Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
18-09-2023 10:15
Static task
static1
Behavioral task
behavioral1
Sample
b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
Resource
win10v2004-20230915-en
General
-
Target
b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
-
Size
169KB
-
MD5
98562209465bec53327e65649a2b8829
-
SHA1
3a47656ed3df213bd934aa01078a863568fe9f2b
-
SHA256
b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe
-
SHA512
c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3
-
SSDEEP
3072:iFgiMd04bHHr/QFDtaruNyXgs7WL61fXbEiVkYELY2P+gA/PF:UE3bHL/ngsu61kYELNmhF
Malware Config
Extracted
C:\Users\Admin\Favorites\!!Read_Me.3C430.html
Extracted
C:\Users\Admin\Desktop\!!Read_Me.3C430.html
http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 548 bcdedit.exe 3776 bcdedit.exe -
Renames multiple (172) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops file in Program Files directory 1 IoCs
Processes:
b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exedescription ioc process File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Configuration\configuration.sqlite b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 4632 vssadmin.exe -
Kills process with taskkill 13 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 3080 taskkill.exe 2272 taskkill.exe 1208 taskkill.exe 4940 taskkill.exe 3892 taskkill.exe 3972 taskkill.exe 3108 taskkill.exe 4776 taskkill.exe 5024 taskkill.exe 4416 taskkill.exe 3364 taskkill.exe 5052 taskkill.exe 3888 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exemsedge.exemsedge.exeidentity_helper.exepid process 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe 392 msedge.exe 392 msedge.exe 880 msedge.exe 880 msedge.exe 1540 identity_helper.exe 1540 identity_helper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
msedge.exepid process 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe -
Suspicious use of AdjustPrivilegeToken 58 IoCs
Processes:
WMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exedescription pid process Token: SeIncreaseQuotaPrivilege 2492 WMIC.exe Token: SeSecurityPrivilege 2492 WMIC.exe Token: SeTakeOwnershipPrivilege 2492 WMIC.exe Token: SeLoadDriverPrivilege 2492 WMIC.exe Token: SeSystemProfilePrivilege 2492 WMIC.exe Token: SeSystemtimePrivilege 2492 WMIC.exe Token: SeProfSingleProcessPrivilege 2492 WMIC.exe Token: SeIncBasePriorityPrivilege 2492 WMIC.exe Token: SeCreatePagefilePrivilege 2492 WMIC.exe Token: SeBackupPrivilege 2492 WMIC.exe Token: SeRestorePrivilege 2492 WMIC.exe Token: SeShutdownPrivilege 2492 WMIC.exe Token: SeDebugPrivilege 2492 WMIC.exe Token: SeSystemEnvironmentPrivilege 2492 WMIC.exe Token: SeRemoteShutdownPrivilege 2492 WMIC.exe Token: SeUndockPrivilege 2492 WMIC.exe Token: SeManageVolumePrivilege 2492 WMIC.exe Token: 33 2492 WMIC.exe Token: 34 2492 WMIC.exe Token: 35 2492 WMIC.exe Token: 36 2492 WMIC.exe Token: SeBackupPrivilege 4372 vssvc.exe Token: SeRestorePrivilege 4372 vssvc.exe Token: SeAuditPrivilege 4372 vssvc.exe Token: SeIncreaseQuotaPrivilege 2492 WMIC.exe Token: SeSecurityPrivilege 2492 WMIC.exe Token: SeTakeOwnershipPrivilege 2492 WMIC.exe Token: SeLoadDriverPrivilege 2492 WMIC.exe Token: SeSystemProfilePrivilege 2492 WMIC.exe Token: SeSystemtimePrivilege 2492 WMIC.exe Token: SeProfSingleProcessPrivilege 2492 WMIC.exe Token: SeIncBasePriorityPrivilege 2492 WMIC.exe Token: SeCreatePagefilePrivilege 2492 WMIC.exe Token: SeBackupPrivilege 2492 WMIC.exe Token: SeRestorePrivilege 2492 WMIC.exe Token: SeShutdownPrivilege 2492 WMIC.exe Token: SeDebugPrivilege 2492 WMIC.exe Token: SeSystemEnvironmentPrivilege 2492 WMIC.exe Token: SeRemoteShutdownPrivilege 2492 WMIC.exe Token: SeUndockPrivilege 2492 WMIC.exe Token: SeManageVolumePrivilege 2492 WMIC.exe Token: 33 2492 WMIC.exe Token: 34 2492 WMIC.exe Token: 35 2492 WMIC.exe Token: 36 2492 WMIC.exe Token: SeDebugPrivilege 3364 taskkill.exe Token: SeDebugPrivilege 3972 taskkill.exe Token: SeDebugPrivilege 3892 taskkill.exe Token: SeDebugPrivilege 5024 taskkill.exe Token: SeDebugPrivilege 1208 taskkill.exe Token: SeDebugPrivilege 4416 taskkill.exe Token: SeDebugPrivilege 4940 taskkill.exe Token: SeDebugPrivilege 4776 taskkill.exe Token: SeDebugPrivilege 3888 taskkill.exe Token: SeDebugPrivilege 3108 taskkill.exe Token: SeDebugPrivilege 5052 taskkill.exe Token: SeDebugPrivilege 2272 taskkill.exe Token: SeDebugPrivilege 3080 taskkill.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
Processes:
