gandcrab | 78a28b25b330513649439305a5d9293cb07fb796ad6521ef31f39a5453a549d8

Resubmissions

07-09-2023 14:45

230907-r45fysaf5s 10

07-09-2023 14:12

230907-rjbyxaad5s 10

Analysis

max time kernel
152s
max time network
156s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-09-2023 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
Size

349KB
MD5

eb7138741adc746f8953a3db50d9e235
SHA1

c0adbd63648052edacdf65f74ce1ce9701125570
SHA256

4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00
SHA512

41d4a0aadbe055f6b22ead1bcc407a53e02075218e48aae18d2df5bf23f87fad0c8609725fa60e89de6fc67041acd41303c0505d1b88ddc06b7ed916a5981f8a
SSDEEP

6144:YPNS/+PNS/t7VggtOXOICLcF8t+JKrllVtqfLJC:YPPPiHcXOIFyqwjtqfLQ

Score

10^/10

gandcrab backdoor ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\OUBFQI-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .OUBFQI The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/cc0c4e2b858daf20 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAAp2s2ar3ePG/KIzNVKjYlJ8qeNMPEWJgFvblaGFZFXMqVnXR+Ul/Yuw+EenOuqOhl5fTULHb5h4zPW7k0V9TECzfX4D1owuZWsi8RbafpGbjMCf9mjSmGhnA4yZ2yaglZWn9VDQttZ42zULrzOrz0fkTCDi+r/1tPOkWFnK/JLpLM64WXG7Ul5Z8H6vt1G1XNBNmWHjtjTT93AGNs3PKkiIGkviiJLKie5FPUqLgMUyIATYHzwSMFYtQ4Lmrye0cON333DFDRnXUIhh1nSDftics1rljXxgmdb00oHmTtrh3V6H8pbMxKfXLnq9dREglHvrFnStlf8M8iSDrtLSJU/aMUWUwvjv6AfHkTfmaJXXV+Za+6KymsJ8tCKSVGiR1kWN0MIiZOg+PaPcYAquAgB5hyd5NIXRY/bq0wmGuU1JQmB+rsV7JTWSdcZXF53aY3I3vs/6dmLDUfI1gmokXlCv7Wyp1by+X6ZhQpLz4n7ryZF6xQ+OEJTGl6ikwfq83dCVpxGFiB8SV+3UGMjyXq/B7LReriKuh0awMmunncm3ZpDnW3GuLYS2GNcMH2sO8u2kgce3jP3TgGE7IqiTlqPfyh0VtVWvDb4mIEHBexh48ZiwiLAAS/19gQZPe7OF0Ge6++qhzKZ3lvefk056HMwaXbMN27aIPHpPqsO+WbqPF5hTgAE7thBM1QuKARPEwOctJYAwOmenYcKvyG/slk4aDzUyeIG3lbPYiS+0mysMzOhL6kx5Mvt8shqu7rIWcqQT6e4UNHouBJK1mpZFiI9H3/Ys5xhZ1mHzpkvZoXcT21wVz6Ob56PL2fjnjbFsVYDQXgja9EYQnEDYbEovU7WrgRFHoLr4xiRen0Qw724r6jMSlLBZKDoowZkCh+W4kxw+UxZrmqHbtB1PWH6Ss92qtBnSH0Xgf51jQxk607lu0DwSSbNSHLkdAgcqGfWblpLVuw1aM8RxIw+ilz9/DinPtfA9XZSpU7wQmuXCm8zQOt2Jm46Zd3Z6tKZgrvMjvIa1LzkVMBbbC9L+nZ88lr+XeARtK5mJpTJ3nsHrcPsBxT3kj9pkhPxrgBLTU6cdZx52D92vaEV3zS39NISiyf65k+CHelRqL27e0QXkxrZ/yiIDmPfbJwJoIf1CQyt/MpY8v2xyvZwLJCZO/xhdvMmJYpV/2fRoIVBXO2Wg20dU55l9rT5MRHRl9zUnkTdrAIdz3bpAzBeMlVgd/S4o5mzmBHjegKU3bj8V1C0RvHzdw/+PLbEVv0GEta1I0eiFCm38EZCm0d/waQvAWW/xm0LEUnUVk5p6MMdhS2zJxG3808fNXjEDUQJ1jYLmPPNmm9Fdtu+Dg98anoEZYjKi+5qtCiWXz4CRLQy4d3n7+Dn60Z3M+NCSw+i4jte/ROxrpaAOJwLheNYawp4n/jRpUo3I2sRHaKm52R9o3VAAVU/smH584Puter14NP2F04bG8iBm6m/+/ImbjvMAi1D+AvkSkkJwcxajT6bfVYN7Kr2sFe1yV8p0enKPnFFRTHUmm3v7I0G4aH71oM6oVt/4vPkPjaLAoGEHaY85TFQ0WAHCY993l2bJpQWjlCCzR5vxPvxCfg39gJB47IS/OGirZXeNzntqrfwvstpYy41f/oIQM1YHRJeEy1B84zFB3NbzkglPDHP9cEOOnpD9LsA+KhJkzl0F5Zmd/LIp8/XtMgiRwqkzAci0bkAQV7/ODI4PmuEGmHzptnTwJr8SUAOyac+XZy2wcJ3i8wg43IKshNUTYsnQxtKUOiwyx3/za+UGjv3xXCH1vwbWUS9q+0yPb8HVbwc7PU9+V27qDs/2ih8r2Aid+vnPwPPgQXRciEwgJ4/KU4hS7xruGg+bc3RmsijxvsnjWfz7PLXMpZuoljPXg8N11Ci5dfgQsgPTDSHAVO+sFL/EGgoXkMX7syvShr4sAWgDCLD89HBaFGie69h51cP24nJ2qQVv555aOUfVleZBEWKIYFcsyNkVZxaC5Ge/Y8mivlXxJsB9QhVl11S/fCIVom82Bcbp3jAEQzlPXAY8dZjKRsLb+xqIs5Kr0d8pWUC+fQRjSry3tF81t0zeXStKmsLQ5wHare1ALCYynrDB7cwgN+d3VwJv6mhmqJTOJcco7WtY7cKTBdK3PQWBzSqNRsgUYcPVaam2Gq688HVMuzGSpW9Bx94HLSTjRkpsQqZzgWKIEN+xcw9BWEjyZc5/OuYsy86EgX5CJfsRltLSQv4= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZQTodRuHYZ7m9WqbfFTGiHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+BisLEhkUjBs+Kg/zM2E+t0GtNYaVqLBnPt/BGAEdsboScE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg73ZibpCRFE3vHLMOat1wIZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJH8Hp4Oar+NRZwP9okRV/rusrPFzMH9OHYBh9gzrewdRb9tHf+DbmDW4OIcXpVeLdQr9FxhOVLL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/cc0c4e2b858daf20

