6e5f7ac150e500bc95e33a16b8a6c6a80f750145fd428b16c83ec4e6f21dc957

General

Target

Eterna.exe
Size

4.2MB
MD5

4b16139ce122c3d0dc2c15a04b1d5110
SHA1

9e3321d739ff3813e4289d6dcb177ae3beb93eb5
SHA256

6e5f7ac150e500bc95e33a16b8a6c6a80f750145fd428b16c83ec4e6f21dc957
SHA512

1df0388665e159f2dd26536150b2cab670d9fc7f58cf686dd074dd68875ad9f9793c5139b66bf0ea621b3c41afd2503455ee66c5b71ad9b497f29cde2b8f3b4d
SSDEEP

98304:xIC4bj8JKA9CYVzVJnUxnwsipGxnP3c4+qrUrAqFjrYolcfEBNHA40lZf:WC4bAJPFVJnUxw3UlPcIUrAqFjEEbBNy

Score

9^/10

evasion persistence ransomware themida trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Eterna.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Eterna.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Eterna.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Eterna.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Eterna.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Eterna.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2076-133-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp	themida
behavioral2/memory/2076-134-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp	themida
behavioral2/memory/2076-135-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp	themida
behavioral2/memory/2076-136-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp	themida
behavioral2/memory/2076-137-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp	themida
behavioral2/memory/2076-147-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Eterna.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Eterna.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Eterna.exe

pid process

2076 Eterna.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Eterna.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

pid	process
2076	Eterna.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

560 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4992 taskkill.exe

pid	process
560	vssadmin.exe

pid	process
4992	taskkill.exe

Modifies registry class 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2805025096-2326403612-4231045514-1000\{7DCC6AAE-EE72-469E-A981-C3CD240399E9}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Eterna.exe

pid process

2076 Eterna.exe
2076 Eterna.exe

pid	process
2076	Eterna.exe
2076	Eterna.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

taskkill.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4992	taskkill.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe
Token: SeShutdownPrivilege	3608	explorer.exe
Token: SeCreatePagefilePrivilege	3608	explorer.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

explorer.exe

pid process

3608 explorer.exe
3608 explorer.exe
3608 explorer.exe
3608 explorer.exe
3608 explorer.exe
3608 explorer.exe
3608 explorer.exe
3608 explorer.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

explorer.exe

pid	process
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe
3608	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Eterna.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2076 wrote to memory of 2568	2076	Eterna.exe	cmd.exe
PID 2076 wrote to memory of 2568	2076	Eterna.exe	cmd.exe
PID 2568 wrote to memory of 2168	2568	cmd.exe	certutil.exe
PID 2568 wrote to memory of 2168	2568	cmd.exe	certutil.exe
PID 2568 wrote to memory of 2704	2568	cmd.exe	find.exe
PID 2568 wrote to memory of 2704	2568	cmd.exe	find.exe
PID 2568 wrote to memory of 3600	2568	cmd.exe	find.exe
PID 2568 wrote to memory of 3600	2568	cmd.exe	find.exe
PID 2076 wrote to memory of 736	2076	Eterna.exe	cmd.exe
PID 2076 wrote to memory of 736	2076	Eterna.exe	cmd.exe
PID 736 wrote to memory of 4992	736	cmd.exe	taskkill.exe
PID 736 wrote to memory of 4992	736	cmd.exe	taskkill.exe
PID 2076 wrote to memory of 1280	2076	Eterna.exe	cmd.exe
PID 2076 wrote to memory of 1280	2076	Eterna.exe	cmd.exe
PID 1280 wrote to memory of 3608	1280	cmd.exe	explorer.exe
PID 1280 wrote to memory of 3608	1280	cmd.exe	explorer.exe
PID 2076 wrote to memory of 948	2076	Eterna.exe	cmd.exe
PID 2076 wrote to memory of 948	2076	Eterna.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Eterna.exe
"C:\Users\Admin\AppData\Local\Temp\Eterna.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Eterna.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
2⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Eterna.exe" MD5
3⤵
PID:2168

C:\Windows\system32\find.exe
find /i /v "md5"
3⤵
PID:2704

C:\Windows\system32\find.exe
find /i /v "certutil"
3⤵
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Windows\explorer.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\explorer.exe
C:\Windows\explorer.exe
3⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
2⤵
PID:3936

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
2⤵
PID:4028

C:\Windows\system32\net.exe
net stop winmgmt /Y
3⤵
PID:4992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop winmgmt /Y
4⤵
PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\VCK.exe -prv 1 -map C:\ProgramData\KA.sys
2⤵
PID:1652

C:\ProgramData\VCK.exe
C:\ProgramData\VCK.exe -prv 1 -map C:\ProgramData\KA.sys
3⤵
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\ProgramData\VCK.exe
2⤵
PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\ProgramData\KA.sys
2⤵
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\ProgramData\drv64.dll
2⤵
PID:940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4944

