- 1300 vssadmin.exe
-
Modifies system certificate store
Description / IoC / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (explorer.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) (explorer.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (4.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) (4.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) (4.exe)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Description (token) / PID / Process, in the order recorded:
- 1264 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- 1168 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- 976 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 1168 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- 1264 WMIC.exe: SeIncreaseQuotaPrivilege
-
Suspicious use of WriteProcessMemory 48 IoCs
Description / PID / Process / target process id (each event was recorded four times):
- PID 2000 (4.exe) wrote to memory of 1804, target 30 (x4)
- PID 1804 (explorer.exe) wrote to memory of 1288, target 32 (x4)
- PID 1804 (explorer.exe) wrote to memory of 972, target 33 (x4)
- PID 1804 (explorer.exe) wrote to memory of 1620, target 36 (x4)
- PID 1804 (explorer.exe) wrote to memory of 2044, target 37 (x4)
- PID 1804 (explorer.exe) wrote to memory of 1060, target 39 (x4)
- PID 1288 (cmd.exe) wrote to memory of 1264, target 41 (x4)
- PID 1804 (explorer.exe) wrote to memory of 2020, target 42 (x4)
- PID 1804 (explorer.exe) wrote to memory of 1588, target 44 (x4)
- PID 1060 (cmd.exe) wrote to memory of 1600, target 46 (x4)
- PID 2020 (cmd.exe) wrote to memory of 1168, target 47 (x4)
- PID 2020 (cmd.exe) wrote to memory of 1300, target 50 (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\4.exe (PID 2000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Modifies system certificate store; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe (PID 1804)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
    Signatures: Executes dropped EXE; Enumerates connected drives; Modifies system certificate store; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1288)
      Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1264)
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 972)
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    - C:\Windows\SysWOW64\cmd.exe (PID 1620)
      Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - C:\Windows\SysWOW64\cmd.exe (PID 2044)
      Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    - C:\Windows\SysWOW64\cmd.exe (PID 1060)
      Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe (PID 1600)
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\cmd.exe (PID 2020)
      Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1168)
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\vssadmin.exe (PID 1300)
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe (PID 1588)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
      Signatures: Executes dropped EXE; Drops file in Program Files directory
- C:\Windows\system32\vssvc.exe (PID 976)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  Filesize: 2KB
  MD5: 32db96b37f2eae8b4a5ea57eab7a06a5
  SHA1: 5c9452a956b990092a63df3149bd30f18828ebf9
  SHA256: f1a4ba37c974965555658c88ce6a0e2085d8a51614393d537aca65c46e09d09e
  SHA512: d7097cd356d07b7df806d7e0e6b5c832c0b60b0bbbffe354c3e7cf89c81b5bdb7672de9b4da2bf2ae4499e2bad95f2ff0ca7d7f28c8df767dc07c367a9759d27
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46
  Filesize: 472B
  MD5: 2b31673c5aec0f1f947b38be3c240ea7
  SHA1: e315c9ab07e0163e096e8b04429ab18a1592889c
  SHA256: 19cd82739b40d6fb3496f711b2e8cb8d2c1dca9f9b0379dc4976358bcd007c34
  SHA512: 5a6df805b6c3637a766f5f049a53b308bb5fc26132667439cd5e00929fe7688d2b21e7608f00201bc2d61f6908eedc2dc7037d59cbf4d27e6c64a462ee0f59de
- Filesize: 61KB
  MD5: fc4666cbca561e864e7fdf883a9e6661
  SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
  SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
  SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize: 1KB
  MD5: 87975cbd581677a6d5cd26114617fd3f
  SHA1: 419007e489475e1a31e6200d1137d013b80a35e6
  SHA256: dc6f87cc6bf6c82609944c30dfa67249c8cbce298a968cf03e791c62c9ec25c2
  SHA512: 1bc31a114308b5773138a10db665409fe542eb47f4d4529ad901c64d133dfa8e41f638d57d253ca5a4155461cc847a7e284f2c43b6c3807ce37ec476df5aed57
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  Filesize: 484B
  MD5: a00b0da43b7ac75b9dd4d837604e805b
  SHA1: c87ced381b00a4f1f230fb0c20f255797f945106
  SHA256: d8fb4a861d5e5617a5ecb8c4b59b99b58d1333692155ebec95cfc138960cbc87
  SHA512: 0aa10d53b121f33387210d739811e5ca67958f2fccd15c8e955d58368fb0f3cbff15d1d3e577b3b27d0b6850c9a2dce3877a44859aafa694b5c1f763fe401128
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46
  Filesize: 488B
  MD5: 3ada500161edeff390b2e3705d033ec5
  SHA1: f75456e1ec5ac0203abcb743c855ae8a34df51ff
  SHA256: b6b66410783eb5a30ba0cd2e451c8f0d0571fa9a8802ea01457bc26ddb85cf4e
  SHA512: 66f5d0760be1856b7b0b397bc818ba737554c6823d2930bbda06189e41e73d94d410c0438c02a8666976f655d63f8cdab3397905d2c310d2e2370ab877913707
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6eadb3b7230e88bcc3e408bc70e7c805
  SHA1: 9d4748fafaeafd5b2f7a0baf93f8ead2ac0612c4
  SHA256: f27f08e483b4cb7e01e8a326fded96ac0cd3be8a9864a0476fb270f5a199283b
  SHA512: 692312996b0debeb5674c76eea1c06013fb7d5012384f41efd85280f0807abe9dbdf05c6697697a86bfb4834a3ee03210465aca7c9ff55520df4363e038a302e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize: 482B
  MD5: 663c764f5335811f8d585dc71309924b
  SHA1: 029f5b7bbc20329e17ceaf227c95915d794d2940
  SHA256: 25260d45a1cb3b45a20dbb2e725dbd6ee754f1f791fcb311844d12eaf16e5f61
  SHA512: fe3346c1987a7645bbb1027615c69cd27a3e6a7676980375863315f39dfb82c04a873392b028d0f3a86769c19a08180e3ad9a61916c434480bb394d88cd479fe
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IV8L6YIU\D11NA2RX.htm
  Filesize: 18KB
  MD5: 8615e70875c2cc0b9db16027b9adf11d
  SHA1: 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
  SHA256: da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
  SHA512: cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PFZC0YBM\TVDTNC6N.htm
  Filesize: 184B
  MD5: b1cd7c031debba3a5c77b39b6791c1a7
  SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
  SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
  SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
- Filesize: 404B
  MD5: 78215698f8f9dc7941c9c287642bd02c
  SHA1: 633cd0a6c76f080cdb6e0c98034b0b5dd7283a47
  SHA256: dc94e21e80522b2cee097064c31a7720d70a02d0c55f290d59030fd0c995cac5
  SHA512: c0a05f8cc400855c40b8e8eb3e7f027b06553cc592eb2ab6ad0a8c33ed2d196c7eda358977edc3f34ce1fdbff30efe288725eb10ea463e622ee9eb8085e48f7d
- Filesize: 211KB
  MD5: 8f43f1fddbcf5409408eb618a981b23b
  SHA1: 3ff15167aa71fc29c7f3ee17fc5f482d8ecceaf2
  SHA256: 6656c50ffbdc59ce71b93474f43270dfeb42b57451724c25fa26f5bbf532e449
  SHA512: 3a6bca15442233f9b36e51ea984353925d43ac17326742ad8a562542ca20e99da0477b583b8cc415eb8ab09b306a6b903e7ee1d79137487312ab5327f8ac2387