Analysis
max time kernel: 102s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-03-2023 12:29
Behavioral task behavioral1: Sample 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe, Resource win7-20230220-en
Behavioral task behavioral2: Sample 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe, Resource win10v2004-20230220-en (the run whose results are shown on this page; the platform and resource fields above match it)
General
Target: 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
Size: 12.0MB
MD5: a067491773524cf499e7a0bc77ceec96
SHA1: e8034dfd3468dcd3d5a6d09f3fde7f63dcc9ec13
SHA256: 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457
SHA512: c759d0ace38c842f98d4a9d4a8cc342c89d40ab4238ff52625db13a4e50714aedf701798f6ea22e755e3599c4e002b4ba49ed3f9b06c56e4d95ac7ce6800fa4c
SSDEEP: 98304:QnLu1TIRtUOV5ZQ+5jZArLu1OWWqXpy05QP:QnTRtBYk405QP
Malware Config
Extracted from C:\ProgramData\Readme_Instructions.html (the dropped note; the same file name is written into many other directories, see the file-drop signatures below):
  href="mailto:[email protected]">[email protected]</a><br><br>
  http-equiv="X-UA-Compatible"
The contact address is not preserved on this page: both the mailto: target and the link text appear as the literal placeholder [email protected], so it cannot be used as an indicator from here.
Signatures
-
Drops startup file 1 IoCs
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Readme_Instructions.html by 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
Caveat: this is the same note file the sample writes into every directory it walks. Word loads templates and add-ins from its STARTUP folder, not .html files, so this hit reflects the directory walk passing through that folder, not a persistence mechanism.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
No concrete IoCs are recorded for this signature on the page; it is a TTP-level match. Given the sample's other behaviour here (note dropping across directory trees, shadow-copy deletion), access to browser profile directories is as consistent with a file-system walk over the user profile as with credential theft; check the file-access trace before treating it as exfiltration.
-
Drops file in Program Files directory 64 IoCs
Process for all 64 entries: 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

File created (12 entries, every one a copy of the note Readme_Instructions.html):
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\Readme_Instructions.html
- C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Readme_Instructions.html
- C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\Readme_Instructions.html
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\Readme_Instructions.html
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\Readme_Instructions.html
- C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\Readme_Instructions.html
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\Readme_Instructions.html
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\Readme_Instructions.html
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\Readme_Instructions.html
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\Readme_Instructions.html
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\Readme_Instructions.html
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\Readme_Instructions.html

File opened for modification (52 entries, existing application files under Program Files and Program Files (x86)):
- C:\Program Files\Java\jre1.8.0_66\lib\logging.properties
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress-indeterminate.gif
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\optimize_poster.jpg
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\ui-strings.js
- C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\ui-strings.js
- C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar
- C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\bun.png
- C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml
- C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png
- C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\PREVIEW.GIF
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\ui-strings.js
- C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms
- C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png
- C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar
- C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pt-BR.pak.DATA
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\FM20.CHM
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\edit-pdf.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\ui-strings.js
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_100_percent.pak
- C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_2x.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js
- C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat
- C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_it.properties
- C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\ui-strings.js
- C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms
- C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\eu-es\ui-strings.js
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\PlayStore_icon.svg
- C:\Program Files\7-Zip\Lang\lv.txt
- C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms
- C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-awt.xml
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons.png
- C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\faf_icons.png
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\welcome.png

Caveat: the report records only that each file was opened for modification, not what was written, and the 64 entries shown are the signature's display cap, not the full set of files touched. The pattern (one note per directory, write-access to arbitrary application files regardless of type, no preference for executables) is a directory walk over the whole Program Files tree, not a targeted tamper with particular applications.
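The signature table above reaches this page flattened into one run of text, with each entry being action, path and process joined by single spaces. The following is an added example, not part of the report: a parser that uses the process name as the record delimiter (splitting on whitespace would break paths such as "Program Files (x86)"), then separates note drops from files opened for modification and aggregates by extension and vendor directory. Its input is a constructed five-entry excerpt with the same layout as the page.

```python
"""Parse a flattened 'description ioc Process ...' run into IoC records.

Added example; not part of the report. FLATTENED is a constructed excerpt in
the same shape as the 'Drops file in Program Files directory' signature.
"""
import ntpath
from collections import Counter

SAMPLE = "134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe"
ACTIONS = ("File opened for modification", "File created")
NOTE_NAME = "Readme_Instructions.html"

# Constructed excerpt: five of the report's entries, joined exactly as the page joins them.
FLATTENED = " ".join([
    "description ioc Process",
    r"File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\logging.properties", SAMPLE,
    r"File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\Readme_Instructions.html", SAMPLE,
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif", SAMPLE,
    r"File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Readme_Instructions.html", SAMPLE,
    r"File opened for modification C:\Program Files\7-Zip\Lang\lv.txt", SAMPLE,
    "-",
])


def parse_iocs(text, process, actions=ACTIONS):
    """Split a flattened run into {'action', 'path', 'process'} records.

    Every entry ends with the process name, so that name is the only safe
    delimiter; the action prefix is then matched against a fixed vocabulary.
    """
    header = "description ioc Process"
    body = text.strip()
    if body.startswith(header):
        body = body[len(header):]
    records = []
    for chunk in body.split(" " + process):
        chunk = chunk.strip()
        if chunk in ("", "-"):          # empty tail, or the page's trailing '-'
            continue
        for action in actions:
            if chunk.startswith(action + " "):
                records.append({"action": action,
                                "path": chunk[len(action) + 1:],
                                "process": process})
                break
        else:
            raise ValueError("unrecognised entry: " + chunk)
    return records


def summarize(records, note_name=NOTE_NAME):
    """Separate note drops from files opened for modification and aggregate."""
    note_dirs = sorted(ntpath.dirname(r["path"]) for r in records
                       if r["action"] == "File created"
                       and ntpath.basename(r["path"]) == note_name)
    modified_ext = Counter(ntpath.splitext(r["path"])[1].lower()
                           for r in records
                           if r["action"] == "File opened for modification")
    # The vendor directory is the component after 'Program Files' / 'Program Files (x86)'.
    vendors = Counter(r["path"].split("\\")[2] for r in records)
    return {"note_count": len(note_dirs), "note_dirs": note_dirs,
            "modified_extensions": modified_ext, "vendors": vendors}


if __name__ == "__main__":
    recs = parse_iocs(FLATTENED, SAMPLE)
    for r in recs:
        print(r["action"], "|", r["path"])
    print(summarize(recs))
```

Run over the full 64-entry run from the page, the note directories become a ready-made canary list for a file-integrity monitor, and the extension counter shows the walk is type-agnostic.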
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid 4652, 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe: 64 identical entries (the same process each time)
Suspicious use of AdjustPrivilegeToken 45 IoCs
vssvc.exe (PID 4116): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
WMIC.exe (PID 3472), the following 21 privileges enabled twice in sequence: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the unresolved privilege LUIDs 33, 34, 35, 36
Caveat: the sample itself (PID 4652) does not appear here. WMIC.exe routinely enables every privilege its token already holds at start-up, and vssvc.exe needs backup/restore privileges to service any shadow-copy request, so these entries describe the tools rather than a privilege escalation by the sample. The relevant fact is who launched WMIC (see the process tree).
Suspicious use of WriteProcessMemory 4 IoCs
PID 4652 (134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe) wrote to memory of PID 1412 (cmd.exe), procid_target 85 (recorded twice)
PID 1412 (cmd.exe) wrote to memory of PID 3472 (WMIC.exe), procid_target 87 (recorded twice)
Both pairs are a parent writing into the child it has just created and match the process tree exactly, which is the normal CreateProcess footprint. There is no write into an unrelated process, so this is not evidence of injection.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Read together with the process tree: the WMIC command names one specific shadow-copy ID ({A0B0B306-6CF5-4165-87A7-82F15E2F8736}), so the sample must have enumerated the existing shadow copies first (this COM-API signature) and then deleted the one it found by ID rather than issuing a wholesale `shadowcopy delete`. The by-ID form is quieter in command-line logs; detection should match on "shadowcopy" together with "delete" regardless of the where-clause.
Processes
- 134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe (PID 4652)
  Image: C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe"
  Signatures: Drops startup file; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - cmd.exe (PID 1412)
    Image: C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A0B0B306-6CF5-4165-87A7-82F15E2F8736}'" delete
    Signatures: Suspicious use of WriteProcessMemory
    - WMIC.exe (PID 3472)
      Image: C:\Windows\System32\wbem\WMIC.exe
      Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A0B0B306-6CF5-4165-87A7-82F15E2F8736}'" delete
      Signatures: Suspicious use of AdjustPrivilegeToken
- vssvc.exe (PID 4116)
  Image: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
  (Not a child of the sample: the VSS service is started by the Service Control Manager when a shadow-copy request arrives, which is why it sits at the top level of the tree.)
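The chain above (sample, then cmd.exe, then WMIC.exe with a by-ID shadow-copy delete) is the detection opportunity in this report. The following is an added example, not from the report or the sample: a detector over constructed Sysmon Event ID 1-style records that alerts on the executable performing the deletion, distinguishes the by-ID form seen here from the wholesale form, and rebuilds the parent chain so the alert names the originating binary. It goes beyond the page by also covering vssadmin and the PowerShell Win32_ShadowCopy form, which are not in this report; the dict layout of the events is an assumption about how a pipeline serialises them.

```python
"""Flag shadow-copy deletion (ATT&CK T1490) in process-creation telemetry.

Added example; not part of the sandbox report. EVENTS is constructed to
mirror the report's process tree. Field names follow Sysmon Event ID 1.
"""
import ntpath
import re

SAMPLE = "134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
SHADOW_ID = "{A0B0B306-6CF5-4165-87A7-82F15E2F8736}"
DELETE_CMD = WMIC + " shadowcopy where \"ID='" + SHADOW_ID + "'\" delete"

# Constructed events, not real telemetry. PID 3000 stands in for an unrelated
# parent (e.g. explorer.exe) that is outside the collection window.
EVENTS = [
    {"ProcessId": 4652, "ParentProcessId": 3000,
     "Image": ntpath.join(TEMP_DIR, SAMPLE),
     "CommandLine": '"' + ntpath.join(TEMP_DIR, SAMPLE) + '"'},
    {"ProcessId": 1412, "ParentProcessId": 4652,
     "Image": r"C:\Windows\SYSTEM32\cmd.exe",
     "CommandLine": "cmd.exe /c " + DELETE_CMD},
    {"ProcessId": 3472, "ParentProcessId": 1412,
     "Image": WMIC,
     "CommandLine": DELETE_CMD},
    # Benign WMIC use from the same unrelated parent; must not alert.
    {"ProcessId": 5100, "ParentProcessId": 3000,
     "Image": WMIC,
     "CommandLine": "wmic os get caption,version"},
]

# Rules keyed on the executable that performs the deletion; the cmd.exe wrapper
# is still visible as the parent in the alert's ancestry chain. vssadmin and the
# PowerShell Win32_ShadowCopy form are added here; they do not occur in the report.
RULES = [
    ("wmic_shadowcopy_delete", {"wmic.exe"},
     re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin_delete_shadows", {"vssadmin.exe"},
     re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("powershell_win32_shadowcopy_delete", {"powershell.exe", "pwsh.exe"},
     re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
]
# Deletion narrowed to one shadow-copy ID (the form in the report). The ID had
# to be enumerated beforehand, so the wholesale form is not the only thing to match.
TARGETED = re.compile(r"ID\s*=\s*'\{[0-9A-Fa-f-]{36}\}'")


def ancestry(events, pid):
    """Return image basenames from the oldest known ancestor down to `pid`."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:       # `seen` guards against PID reuse loops
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


def detect(events):
    """Return one alert per process whose command line deletes shadow copies."""
    alerts = []
    for e in events:
        image = ntpath.basename(e["Image"]).lower()
        cmdline = e.get("CommandLine", "")
        for rule, images, pattern in RULES:
            if image in images and pattern.search(cmdline):
                alerts.append({
                    "rule": rule,
                    "technique": "T1490",
                    "pid": e["ProcessId"],
                    "targeted": bool(TARGETED.search(cmdline)),
                    "chain": ancestry(events, e["ProcessId"]),
                    "command_line": cmdline,
                })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["rule"], a["pid"], "by-id" if a["targeted"] else "bulk",
              " -> ".join(a["chain"]))
```

Matching on the executing image rather than on every command line that contains the string avoids a duplicate alert for the cmd.exe wrapper while keeping it in the chain; the benign `wmic os get` event shows the rule does not fire on WMIC use as such.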
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 1KB (file name not given on the page)
MD5: 9ae54b4efc9f30245782c6001f69b120
SHA1: 3de64c5e9732699b76510728e43f408c131a995e
SHA256: cef2395cc2ae718f07b84bdbae435752c0e7049aa6de8488ab045c07f5fd0b37
SHA512: fbbb0e2bf0d11756dba1d9bf0183a2f0ec94ee729d97740ed3ba47b3f99922188fc04fdbc255f51a3544fa3bfc7ed588d3aabb45de0ed59ed96ce6d15daeed75