msedge.exepid process 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe 880 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 3912 wrote to memory of 3144 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 3144 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 3320 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 3320 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4092 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4092 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 2192 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 2192 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4924 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4924 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3320 wrote to memory of 2492 3320 cmd.exe WMIC.exe PID 3320 wrote to memory of 2492 3320 cmd.exe WMIC.exe PID 3144 wrote to memory of 4632 3144 cmd.exe vssadmin.exe PID 3144 wrote to memory of 4632 3144 cmd.exe vssadmin.exe PID 4092 wrote to memory of 548 4092 cmd.exe bcdedit.exe PID 4092 wrote to memory of 548 4092 cmd.exe bcdedit.exe PID 2192 wrote to memory of 3776 2192 cmd.exe bcdedit.exe PID 2192 wrote to memory of 3776 2192 cmd.exe bcdedit.exe PID 4924 wrote to memory of 3016 4924 cmd.exe netsh.exe PID 4924 wrote to memory of 3016 4924 cmd.exe netsh.exe PID 3912 wrote to memory of 768 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 768 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 768 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4596 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4596 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4596 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4220 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4220 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4220 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4460 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4460 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4460 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 2572 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 2572 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 2572 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4188 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4188 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4188 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4160 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4160 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4160 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4576 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4576 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4576 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 5096 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 5096 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 5096 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 448 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 448 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 448 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4944 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4944 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4944 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4728 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4728 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4728 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4144 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4144 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 3912 wrote to memory of 4144 3912 b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe cmd.exe PID 5096 wrote to memory of 5024 5096 cmd.exe taskkill.exe PID 5096 wrote to memory of 5024 5096 cmd.exe taskkill.exe PID 5096 wrote to memory of 5024 5096 cmd.exe taskkill.exe PID 4596 wrote to memory of 3364 4596 cmd.exe taskkill.exe PID 4596 wrote to memory of 3364 4596 cmd.exe taskkill.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe"C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c vssadmin delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c wmic shadowcopy delete /nointeractive2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c bcdedit /set {current} recoveryenabled no2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c netsh advfirewall set allprofiles state off2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im note*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im note*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im tomcat*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tomcat*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mys*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mys*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im post*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im post*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im