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (343) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

description	ioc	process
File opened (read-only)	\??\G:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\H:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\I:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\S:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\W:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\X:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\B:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\E:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\K:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\P:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\T:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\U:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\A:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\Q:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\R:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\Y:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\Z:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\J:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\L:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\M:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\N:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\O:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened (read-only)	\??\V:	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

description	pid	process	target process
PID 2392 set thread context of 2616	2392	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

Drops file in Program Files directory 38 IoCs

Processes:

4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

description	ioc	process
File opened for modification	C:\Program Files\ReadResolve.xltm	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\ResolveSelect.xls	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File created	C:\Program Files (x86)\OUBFQI-DECRYPT.txt	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\858da8c2858daf2f3f.lock	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File created	C:\Program Files\858da8c2858daf2f3f.lock	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\PingLock.txt	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\ConnectClose.aiff	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\DismountSave.tmp	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\EnablePing.midi	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\PingRestore.search-ms	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\ProtectEdit.jtx	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\RenameLock.ppsm	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\AddDeny.ps1	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\AssertSave.inf	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\UnlockSwitch.midi	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\858da8c2858daf2f3f.lock	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OUBFQI-DECRYPT.txt	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\BlockPush.potm	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\GroupBackup.wm	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\MoveSet.ttc	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\OutFind.tiff	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\CompleteSet.vssx	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\ExportEnter.au3	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\ReceiveComplete.vstx	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OUBFQI-DECRYPT.txt	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\858da8c2858daf2f3f.lock	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\OUBFQI-DECRYPT.txt	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\CopyBackup.m4a	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\OpenExit.wvx	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\OpenDismount.xlt	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\EditComplete.xht	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File created	C:\Program Files\OUBFQI-DECRYPT.txt	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\ApproveOpen.wav	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\ClearUpdate.ppt	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\ImportSend.vsw	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File created	C:\Program Files (x86)\858da8c2858daf2f3f.lock	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\AddUnpublish.aifc	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
File opened for modification	C:\Program Files\CheckpointUnlock.WTV	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

