1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690

Resubmissions

02/02/2023, 15:10

230202-skgffsad87 10

30/01/2023, 21:04

30/01/2023, 19:19

30/01/2023, 19:18

30/01/2023, 19:16

30/01/2023, 16:57

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2023, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
Size

1.5MB
MD5

fee7c379f3a555c5c821e872ec384a91
SHA1

7346e2e29faddd63ae5c610c07acab46b2b1b176
SHA256

1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690
SHA512

5daecbea4102f9b6c431afa1d6d5bb196594e7c9640d7a8b388669268d737d6e4277797504a86169b410ccf3cd6e92e0c55065d15a495a398bc27607567d1497
SSDEEP

24576:uSR66R9LwWCc9FFZUZVClJYkLbdf/nixuiO4DGDGW3628rKR1q+ClmJcpd++GMzr:uQvL9SWTVilyfMFo8D1b

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Drivers directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\jvm.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libzvbi_plugin.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteLargeTile.scale-150.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_whats_new_v2.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\XboxNotificationLogo.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\ValueProp_Unknown.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LargeTile.scale-200_contrast-white.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-200_contrast-white.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdasql.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\MedTile.scale-125.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_common.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\JOURNAL.INF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-96_altform-unplated_contrast-white.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-200_contrast-white.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages.properties	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-100.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-256_altform-lightunplated.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_altform-unplated_contrast-black.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-timezone-l1-1-0.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-200.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\CloseWrite.au3	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\LICENSE	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-lightunplated.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-336.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-400.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunMailBlurred.layoutdir-RTL.jpg	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-48_contrast-white.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.ELM	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.js	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxc	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dll	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\resources.pri	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-24_altform-unplated.png	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3856	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
Token: SeSecurityPrivilege	3856	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
Token: SeRestorePrivilege	3856	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
Token: SeBackupPrivilege	3856	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
Token: SeShutdownPrivilege	3856	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
Token: SeIncreaseQuotaPrivilege	4840	wmic.exe
Token: SeSecurityPrivilege	4840	wmic.exe
Token: SeTakeOwnershipPrivilege	4840	wmic.exe
Token: SeLoadDriverPrivilege	4840	wmic.exe
Token: SeSystemProfilePrivilege	4840	wmic.exe
Token: SeSystemtimePrivilege	4840	wmic.exe
Token: SeProfSingleProcessPrivilege	4840	wmic.exe
Token: SeIncBasePriorityPrivilege	4840	wmic.exe
Token: SeCreatePagefilePrivilege	4840	wmic.exe
Token: SeBackupPrivilege	4840	wmic.exe
Token: SeRestorePrivilege	4840	wmic.exe
Token: SeShutdownPrivilege	4840	wmic.exe
Token: SeDebugPrivilege	4840	wmic.exe
Token: SeSystemEnvironmentPrivilege	4840	wmic.exe
Token: SeRemoteShutdownPrivilege	4840	wmic.exe
Token: SeUndockPrivilege	4840	wmic.exe
Token: SeManageVolumePrivilege	4840	wmic.exe
Token: 33	4840	wmic.exe
Token: 34	4840	wmic.exe
Token: 35	4840	wmic.exe
Token: 36	4840	wmic.exe
Token: SeIncreaseQuotaPrivilege	4840	wmic.exe
Token: SeSecurityPrivilege	4840	wmic.exe
Token: SeTakeOwnershipPrivilege	4840	wmic.exe
Token: SeLoadDriverPrivilege	4840	wmic.exe
Token: SeSystemProfilePrivilege	4840	wmic.exe
Token: SeSystemtimePrivilege	4840	wmic.exe
Token: SeProfSingleProcessPrivilege	4840	wmic.exe
Token: SeIncBasePriorityPrivilege	4840	wmic.exe
Token: SeCreatePagefilePrivilege	4840	wmic.exe
Token: SeBackupPrivilege	4840	wmic.exe
Token: SeRestorePrivilege	4840	wmic.exe
Token: SeShutdownPrivilege	4840	wmic.exe
Token: SeDebugPrivilege	4840	wmic.exe
Token: SeSystemEnvironmentPrivilege	4840	wmic.exe
Token: SeRemoteShutdownPrivilege	4840	wmic.exe
Token: SeUndockPrivilege	4840	wmic.exe
Token: SeManageVolumePrivilege	4840	wmic.exe
Token: 33	4840	wmic.exe
Token: 34	4840	wmic.exe
Token: 35	4840	wmic.exe
Token: 36	4840	wmic.exe
Token: SeBackupPrivilege	4380	vssvc.exe
Token: SeRestorePrivilege	4380	vssvc.exe
Token: SeAuditPrivilege	4380	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 4840	3856	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe	80
PID 3856 wrote to memory of 4840	3856	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe	80
PID 3856 wrote to memory of 4840	3856	1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe	80

C:\Users\Admin\AppData\Local\Temp\1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe
"C:\Users\Admin\AppData\Local\Temp\1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690.exe"
1⤵
- Drops file in Drivers directory
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads