Analysis
max time kernel: 78s
max time network: 30s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 22-01-2023 19:47
Behavioral task behavioral1: sample 5.exe, resource win7-20221111-en
Behavioral task behavioral2: sample 5.exe, resource win10v2004-20221111-en
General
Target: 5.exe
Size: 218KB
MD5: b8845a76e3942ff4d20ba4660ae926bb
SHA1: eb90f945087c270a2ecc11753180ba4ecc270696
SHA256: 8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee
SHA512: 9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc
SSDEEP: 6144:aC61i972rJmciP98f2H64DQFu/U3buRKlemZ9DnGAe/Ix3Sd7+:aK972I/Gf2a4DQFu/U3buRKlemZ9DnG9
Malware Config
Signatures

Detects Zeppelin payload (5 IoCs)
resource | yara_rule
behavioral1/files/0x000c0000000122f6-55.dat | family_zeppelin
behavioral1/files/0x000c0000000122f6-56.dat | family_zeppelin
behavioral1/files/0x000c0000000122f6-58.dat | family_zeppelin
behavioral1/files/0x000c0000000122f6-71.dat | family_zeppelin
behavioral1/files/0x000c0000000122f6-68.dat | family_zeppelin
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
pid | Process
1984 | TrustedInstaller.exe
1312 | TrustedInstaller.exe
Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\EditTest.tiff | TrustedInstaller.exe
File opened for modification | C:\Users\Admin\Pictures\ReadJoin.tiff | TrustedInstaller.exe
File opened for modification | C:\Users\Admin\Pictures\TraceExit.tiff | TrustedInstaller.exe

Deletes itself (1 IoCs)
pid | Process
1500 | notepad.exe

Loads dropped DLL (2 IoCs)
pid | Process
2032 | 5.exe
2032 | 5.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run | 5.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\TrustedInstaller.exe\" -start" | 5.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); Process: TrustedInstaller.exe for all 24 entries
ioc, in the order reported: \??\B:, \??\Y:, \??\E:, \??\R:, \??\Q:, \??\O:, \??\L:, \??\H:, \??\F:, \??\Z:, \??\S:, \??\T:, \??\M:, \??\J:, \??\A:, \??\X:, \??\W:, \??\P:, \??\N:, \??\K:, \??\I:, \??\G:, \??\V:, \??\U:
Drops file in Program Files directory (64 IoCs)
Process: TrustedInstaller.exe for all 64 entries
description | ioc
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Scoresbysund.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00395_.WMF.ORCA.7F8-B13-114
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\chkrzm.exe.mui.ORCA.7F8-B13-114
File created | C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\HOW_TO_RECOVER_DATA.hta
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04326_.WMF
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files\Java\jre7\lib\cmm\CIEXYZ.pf
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Louisville
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00076_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105396.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0172035.WMF.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0213243.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Marketing Projects.accdt.ORCA.7F8-B13-114
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182888.WMF
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARVERTBB.POC.ORCA.7F8-B13-114
File created | C:\Program Files\Microsoft Office\Office14\1033\HOW_TO_RECOVER_DATA.hta
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Blog.dotx
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml
File opened for modification | C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR47F.GIF
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\HOW_TO_RECOVER_DATA.hta
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar.ORCA.7F8-B13-114
File created | C:\Program Files\VideoLAN\VLC\lua\meta\HOW_TO_RECOVER_DATA.hta
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01905_.WMF.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME17.CSS
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSRETRO.WMF.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01805_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21312_.GIF
File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp.ORCA.7F8-B13-114
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00454_.WMF.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxalert.ico.ORCA.7F8-B13-114
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01172_.WMF.ORCA.7F8-B13-114
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-templates.xml_hidden
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099146.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18200_.WMF.ORCA.7F8-B13-114
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam.ORCA.7F8-B13-114
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.ORCA.7F8-B13-114
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00394_.WMF
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar.ORCA.7F8-B13-114
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01151_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0229389.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21318_.GIF
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\HOW_TO_RECOVER_DATA.hta
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG.ORCA.7F8-B13-114
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN048.XML.ORCA.7F8-B13-114
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\HOW_TO_RECOVER_DATA.hta | TrustedInstaller.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1556 | vssadmin.exe
1676 | vssadmin.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1984 | TrustedInstaller.exe (the same entry is reported 64 times)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process (grouped by process, in the order reported)
Token: SeDebugPrivilege, SeDebugPrivilege | 2032 | 5.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | 984 | WMIC.exe
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 1876 | vssvc.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | 628 | WMIC.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34 | 984 | WMIC.exe

Suspicious use of WriteProcessMemory (62 IoCs)
description | pid | Process | procid_target (identical entries collapsed; repeat count in brackets)
PID 2032 wrote to memory of 1984 | 2032 | 5.exe | 28 [x4]
PID 2032 wrote to memory of 1500 | 2032 | 5.exe | 29 [x7]
PID 1984 wrote to memory of 864 | 1984 | TrustedInstaller.exe | 30 [x4]
PID 1984 wrote to memory of 1068 | 1984 | TrustedInstaller.exe | 32 [x4]
PID 1984 wrote to memory of 380 | 1984 | TrustedInstaller.exe | 33 [x4]
PID 1984 wrote to memory of 440 | 1984 | TrustedInstaller.exe | 34 [x4]
PID 1984 wrote to memory of 2008 | 1984 | TrustedInstaller.exe | 35 [x4]
PID 1984 wrote to memory of 1160 | 1984 | TrustedInstaller.exe | 37 [x4]
PID 1984 wrote to memory of 1312 | 1984 | TrustedInstaller.exe | 41 [x4]
PID 864 wrote to memory of 984 | 864 | cmd.exe | 42 [x4]
PID 2008 wrote to memory of 1556 | 2008 | cmd.exe | 44 [x4]
PID 1160 wrote to memory of 628 | 1160 | cmd.exe | 46 [x4]
PID 1160 wrote to memory of 1676 | 1160 | cmd.exe | 48 [x4]
PID 1984 wrote to memory of 928 | 1984 | TrustedInstaller.exe | 50 [x7]
Processes

C:\Users\Admin\AppData\Local\Temp\5.exe  (depth 1, PID 2032)
  command line: "C:\Users\Admin\AppData\Local\Temp\5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe  (depth 2, PID 1984)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 864)
      command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe  (depth 4, PID 984)
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1068)
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

    C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 380)
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

    C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 440)
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

    C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 2008)
      command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\vssadmin.exe  (depth 4, PID 1556)
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 1160)
      command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Wbem\WMIC.exe  (depth 4, PID 628)
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\vssadmin.exe  (depth 4, PID 1676)
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe  (depth 3, PID 1312)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
      - Executes dropped EXE
      - Modifies extensions of user files
      - Drops file in Program Files directory
      - Drops file in Windows directory

    C:\Windows\SysWOW64\notepad.exe  (depth 3, PID 928)
      command line: notepad.exe

  C:\Windows\SysWOW64\notepad.exe  (depth 2, PID 1500)
    command line: notepad.exe
    - Deletes itself

C:\Windows\system32\vssvc.exe  (depth 1, PID 1876)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads