Analysis Overview
SHA256
1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6
Threat Level: Known bad
The file 1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
CrypVault
Modifies boot configuration data using bcdedit
Deletes shadow copies
UPX packed file
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Suspicious behavior: AddClipboardFormatListener
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-11 14:40
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-11 14:40
Reported
2023-09-11 14:42
Platform
win7-20230831-en
Max time kernel
150s
Max time network
134s
Command Line
Signatures
CrypVault
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe | N/A |
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(14 matches recorded; the sandbox lists no description, indicator, process or target for any of them)
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1368 set thread context of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe | C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3E7C6FC1-50B1-11EE-B1CA-5EF5C936A496} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000b060a85f2fe855e1cfd601dacf5226bb8c3b2deea80a16e6f6084b3c1f6498f7000000000e800000000200002000000095202e701a7986b7a6bc94815c7f937e2ad8f2eac8d889829f2b1fe44f77876020000000e7aa8d0745d1277fd284b22d61e73268c72cc41483923fe18ebd11b8a06e447a40000000ff62fbbb4dad8009c360d43fc15f0f7547b2a6ffb11564f6ad8edda627d8ffae95c33cac5e94eeb1ec31eb610bda595d697a12f08333ae1ef3836ad5e9cafad9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40388614bee4d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved by the sandbox) | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege; LUID not resolved by the sandbox) | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not resolved by the sandbox) | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved by the sandbox) | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege; LUID not resolved by the sandbox) | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not resolved by the sandbox) | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved by the sandbox) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved by the sandbox) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe
"C:\Users\Admin\AppData\Local\Temp\1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo F2BFD3CE9C25
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo DCFF019CDE
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25" F2BFD3CE9C25.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo DCFF019CDE
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo F2BFD3CE9C25
C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe
"C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\DCFF019CDE" DCFF019CDE.doc
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo DCFF019CDE
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo F2BFD3CE9C25
C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe
"C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe"
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DCFF019CDE.doc"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo F2BFD3CE9C25DCFF019CDE
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"
C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:1848323 /prefetch:2
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514
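The process list above shows the whole chain in one place: the dropper stages its payloads as extensionless files in %TEMP% and renames them with cmd.exe (F2BFD3CE9C25 to .exe, DCFF019CDE to a decoy .doc opened in WINWORD), the second stage re-executes itself (PID 1368 sets the thread context of 1944), launches the VAULT.hta ransom note through mshta.exe, and then runs "WMIC process call create" so that the cmd.exe which deletes shadow copies and disables Windows recovery is a child of WmiPrvSE.exe, not of the malware. That indirection is exactly why the "Process spawned unexpected child process" signature fired on wmiprvse.exe spawning cmd.exe. The following Python is an added detection example, not part of this report or of the sandbox's signature engine. It runs a small rule set over process-creation records shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine). The sample records are constructed: the command lines are the ones printed above, while all PIDs and parent links are assumed except 1368 -> 1944 (from the SetThreadContext signature) and the wmiprvse.exe -> cmd.exe link (from the unexpected-child signature); the wmiprvse.exe record itself is not in the report's process list and is added to supply that parent.

```python
"""Added detection example for the staging and recovery-inhibition chain in
this report. Not part of the sandbox report or its signature engine."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process (Sysmon EID 1: Image)
    cmdline: str  # as logged (Sysmon EID 1: CommandLine)


def base(path):
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = ntpath.join(TEMP, "1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe")
STAGE2 = ntpath.join(TEMP, "F2BFD3CE9C25.exe")
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
CMD_Q = '"C:\\Windows\\System32\\cmd.exe"'
INHIBIT = ("cmd.exe /c vssadmin.exe delete shadows /all /quiet & "
           "bcdedit.exe /set {default} recoveryenabled no & "
           "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures")

# Constructed records: command lines are the report's; PIDs and parent links
# are assumed except 1368 -> 1944 (SetThreadContext signature) and the
# wmiprvse.exe -> cmd.exe link (unexpected child process signature).
SAMPLE_EVENTS = [
    ProcEvent(2960, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2101, 2960, CMD32, CMD_Q + f' /c ren "{ntpath.join(TEMP, "F2BFD3CE9C25")}" F2BFD3CE9C25.exe'),
    ProcEvent(2102, 2960, CMD32, CMD_Q + f' /c ren "{ntpath.join(TEMP, "DCFF019CDE")}" DCFF019CDE.doc'),
    ProcEvent(1368, 2960, STAGE2, f'"{STAGE2}"'),
    ProcEvent(1944, 1368, STAGE2, f'"{STAGE2}"'),
    ProcEvent(2300, 1944, r"C:\Windows\SysWOW64\mshta.exe",
              '"C:\\Windows\\SysWOW64\\mshta.exe" "C:\\Users\\Admin\\Desktop\\VAULT.hta"'),
    ProcEvent(2400, 1944, r"C:\Windows\SysWOW64\wbem\WMIC.exe",
              f'"C:\\Windows\\System32\\wbem\\WMIC.exe" process call create "{INHIBIT}"'),
    ProcEvent(800, 4, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe"),  # WMI host, assumed
    ProcEvent(2500, 800, r"C:\Windows\system32\cmd.exe", INHIBIT),
    ProcEvent(2501, 2500, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(2502, 2500, r"C:\Windows\system32\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    ProcEvent(2503, 2500, r"C:\Windows\system32\bcdedit.exe", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
]

# Each rule sees the event and its parent event (None when the parent is not in the log).
RULES = {
    "shadow_copy_deletion": lambda e, p: base(e.image) == "vssadmin.exe"
        and bool(re.search(r"delete\s+shadows", e.cmdline, re.I)),
    "boot_recovery_tamper": lambda e, p: base(e.image) == "bcdedit.exe"
        and bool(re.search(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", e.cmdline, re.I)),
    "wmic_process_create": lambda e, p: base(e.image) == "wmic.exe"
        and bool(re.search(r"process\s+call\s+create", e.cmdline, re.I)),
    # The WMI provider host runs the created process, so the shell's parent is wmiprvse.exe.
    "wmi_host_spawns_shell": lambda e, p: p is not None and base(p.image) == "wmiprvse.exe"
        and base(e.image) in {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"},
    # Extensionless file under a Temp directory renamed to .exe (the dropper's staging trick).
    "temp_rename_to_exe": lambda e, p: base(e.image) == "cmd.exe"
        and bool(re.search(r'\bren\s+"[^"]*\\temp\\[^"\\.]+"\s+\S+\.exe\b', e.cmdline, re.I)),
    "mshta_user_hta": lambda e, p: base(e.image) == "mshta.exe"
        and bool(re.search(r'\\users\\[^"]*\.hta\b', e.cmdline, re.I)),
}


def detect(events):
    """Return (rule, pid, image basename) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        hits.extend((name, e.pid, base(e.image)) for name, pred in RULES.items() if pred(e, parent))
    return hits


def ancestry(events, pid):
    """Basenames from the given process up to the oldest ancestor present in the log."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def verdict(hits):
    """Number of distinct rules tripped and a label: one bcdedit or vssadmin hit
    can be an administrator, three or more families together is ransomware-like."""
    families = {h[0] for h in hits}
    return len(families), ("ransomware-like" if len(families) >= 3 else "review")


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, pid, image in found:
        print(f"{rule:22} pid={pid:<5} {' <- '.join(ancestry(SAMPLE_EVENTS, pid))}")
    print(verdict(found))
```

On the constructed set the ancestry of the vssadmin.exe hit is vssadmin.exe <- cmd.exe <- wmiprvse.exe, with no link back to the malware, which is the point of the WMIC indirection: a detection that only looks at the malware's direct children misses the destructive commands, so the rules key on the commands themselves and on the WMI host as parent.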
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ru.wikipedia.org | udp |
| N/A | 100.76.86.52:443 | ru.wikipedia.org | tcp |
| N/A | 100.76.86.52:443 | ru.wikipedia.org | tcp |
Files
memory/2960-0-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25
| MD5 | 78c0fd404013b383118911009d0384db |
| SHA1 | 75535aa0caef3a54ae373be8f91b521cf640e0b4 |
| SHA256 | 002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a |
| SHA512 | 213edf2156aed06778f72f81bc0b26bbfcd8ca132e02f88994443277c44e9de91ed6935fb1a38a646c328b552324beafe5beaf7b3d7a830de55a822770222b95 |
\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe
| MD5 | 78c0fd404013b383118911009d0384db |
| SHA1 | 75535aa0caef3a54ae373be8f91b521cf640e0b4 |
| SHA256 | 002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a |
| SHA512 | 213edf2156aed06778f72f81bc0b26bbfcd8ca132e02f88994443277c44e9de91ed6935fb1a38a646c328b552324beafe5beaf7b3d7a830de55a822770222b95 |
\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe
| MD5 | 78c0fd404013b383118911009d0384db |
| SHA1 | 75535aa0caef3a54ae373be8f91b521cf640e0b4 |
| SHA256 | 002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a |
| SHA512 | 213edf2156aed06778f72f81bc0b26bbfcd8ca132e02f88994443277c44e9de91ed6935fb1a38a646c328b552324beafe5beaf7b3d7a830de55a822770222b95 |
C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe
| MD5 | 78c0fd404013b383118911009d0384db |
| SHA1 | 75535aa0caef3a54ae373be8f91b521cf640e0b4 |
| SHA256 | 002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a |
| SHA512 | 213edf2156aed06778f72f81bc0b26bbfcd8ca132e02f88994443277c44e9de91ed6935fb1a38a646c328b552324beafe5beaf7b3d7a830de55a822770222b95 |
C:\Users\Admin\AppData\Local\Temp\DCFF019CDE
| MD5 | 903cdb04837bfbbdcf04865d6a9636cc |
| SHA1 | 973b5ff90f2ba32848661e209b15f5344a081428 |
| SHA256 | 70649a3e84b9df3b2af94a7c4f8fe433a71ec8321f41ead0518b824df1522454 |
| SHA512 | c034610eba204fbeac363ead9ce1068b78f80715962857c7402fd4c655076e17f87b150272ea81ca3f5dd22d0559f29652e2759f7ef6bd87f8833aac92ef5228 |
memory/1944-12-0x0000000000300000-0x0000000000400000-memory.dmp
memory/1368-11-0x00000000001E0000-0x00000000001E5000-memory.dmp
memory/1944-13-0x0000000000400000-0x0000000000978000-memory.dmp
\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe
| MD5 | 78c0fd404013b383118911009d0384db |
| SHA1 | 75535aa0caef3a54ae373be8f91b521cf640e0b4 |
| SHA256 | 002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a |
| SHA512 | 213edf2156aed06778f72f81bc0b26bbfcd8ca132e02f88994443277c44e9de91ed6935fb1a38a646c328b552324beafe5beaf7b3d7a830de55a822770222b95 |
memory/1944-15-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1944-16-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1944-17-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1944-18-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1944-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe
| MD5 | 78c0fd404013b383118911009d0384db |
| SHA1 | 75535aa0caef3a54ae373be8f91b521cf640e0b4 |
| SHA256 | 002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a |
| SHA512 | 213edf2156aed06778f72f81bc0b26bbfcd8ca132e02f88994443277c44e9de91ed6935fb1a38a646c328b552324beafe5beaf7b3d7a830de55a822770222b95 |
memory/1944-21-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1944-24-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1944-25-0x0000000000400000-0x0000000000978000-memory.dmp
memory/1944-26-0x0000000000400000-0x0000000000978000-memory.dmp
memory/2960-27-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2644-29-0x000000002F5B0000-0x000000002F70D000-memory.dmp
memory/1944-28-0x0000000000400000-0x0000000000978000-memory.dmp
C:\VAULT.KEY
| MD5 | d32314d0f3bdc752286263cf0199bdee |
| SHA1 | 14ba33f922fe7972b8b725796de17cb326e9a4b0 |
| SHA256 | c00154744bed4f46ac7afec536d37f2964cb40b3542a787daba4cd358aee3977 |
| SHA512 | e1b77ede0cc01ea59d8e93a8b075ddd0a20d049b0f4ec1f28b2cf904c927d097507abc626d46ba37df7edb4387e421b542a179f49c9cbc4f76a5714c3d422c6c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta
| MD5 | bd8577184fec08569ac3b53c8fea8644 |
| SHA1 | e80067fb4b329df6a4067ecc82f78f810a103068 |
| SHA256 | 8c3b5663c3b4de4788d70835a71cd828df92a956cd51f0b4cd576a48cf81a820 |
| SHA512 | 99736d92862e67f6bdb18df86b0504ba0e049260fe73aea5e8641092d096e4f668808584373fea03d8eef61e3627fa6827787a90385fd7d6147cd66e8d8c8300 |
C:\VAULT.KEY
| MD5 | 64a18ce60fa7843f9c828cffd339bad9 |
| SHA1 | 58c50a7bc361de9df764cac7da491fd6d19a91aa |
| SHA256 | f8bcc2ebf43c1be01a57de0ee9783d06f1627e5d4273d6f6ebbcd0edca770e5e |
| SHA512 | 9d9b398c3e28e75cf66f6e34f697804d490371a840dabeeb0dc9e74cf079dce5f6d8f49abd8f258657bbd04d7f7f03aa4453a83e566372ebf4c4f3b3d2bcb4b9 |
memory/1944-95-0x0000000000400000-0x0000000000978000-memory.dmp
C:\VAULT.KEY
| MD5 | 64a18ce60fa7843f9c828cffd339bad9 |
| SHA1 | 58c50a7bc361de9df764cac7da491fd6d19a91aa |
| SHA256 | f8bcc2ebf43c1be01a57de0ee9783d06f1627e5d4273d6f6ebbcd0edca770e5e |
| SHA512 | 9d9b398c3e28e75cf66f6e34f697804d490371a840dabeeb0dc9e74cf079dce5f6d8f49abd8f258657bbd04d7f7f03aa4453a83e566372ebf4c4f3b3d2bcb4b9 |
C:\VAULT.KEY
| MD5 | 64a18ce60fa7843f9c828cffd339bad9 |
| SHA1 | 58c50a7bc361de9df764cac7da491fd6d19a91aa |
| SHA256 | f8bcc2ebf43c1be01a57de0ee9783d06f1627e5d4273d6f6ebbcd0edca770e5e |
| SHA512 | 9d9b398c3e28e75cf66f6e34f697804d490371a840dabeeb0dc9e74cf079dce5f6d8f49abd8f258657bbd04d7f7f03aa4453a83e566372ebf4c4f3b3d2bcb4b9 |
memory/2644-133-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1944-132-0x0000000000400000-0x0000000000978000-memory.dmp
memory/2644-134-0x00000000704CD000-0x00000000704D8000-memory.dmp
C:\Users\Admin\Desktop\VAULT.hta
| MD5 | bd8577184fec08569ac3b53c8fea8644 |
| SHA1 | e80067fb4b329df6a4067ecc82f78f810a103068 |
| SHA256 | 8c3b5663c3b4de4788d70835a71cd828df92a956cd51f0b4cd576a48cf81a820 |
| SHA512 | 99736d92862e67f6bdb18df86b0504ba0e049260fe73aea5e8641092d096e4f668808584373fea03d8eef61e3627fa6827787a90385fd7d6147cd66e8d8c8300 |
memory/1848-141-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1848-143-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2644-148-0x000000002F5B0000-0x000000002F70D000-memory.dmp
memory/1848-149-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2644-150-0x00000000704CD000-0x00000000704D8000-memory.dmp
memory/1848-151-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1848-152-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1848-153-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1084-154-0x0000000003640000-0x0000000003642000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabAE.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DV38LGVA\favicon[1].ico
| MD5 | 8a80554c91d9fca8acb82f023de02f11 |
| SHA1 | 5f36b2ea290645ee34d943220a14b54ee5ea5be5 |
| SHA256 | ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356 |
| SHA512 | ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a |
C:\Users\Admin\AppData\Local\Temp\~DFF4B83FB48921CE45.TMP
| MD5 | 06e55a8b8e00781ff9f6c26a152b5b4c |
| SHA1 | 8cd02426a0123f3e6a3af435a624f6235e34f144 |
| SHA256 | 503d9c5af3fd659e7f4ed8456fa34f9c9ca85c1b8bfbd26620877aeb756177be |
| SHA512 | 9613cdbb2a3273c8b1c238ce285cd838532b01a736840147339d3a9fba61acb90ead7e42cd50b48d12fe3bf667d16e710cb841dcd108fd8d66f56f617427c700 |
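Two things in the Files list above are easy to miss when reading it by eye: C:\VAULT.KEY is listed with two different digests (d32314.../c00154... first, then 64a18c.../f8bcc2...), so the key file was rewritten during the run, and VAULT.hta on the Desktop and in the Startup folder carry the same SHA256, so they are one ransom note copied to two places. The following Python is an added example, not part of this report or of the sandbox's tooling. It parses this section's own layout (a path line followed by "| ALGO | digest |" rows, plus memory/<pid>-<n>-<start>-<end>-memory.dmp names), validates digest lengths, and reports paths written with more than one content hash, paths that share content, and the largest dumped region per PID. The embedded excerpt is a subset of the entries above copied as printed (SHA1/SHA512 rows left out); the report maps PIDs to processes only for 1368 and 1944, so other PIDs are reported as numbers.

```python
"""Added example: parse this report's Files section into an IOC summary.
Not part of the report or of the sandbox's tooling."""
import re
from collections import defaultdict

# Subset of the report's Files section, digests as printed there.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe
| MD5 | 78c0fd404013b383118911009d0384db |
| SHA256 | 002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a |
memory/2960-0-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1944-13-0x0000000000400000-0x0000000000978000-memory.dmp
C:\VAULT.KEY
| MD5 | d32314d0f3bdc752286263cf0199bdee |
| SHA256 | c00154744bed4f46ac7afec536d37f2964cb40b3542a787daba4cd358aee3977 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta
| SHA256 | 8c3b5663c3b4de4788d70835a71cd828df92a956cd51f0b4cd576a48cf81a820 |
C:\VAULT.KEY
| MD5 | 64a18ce60fa7843f9c828cffd339bad9 |
| SHA256 | f8bcc2ebf43c1be01a57de0ee9783d06f1627e5d4273d6f6ebbcd0edca770e5e |
memory/1944-95-0x0000000000400000-0x0000000000978000-memory.dmp
C:\Users\Admin\Desktop\VAULT.hta
| SHA256 | 8c3b5663c3b4de4788d70835a71cd828df92a956cd51f0b4cd576a48cf81a820 |
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (files, dumps): files are {path, hashes} dicts in report order,
    dumps are parsed memory-region names with their byte size."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "index": int(m[2]),
                          "start": start, "end": end, "size": end - start})
            current = None          # a dump line ends the current file entry
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            if len(m[2]) != EXPECTED_LEN[m[1]]:
                raise ValueError(f"{m[1]} digest of wrong length for {current['path']}")
            current["hashes"][m[1]] = m[2]
            continue
        current = {"path": line, "hashes": {}}   # any other line starts a file entry
        files.append(current)
    return files, dumps


def rewritten_paths(files):
    """Paths that appear with more than one distinct SHA256: content changed between writes."""
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            by_path[f["path"]].add(f["hashes"]["SHA256"])
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}


def paths_by_sha256(files):
    """SHA256 -> sorted distinct paths; more than one path means the same content was dropped twice."""
    by_hash = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            by_hash[f["hashes"]["SHA256"]].add(f["path"])
    return {h: sorted(p) for h, p in by_hash.items()}


def largest_region_per_pid(dumps):
    """PID -> (start, end, size) of its largest dumped region; the one to carve for an unpacked image."""
    best = {}
    for d in dumps:
        if d["pid"] not in best or d["size"] > best[d["pid"]]["size"]:
            best[d["pid"]] = d
    return {pid: (hex(d["start"]), hex(d["end"]), d["size"]) for pid, d in best.items()}


def unique_sha256(files):
    return sorted({f["hashes"]["SHA256"] for f in files if "SHA256" in f["hashes"]})


if __name__ == "__main__":
    files, dumps = parse_files_section(REPORT_EXCERPT)
    print("rewritten:", rewritten_paths(files))
    print("shared content:", {h: p for h, p in paths_by_sha256(files).items() if len(p) > 1})
    print("largest region per PID:", largest_region_per_pid(dumps))
    print("unique SHA256 values:", len(unique_sha256(files)))
```

For PID 1944, the SetThreadContext target, the largest region is 0x400000-0x978000 (0x578000 bytes, about 5.5 MB) and it is dumped repeatedly through the run, so that region is where to look for the unpacked payload; the on-disk F2BFD3CE9C25.exe hash is the packed form.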