Analysis
- max time kernel: 150s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 11-09-2023 14:40
General
- Target: 1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe
- Size: 179KB
- MD5: 6ecdfd76e99ac7bf571dd21bf4d85fe4
- SHA1: 3b622b03e700c8f5115e0706e7bd510ba18daaab
- SHA256: 1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6
- SHA512: 42355f470974b0f9ffc3e65331d7384d850858e7c32986d5b004d7384282d9d20c85c5b58e6f0f94784f0ac09c5a669e9241b7a62825fe4b08cbe575df00025f
- SSDEEP: 3072:kuWvdwxYVLSroutnDnQiREOjijPwAhFbwALCYmgBO8ja+8ewQ0UM44Fn3fzT45:kuAwxVoSnDQi7kRtLCY88ja+8ewQStFI
Malware Config
Signatures
- CrypVault
  Ransomware family which makes encrypted files look like they have been quarantined by AV.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro. In this run the cause is visible in the process list below: WMIC.exe (PID 2284, a child of F2BFD3CE9C25.exe PID 1944) issued "process call create", so the resulting cmd.exe was started by the WMI provider host rather than by the ransomware, which breaks the parent/child chain a responder would otherwise follow.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 1292, pid_target: 2376, Process: cmd.exe, procid_target: 54
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid 2784 bcdedit.exe
  pid 2796 bcdedit.exe
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta (F2BFD3CE9C25.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta (F2BFD3CE9C25.exe)
  An .hta in the per-user Startup folder is handed to mshta.exe at every logon, so the ransom note reappears after each reboot.
- Executes dropped EXE (2 IoCs)
  pid 1368 F2BFD3CE9C25.exe
  pid 1944 F2BFD3CE9C25.exe
- Loads dropped DLL (3 IoCs)
  pid 2960 1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe (two entries)
  pid 1368 F2BFD3CE9C25.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
- UPX-packed code in memory (yara rule: upx)
  behavioral1/memory/2960-0 and 2960-27: 0x0000000000400000-0x000000000042C000 (PID 2960, 1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe)
  behavioral1/memory/1944-15, -16, -17, -18, -21, -24, -25, -26, -28, -95, -132: 0x0000000000400000-0x0000000000978000 (PID 1944, F2BFD3CE9C25.exe)
  behavioral1/memory/1848-141: 0x0000000140000000-0x00000001405E8000 (PID 1848, taskmgr.exe)
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (mshta.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1368 set thread context of 1944 (F2BFD3CE9C25.exe, procid_target 45)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 1244 vssadmin.exe
- Modifies Internet Explorer settings
  All keys below live under \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\, abbreviated IE\. Only the entry from mshta.exe belongs to the ransomware chain (it is the process that opened VAULT.hta); the iexplore.exe and WINWORD.EXE entries are the browser and Word writing their own settings.
  Key created IE\Zoom (iexplore.exe)
  Set value (int) IE\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  Key created IE\Main\WindowsSearch (IEXPLORE.EXE)
  Key created IE\MenuExt\Se&nd to OneNote (WINWORD.EXE)
  Set value (str) IE\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
  Key created IE\InternetRegistry (iexplore.exe)
  Key created IE\PageSetup (iexplore.exe)
  Set value (str) IE\Main\FullScreen = "no" (iexplore.exe)
  Key created IE\Toolbar (WINWORD.EXE)
  Key created IE\Main (mshta.exe)
  Key created IE\Toolbar\WebBrowser (iexplore.exe)
  Set value (int) IE\Recovery\AdminActive\{3E7C6FC1-50B1-11EE-B1CA-5EF5C936A496} = "0" (iexplore.exe)
  Key created IE\Main (IEXPLORE.EXE)
  Set value (int) IE\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
  Key created IE\MINIE (iexplore.exe)
  Set value (int) IE\MINIE\TabBandWidth = "500" (iexplore.exe)
  Key created IE\MenuExt (WINWORD.EXE)
  Set value (int) IE\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
  Key created IE\LowRegistry\DOMStorage (iexplore.exe)
  Set value (str) IE\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  Key created IE\IntelliForms (iexplore.exe)
  Set value (int) IE\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
  Key created IE\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
  Key created IE\Main (iexplore.exe)
  Key created IE\GPU (iexplore.exe)
  Key created IE\IETld\LowMic (iexplore.exe)
  Key created IE\Recovery\PendingRecovery (iexplore.exe)
  Key created IE\TabbedBrowsing (iexplore.exe)
  Set value (data) IE\TabbedBrowsing\NewTabPage\MFV = (value not preserved on this page) (iexplore.exe)
  Key created IE\BrowserEmulation\LowMic (iexplore.exe)
  Set value (int) IE\Main\CompatibilityFlags = "0" (iexplore.exe)
  Set value (str) IE\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
  Key created IE\Toolbar (iexplore.exe)
  Key created IE\Recovery\AdminActive (iexplore.exe)
  Key created IE\Main\WindowsSearch (iexplore.exe)
  Key created IE\Main (IEXPLORE.EXE)
  Set value (str) IE\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
  Key created IE\TabbedBrowsing\NewTabPage (iexplore.exe)
  Set value (str) IE\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
  Set value (int) IE\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
  Key created IE\LowRegistry (iexplore.exe)
  Key created IE\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  Set value (data) IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000b060a85f2fe855e1cfd601dacf5226bb8c3b2deea80a16e6f6084b3c1f6498f7000000000e800000000200002000000095202e701a7986b7a6bc94815c7f937e2ad8f2eac8d889829f2b1fe44f77876020000000e7aa8d0745d1277fd284b22d61e73268c72cc41483923fe18ebd11b8a06e447a40000000ff62fbbb4dad8009c360d43fc15f0f7547b2a6ffb11564f6ad8edda627d8ffae95c33cac5e94eeb1ec31eb610bda595d697a12f08333ae1ef3836ad5e9cafad9 (iexplore.exe)
  Set value (data) IE\TabbedBrowsing\NewTabPage\LastProcessed = 40388614bee4d901 (iexplore.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 2644 WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1368 F2BFD3CE9C25.exe
  pid 1944 F2BFD3CE9C25.exe
  pid 1848 taskmgr.exe (the remaining 62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1848 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  pid 2284 WMIC.exe, the same 20 privileges enabled twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 1848 taskmgr.exe: SeDebugPrivilege
  pid 1568 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  pid 1772 AUDIODG.EXE: 33, SeIncBasePriorityPrivilege (each twice)
  WMIC.exe enabling every privilege present in its token is its normal start-up behaviour; the signal in this run is the command it executed, not the token change.
