Analysis Overview
SHA256
4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
Threat Level: Known bad
The file 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167 was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Modifies extensions of user files
Drops startup file
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-18 07:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-18 07:41
Reported
2023-04-18 07:43
Platform
win7-20230220-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Maze
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ConvertToAssert.png => C:\Users\Admin\Pictures\ConvertToAssert.png.FScU | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OpenGrant.crw => C:\Users\Admin\Pictures\OpenGrant.crw.MteC | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b6d0ca26acccfb0.tmp | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1920 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1920 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1920 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1920 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
"C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\vh\..\Windows\jjxs\cch\..\..\system32\fuijv\..\wbem\mxxiu\g\b\..\..\..\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x52c
Network
| Country | Destination | Domain | Proto |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp |
Files
memory/1920-54-0x0000000000220000-0x000000000027E000-memory.dmp
memory/1920-58-0x0000000000220000-0x000000000027E000-memory.dmp
memory/1920-60-0x0000000000220000-0x000000000027E000-memory.dmp
memory/1920-64-0x0000000000220000-0x000000000027E000-memory.dmp
C:\MSOCache\DECRYPT-FILES.txt
| MD5 | 35f688f865d5a34b8e4444bbf6e7ad92 |
| SHA1 | 5c40e5737fb1a038d72cdca1bf42b6c05d663e27 |
| SHA256 | 990d839eeaae6173b85b0ba2d637e6e7a775a8f471c2733632b81f4888f62dbe |
| SHA512 | cba39f91d88d793f50e5cd576f2d9f1d2c0e9c203ed88b55078d4e9ad1c0830332748049aec7c75592a82d24dfab267e04490379758c592c5125c15a49dbc8a5 |
memory/1920-875-0x0000000000220000-0x000000000027E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_101AA4744BB248A9B5A923AD21B1BE56.dat
| MD5 | c73b4f4c1e5b532718c5de9aa69f3167 |
| SHA1 | 9176238645716870b98c12110a30a546b93ce672 |
| SHA256 | 1123c3c9fdd1fb43152194fcc8cf7a5c9a970fddbb41d75b236446ece8d3bc4e |
| SHA512 | 96224af520e1055cc8c5c20d53df1c40887de4d60714246a77e6a198c9d0a834b284e7e93d20dc828cdc886250ec61ddb5b5cbd0827da984963964062f87a9b5 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-18 07:41
Reported
2023-04-18 07:43
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Maze
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\AddUnpublish.png => C:\Users\Admin\Pictures\AddUnpublish.png.BrglIC | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CopySend.png => C:\Users\Admin\Pictures\CopySend.png.xvwQvWV | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\LockUnblock.raw => C:\Users\Admin\Pictures\LockUnblock.raw.UMLHJo2 | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\NewUndo.tiff => C:\Users\Admin\Pictures\NewUndo.tiff.UMLHJo2 | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnblockMerge.png => C:\Users\Admin\Pictures\UnblockMerge.png.GCAOuaS | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnlockWait.raw => C:\Users\Admin\Pictures\UnlockWait.raw.xXkNmvK | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnpublishTrace.tiff => C:\Users\Admin\Pictures\UnpublishTrace.tiff.xXkNmvK | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertUnprotect.crw => C:\Users\Admin\Pictures\ConvertUnprotect.crw.xvwQvWV | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExpandResume.tif => C:\Users\Admin\Pictures\ExpandResume.tif.xvwQvWV | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\NewUndo.tiff | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PopUnregister.tif => C:\Users\Admin\Pictures\PopUnregister.tif.UMLHJo2 | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PushNew.png => C:\Users\Admin\Pictures\PushNew.png.m0As8 | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnpublishTrace.tiff | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6ac70ca52f513004.tmp | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6ac70ca52f513004.tmp | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3392 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 3392 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe | C:\Windows\system32\wbem\wmic.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe
"C:\Users\Admin\AppData\Local\Temp\4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\flh\wbf\fi\..\..\..\Windows\ilr\nhkkv\lxer\..\..\..\system32\qli\epjwd\..\..\wbem\rdtg\..\wmic.exe" shadowcopy delete
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc 0x338
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 91.218.114.4:80 | tcp | |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 91.218.114.4:80 | tcp | |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.4:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 131.253.33.203:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.11:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.25:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.32:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.32:80 | tcp |
Files
memory/3392-133-0x00000000004E0000-0x000000000053E000-memory.dmp
memory/3392-137-0x00000000004E0000-0x000000000053E000-memory.dmp
memory/3392-139-0x00000000004E0000-0x000000000053E000-memory.dmp
memory/3392-143-0x00000000004E0000-0x000000000053E000-memory.dmp
C:\odt\DECRYPT-FILES.txt
| MD5 | 69cd83c204636981023e424195942205 |
| SHA1 | 90a78b664d5de9d59346c3a567ff1adf6317f8ee |
| SHA256 | 55091462cb3d3d4883275dfcf12f9811258509e21e50130325f1ce7dba2b08a3 |
| SHA512 | 019cfc60a6e11a67c46ab05443b4528e2b5e684c76cd6057023e5e0de7c588630a3e8208b23471a792bb68dc788ddd4f19abde4fb597a94a105f08090aeedaa5 |
memory/3392-943-0x00000000004E0000-0x000000000053E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_0E61896514C2437DB2020C9DF093567C.dat
| MD5 | 884c1b47ee4eea9c39b8e21c86c3ca77 |
| SHA1 | 2739890d1f4dc662551f381e962ac84dcfa50c36 |
| SHA256 | cecbddb3f77458c997becfa7d35d338ee2fa8e581bdf5c7685ad612d37020586 |
| SHA512 | 98cd858b15281c4c20b0ee507d0fd160ab5d66247ef206e55ae3bf70f3ee5835014bb3850b6672ae70ee8bf6e6d9d64e665cfccab37f8ba6b9a6b7f7df988d07 |