pid	process
2616	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
2616	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exewmic.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2392	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
Token: SeIncreaseQuotaPrivilege	328	wmic.exe
Token: SeSecurityPrivilege	328	wmic.exe
Token: SeTakeOwnershipPrivilege	328	wmic.exe
Token: SeLoadDriverPrivilege	328	wmic.exe
Token: SeSystemProfilePrivilege	328	wmic.exe
Token: SeSystemtimePrivilege	328	wmic.exe
Token: SeProfSingleProcessPrivilege	328	wmic.exe
Token: SeIncBasePriorityPrivilege	328	wmic.exe
Token: SeCreatePagefilePrivilege	328	wmic.exe
Token: SeBackupPrivilege	328	wmic.exe
Token: SeRestorePrivilege	328	wmic.exe
Token: SeShutdownPrivilege	328	wmic.exe
Token: SeDebugPrivilege	328	wmic.exe
Token: SeSystemEnvironmentPrivilege	328	wmic.exe
Token: SeRemoteShutdownPrivilege	328	wmic.exe
Token: SeUndockPrivilege	328	wmic.exe
Token: SeManageVolumePrivilege	328	wmic.exe
Token: 33	328	wmic.exe
Token: 34	328	wmic.exe
Token: 35	328	wmic.exe
Token: SeIncreaseQuotaPrivilege	328	wmic.exe
Token: SeSecurityPrivilege	328	wmic.exe
Token: SeTakeOwnershipPrivilege	328	wmic.exe
Token: SeLoadDriverPrivilege	328	wmic.exe
Token: SeSystemProfilePrivilege	328	wmic.exe
Token: SeSystemtimePrivilege	328	wmic.exe
Token: SeProfSingleProcessPrivilege	328	wmic.exe
Token: SeIncBasePriorityPrivilege	328	wmic.exe
Token: SeCreatePagefilePrivilege	328	wmic.exe
Token: SeBackupPrivilege	328	wmic.exe
Token: SeRestorePrivilege	328	wmic.exe
Token: SeShutdownPrivilege	328	wmic.exe
Token: SeDebugPrivilege	328	wmic.exe
Token: SeSystemEnvironmentPrivilege	328	wmic.exe
Token: SeRemoteShutdownPrivilege	328	wmic.exe
Token: SeUndockPrivilege	328	wmic.exe
Token: SeManageVolumePrivilege	328	wmic.exe
Token: 33	328	wmic.exe
Token: 34	328	wmic.exe
Token: 35	328	wmic.exe
Token: SeBackupPrivilege	2800	vssvc.exe
Token: SeRestorePrivilege	2800	vssvc.exe
Token: SeAuditPrivilege	2800	vssvc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
"C:\Users\Admin\AppData\Local\Temp\4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
  "C:\Users\Admin\AppData\Local\Temp\4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe"
  2⤵
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\OUBFQI-DECRYPT.txt

Filesize
8KB

MD5
585f32a1c3e4ba6d3d121364f1fb135f

SHA1
2273482eb3d84487b5b2e25e9318afff6026f19a

SHA256
503a71e0d772a3cdbc7d1febc49a47b24438a2617f490f5dc0c4a65eb813a533

SHA512
250466b2f15c59177ba8be3758796d69849d1bf7157973120b7767791b94942d3418879de619dfb7314f371aae0808b2d9c9796c34e3796cca523677033e7977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
483e73d4d410e44af1ab38efb46427b3

SHA1
3b683d8a18e8acaeb14a6599be8b2c7f30062d37

SHA256
314e585ca1e01aa4833fc6ccd4e65205817b0b7d3bdce6419d5a09de431e641d

SHA512
b8ce29ed86b3f7e09e6d23daa1fbbafed9de781f48f276c1b7e0f7a4b43eafde8d1be6cbf4c045c58f0dcb022dae3b174f66ca4813b1114c82bb9755b5084609

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a8ea1dbd57002bed85791e61d195f27

SHA1
8f83e7eb6440bed4b40f695f2c068417ae1f538d

SHA256
d41bcfe8aeddb375f2eb08dc2b7d53acef6c2a214a284a0452a1a3a37774eaf0

SHA512
6ff1896a9148c5aebf22472ec7de6d4dd1989d11af6568fdf68386489e936409927759b600565271907908db69acc82ded34d0502b057ed65e5ccd269f762674

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab43E5.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar44C3.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/2392-4-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-0-0x0000000000BD0000-0x0000000000C2A000-memory.dmp

Filesize
360KB

Download
memory/2392-1-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-2-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2392-3-0x0000000000620000-0x0000000000660000-memory.dmp

Filesize
256KB

Download
memory/2392-17-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-6-0x0000000000620000-0x0000000000660000-memory.dmp

Filesize
256KB

Download
memory/2392-5-0x0000000000620000-0x0000000000660000-memory.dmp

Filesize
256KB

Download
memory/2616-32-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2616-868-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2616-18-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2616-16-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2616-12-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2616-8-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download

description	pid	process	target process
PID 2392 wrote to memory of 2616	2392	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
PID 2392 wrote to memory of 2616	2392	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
PID 2392 wrote to memory of 2616	2392	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
PID 2392 wrote to memory of 2616	2392	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
PID 2392 wrote to memory of 2616	2392	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
PID 2392 wrote to memory of 2616	2392	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
PID 2392 wrote to memory of 2616	2392	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
PID 2392 wrote to memory of 2616	2392	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
PID 2392 wrote to memory of 2616	2392	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
PID 2392 wrote to memory of 2616	2392	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
PID 2392 wrote to memory of 2616	2392	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
PID 2616 wrote to memory of 328	2616	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	wmic.exe
PID 2616 wrote to memory of 328	2616	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	wmic.exe
PID 2616 wrote to memory of 328	2616	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	wmic.exe
PID 2616 wrote to memory of 328	2616	4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe	wmic.exe