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 1848 taskmgr.exe (63 entries)
  pid 3040 iexplore.exe (1 entry)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid 1848 taskmgr.exe (all 64 entries)
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid 1368 F2BFD3CE9C25.exe (1)
  pid 2644 WINWORD.EXE (3)
  pid 3040 iexplore.exe (2)
  pid 2552 IEXPLORE.EXE (2)
  pid 2600 IEXPLORE.EXE (2)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Identical rows are collapsed with a count; procid_target is the report's own index for the target process.
  PID 2960 (1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe) wrote to memory of 2956 (procid_target 28) x4
  PID 2960 wrote to memory of 2096 (procid_target 30) x4
  PID 2960 wrote to memory of 2776 (procid_target 32) x4
  PID 2960 wrote to memory of 2892 (procid_target 34) x4
  PID 2960 wrote to memory of 2896 (procid_target 36) x4
  PID 2960 wrote to memory of 1368 (procid_target 38) x4
  PID 2960 wrote to memory of 2528 (procid_target 39) x4
  PID 2960 wrote to memory of 2492 (procid_target 41) x4
  PID 2960 wrote to memory of 2700 (procid_target 43) x4
  PID 1368 (F2BFD3CE9C25.exe) wrote to memory of 1944 (procid_target 45) x11
  PID 2960 wrote to memory of 2644 (procid_target 46) x4
  PID 2960 wrote to memory of 1092 (procid_target 47) x4
  PID 1944 (F2BFD3CE9C25.exe) wrote to memory of 2284 (procid_target 50) x4
  PID 1944 wrote to memory of 1084 (procid_target 49) x4
  PID 1292 (cmd.exe) wrote to memory of 1244 (procid_target 58) x1
  A parent writing a few times into a child it has just created is the ordinary CreateProcess pattern; the eleven writes from 1368 into its own copy 1944, followed by the SetThreadContext call listed above, are the injection.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Indentation shows the parent/child relationship; the signatures that fired for a process are listed under its command line.

- PID 2960  C:\Users\Admin\AppData\Local\Temp\1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe"
  Loads dropped DLL; Suspicious use of WriteProcessMemory
  - PID 2956  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c echo F2BFD3CE9C25
  - PID 2096  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c echo DCFF019CDE
  - PID 2776  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25" F2BFD3CE9C25.exe
  - PID 2892  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c echo DCFF019CDE
  - PID 2896  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c echo F2BFD3CE9C25
  - PID 1368  C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe"
    Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID 1944  C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe"
      Drops startup file; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - PID 1084  C:\Windows\SysWOW64\mshta.exe
        command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"
        Checks whether UAC is enabled; Modifies Internet Explorer settings
      - PID 2284  C:\Windows\SysWOW64\wbem\WMIC.exe
        command line: "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
        Suspicious use of AdjustPrivilegeToken
  - PID 2528  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\DCFF019CDE" DCFF019CDE.doc
  - PID 2492  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c echo DCFF019CDE
  - PID 2700  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c echo F2BFD3CE9C25
  - PID 2644  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DCFF019CDE.doc"
    Modifies Internet Explorer settings; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
  - PID 1092  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c echo F2BFD3CE9C25DCFF019CDE
- PID 1848  C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- PID 1292  C:\Windows\system32\cmd.exe
  command line: cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  Process spawned unexpected child process; Suspicious use of WriteProcessMemory
  - PID 1244  C:\Windows\system32\vssadmin.exe
    command line: vssadmin.exe delete shadows /all /quiet
    Interacts with shadow copies
  - PID 2784  C:\Windows\system32\bcdedit.exe
    command line: bcdedit.exe /set {default} recoveryenabled no
    Modifies boot configuration data using bcdedit
  - PID 2796  C:\Windows\system32\bcdedit.exe
    command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    Modifies boot configuration data using bcdedit
- PID 1568  C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  Suspicious use of AdjustPrivilegeToken
- PID 3040  C:\Program Files\Internet Explorer\iexplore.exe
  command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
  - PID 2552  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2
    Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - PID 2600  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:1848323 /prefetch:2
    Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- PID 1656  C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"
- PID 1772  C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x514
  Suspicious use of AdjustPrivilegeToken

Reading the tree: the submitted sample (2960) drops two files with hex names into %TEMP%, uses cmd.exe to rename them to F2BFD3CE9C25.exe and DCFF019CDE.doc, opens the document in Word and runs the executable. That executable (1368) re-launches its own image (1944) and sets the new copy's thread context, which is the SetThreadContext signature above. The copy drops VAULT.hta into the Startup folder, opens it with mshta.exe, and uses WMIC "process call create" to run the recovery-tampering chain; because WMI performs that creation, cmd.exe 1292 and its vssadmin.exe and bcdedit.exe children appear as a separate top-level branch under wmiprvse.exe rather than beneath the ransomware.
Network
MITRE ATT&CK Enterprise v15
Downloads
Entries that the report repeats with identical size and hashes are listed once with a count; the report preserves a path only for the first entry.

- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DV38LGVA\favicon[1].ico
  Filesize: 3B
  MD5: 8a80554c91d9fca8acb82f023de02f11
  SHA1: 5f36b2ea290645ee34d943220a14b54ee5ea5be5
  SHA256: ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356
  SHA512: ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a
- (path not preserved)
  Filesize: 61KB
  MD5: f3441b8572aae8801c04f3060b550443
  SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
- (path not preserved)
  Filesize: 22KB
  MD5: 903cdb04837bfbbdcf04865d6a9636cc
  SHA1: 973b5ff90f2ba32848661e209b15f5344a081428
  SHA256: 70649a3e84b9df3b2af94a7c4f8fe433a71ec8321f41ead0518b824df1522454
  SHA512: c034610eba204fbeac363ead9ce1068b78f80715962857c7402fd4c655076e17f87b150272ea81ca3f5dd22d0559f29652e2759f7ef6bd87f8833aac92ef5228
- (path not preserved; listed 6 times)
  Filesize: 152KB
  MD5: 78c0fd404013b383118911009d0384db
  SHA1: 75535aa0caef3a54ae373be8f91b521cf640e0b4
  SHA256: 002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a
  SHA512: 213edf2156aed06778f72f81bc0b26bbfcd8ca132e02f88994443277c44e9de91ed6935fb1a38a646c328b552324beafe5beaf7b3d7a830de55a822770222b95
- (path not preserved)
  Filesize: 16KB
  MD5: 06e55a8b8e00781ff9f6c26a152b5b4c
  SHA1: 8cd02426a0123f3e6a3af435a624f6235e34f144
  SHA256: 503d9c5af3fd659e7f4ed8456fa34f9c9ca85c1b8bfbd26620877aeb756177be
  SHA512: 9613cdbb2a3273c8b1c238ce285cd838532b01a736840147339d3a9fba61acb90ead7e42cd50b48d12fe3bf667d16e710cb841dcd108fd8d66f56f617427c700
- (path not preserved; listed 2 times)
  Filesize: 4KB
  MD5: bd8577184fec08569ac3b53c8fea8644
  SHA1: e80067fb4b329df6a4067ecc82f78f810a103068
  SHA256: 8c3b5663c3b4de4788d70835a71cd828df92a956cd51f0b4cd576a48cf81a820
  SHA512: 99736d92862e67f6bdb18df86b0504ba0e049260fe73aea5e8641092d096e4f668808584373fea03d8eef61e3627fa6827787a90385fd7d6147cd66e8d8c8300
- (path not preserved; listed 3 times)
  Filesize: 1KB
  MD5: 64a18ce60fa7843f9c828cffd339bad9
  SHA1: 58c50a7bc361de9df764cac7da491fd6d19a91aa
  SHA256: f8bcc2ebf43c1be01a57de0ee9783d06f1627e5d4273d6f6ebbcd0edca770e5e
  SHA512: 9d9b398c3e28e75cf66f6e34f697804d490371a840dabeeb0dc9e74cf079dce5f6d8f49abd8f258657bbd04d7f7f03aa4453a83e566372ebf4c4f3b3d2bcb4b9
- (path not preserved)
  Filesize: 1KB
  MD5: d32314d0f3bdc752286263cf0199bdee
  SHA1: 14ba33f922fe7972b8b725796de17cb326e9a4b0
  SHA256: c00154744bed4f46ac7afec536d37f2964cb40b3542a787daba4cd358aee3977
  SHA512: e1b77ede0cc01ea59d8e93a8b075ddd0a20d049b0f4ec1f28b2cf904c927d097507abc626d46ba37df7edb4387e421b542a179f49c9cbc4f76a5714c3d422c6c