vee*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im vee*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im python*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im python*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im java*2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im java*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im apache*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im apache*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im sql*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sql*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im Exchange*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Exchange*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im excel*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im excel*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im winword*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winword*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im powerpnt*2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im powerpnt*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1>nul & del /q C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe2⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\!!Read_Me.3C430.html1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8640446f8,0x7ff864044708,0x7ff8640447182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5db9dbef3f8b1f616429f605c1ebca2f0
SHA1ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA2563e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA5124eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0e770f78-67cf-4612-bd82-24105ff37c59.tmpFilesize
24KB
MD56dcb90ba1ba8e06c1d4f27ec78f6911a
SHA171e7834c7952aeb9f1aa6eb88e1959a1ae4985d9
SHA25630d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416
SHA512dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5939780e3cdde761b8207301d327786f0
SHA14055c96aeab4a42c7eaf4e52684fc4e9a659913e
SHA2566c95916f3d6ef260129a782c177e2ef007584ae3f45762686599634b970e4d4c
SHA512f706b4571a20e30b9bcb952cf508ee73ab59d1a70dd9e1ecc110fd7863061407817212abc4524c717a14b8b61f6ecbce84ceb657ba99a176e23a9b6f49e60576
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD54caf81896022e43841f496b29af7c766
SHA11d8ba1f6bd08f7aa92a5785a5cb3b3590789f261
SHA2561b6f67630a28c2d90d6829db6b6734f0659043a02f6869e4e7b1a7acacec51cc
SHA512456312f659738999d48797ec71a5a88c4af2536d370b3433e646f53becc6c1373fc502019c9fa274ad94e37065c4543f5731267d5bf5d4fa0edf30f796e469d4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5aa3d9e4480b4284370d385e6a60de9f4
SHA1ec4e8b0c144a1aabe9bc60e15d2357e7985ff257
SHA256478f0744cda0bd9721c84ffb4aa80a71fd5e3c8e24c39792fcaef94ce61f85a8
SHA512ad3fa0ad03df52cef75f0aed8fd9bf3e8b9d5fef94c63458ae70a29db6cbc2e955a22e8b830b4bdd5cdac9ddae0c9d532fafb5e69a1fd1162abf61867e153efc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5c5f8a101262aae211c6825531b5c27fa
SHA167fee464915e3260d9c7962c92e82e07d53b56cd
SHA2568d03f6fcbca169a0ee6ad2ce5166d2e3243d6936b9ebaa580b3c6071008f66a9
SHA51251acb12beac6d59cb68a8b1848d563f8ebddc6562bd5560e25a0176a0c3ed2b7de6a196f848595684b0a1aa1a9f4515429387e869079d0b1788410059864819a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD56e2276a23cf05bc731b064bc529ff907
SHA19d17dbb21adbe51515767757de1686c755340b4a
SHA256b198bce8739a23af69ded3a17a21f89dbcb6925f9cbdb3fe008cca012438797c
SHA5129c305de2573dbea60b0538f7ff01dee0bcca122ad8b6ce95874f282df60e42d2073096e322c0836d5ebb5a2a6d938d0c67d378c2f2bca6e0a0926f254178b6b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD53572e75ad30846b79c00688dbf93e4a6
SHA18b149edd993ac7f01c201f6aabca36467aab2afe
SHA25645ef3ed9932ed22cbcdb5331beef0d7afcc884ddb7b682bc683bd7e3e4c54f6a
SHA512bcf9747ef0920e7f5f84d9e71fabd96cbd19da8ab14358df3340de8e5bcb1e1ab624a73a2b8908bb9c5d09bb55df61f873fb7c4582731f815b295dac8ac4ade5
-
C:\Users\Admin\Desktop\!!Read_Me.3C430.htmlFilesize
4KB
MD5ac57a3e6cfc5509927e6a1835d0d6491
SHA19c5b5a7db69031d96a49bb67868223caa9e146f8
SHA2563896acc659853879c41ba9a261cf3e84bee41391f9df8e9e5b48cd0b32e2bc6c
SHA5121c4e92c7215836e31b01ee3d77eef8a86adf265346e4953fc93a6d24b532f42aa8cb81ef762642a9f220884cb0a50059bbb7b2240b244352e1687d145839cf81
-
C:\Users\Admin\Favorites\!!Read_Me.3C430.htmlFilesize
4KB
MD5ac57a3e6cfc5509927e6a1835d0d6491
SHA19c5b5a7db69031d96a49bb67868223caa9e146f8
SHA2563896acc659853879c41ba9a261cf3e84bee41391f9df8e9e5b48cd0b32e2bc6c
SHA5121c4e92c7215836e31b01ee3d77eef8a86adf265346e4953fc93a6d24b532f42aa8cb81ef762642a9f220884cb0a50059bbb7b2240b244352e1687d145839cf81
-
\??\pipe\LOCAL\crashpad_880_FGGOKKLJAXBVXDGKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3912-0-0x0000000010000000-0x000000001001C000-memory.dmpFilesize
112KB