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KA.sys
Filesize
20KB

MD5
55d14577a0a00b5a0f1d68a1f5cf36f7

SHA1
66f18c58849e950568fbe7875fe38958a672db65

SHA256
14285c1c3cbcfaf33759cbb7798c3435bfc074a8f7addd915dcdc49b11f11bf0

SHA512
28199e90f44cad0607c3b4c644421852b09faf061c4f5801ae1516272efe0944a60b088a5fba0fd1211ee1f8c8d4b81ff4790309e0ed2f20f67cb849686f57a8

Download Submit
C:\ProgramData\KA.sys
Filesize
20KB

MD5
55d14577a0a00b5a0f1d68a1f5cf36f7

SHA1
66f18c58849e950568fbe7875fe38958a672db65

SHA256
14285c1c3cbcfaf33759cbb7798c3435bfc074a8f7addd915dcdc49b11f11bf0

SHA512
28199e90f44cad0607c3b4c644421852b09faf061c4f5801ae1516272efe0944a60b088a5fba0fd1211ee1f8c8d4b81ff4790309e0ed2f20f67cb849686f57a8

Download Submit
C:\ProgramData\VCK.exe
Filesize
301KB

MD5
ba13d70e03425c3a2cba08e4fb9d4a64

SHA1
34e76a3ae4835fd9f151017ee2ec4343f995a636

SHA256
dd108f763a70e747e560de7320e7839d9502e5f9716037eeac0c0b775eb4c403

SHA512
edee4e29fc514304b12aad732d82f78316dc03e924831f7687c939e8af0eee1372d8234c25f9cf79fad6fe03c06fcaf6f0a5616d61d4660d541fae5186008476

Download Submit
C:\ProgramData\VCK.exe
Filesize
301KB

MD5
ba13d70e03425c3a2cba08e4fb9d4a64

SHA1
34e76a3ae4835fd9f151017ee2ec4343f995a636

SHA256
dd108f763a70e747e560de7320e7839d9502e5f9716037eeac0c0b775eb4c403

SHA512
edee4e29fc514304b12aad732d82f78316dc03e924831f7687c939e8af0eee1372d8234c25f9cf79fad6fe03c06fcaf6f0a5616d61d4660d541fae5186008476

Download Submit
C:\ProgramData\drv64.dll
Filesize
866KB

MD5
2c0bce066169333db8570c99f976bfe6

SHA1
7b2ae355c4aa020778c77d222801eea774d15b7c

SHA256
9d794df0dbed3eefdd66bff31f373233dc1e8888793a7e479fd757e812277579

SHA512
31774013cdf6305a7a9cc882a05d6dbcb3f584ca6c0926698411cf6e71a27cc1e0289f696c50c3e612bdb06d2b57d3dc968f47e0fdd872b4e168298aacec4d97

Download Submit
C:\ProgramData\drv64.dll
Filesize
866KB

MD5
2c0bce066169333db8570c99f976bfe6

SHA1
7b2ae355c4aa020778c77d222801eea774d15b7c

SHA256
9d794df0dbed3eefdd66bff31f373233dc1e8888793a7e479fd757e812277579

SHA512
31774013cdf6305a7a9cc882a05d6dbcb3f584ca6c0926698411cf6e71a27cc1e0289f696c50c3e612bdb06d2b57d3dc968f47e0fdd872b4e168298aacec4d97

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133237968612825884.txt
Filesize
75KB

MD5
30466909c6fd3bdb0f6d20f8bd1c4b39

SHA1
f0e015ecc6e6f60ac5871f2f62a0fff521d02932

SHA256
45d64a3ff61f03c84e611eeb213108e1de7877e8a802067698e518937ac08029

SHA512
5f84125cc967bd7ae3fc30026472ff15c5b41122ec36f776f7c2fef7f1b07319c51d1300b657e42f0a6f116f14371ce37b89821fe837867f5d06d11e25ec2909

Download Submit
memory/2076-137-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp

Filesize
11.2MB

Download
memory/2076-147-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp

Filesize
11.2MB

Download
memory/2076-133-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp

Filesize
11.2MB

Download
memory/2076-136-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp

Filesize
11.2MB

Download
memory/2076-135-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp

Filesize
11.2MB

Download
memory/2076-134-0x00007FF7F6370000-0x00007FF7F6EA3000-memory.dmp

Filesize
11.2MB

Download
memory/3608-152-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/4960-162-0x0000014C83CD0000-0x0000014C83CF0000-memory.dmp

Filesize
128KB

Download
memory/4960-164-0x0000014C840E0000-0x0000014C84100000-memory.dmp

Filesize
128KB

Download
memory/4960-159-0x0000014C83D10000-0x0000014C83D30000-memory.dmp

Filesize
128KB

Download
memory/4960-289-0x0000014481340000-0x0000014482C6F000-memory.dmp

Filesize
25.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads