Analysis Overview
SHA256
77b2731ff3c7a14b8b962ea387c41293415b3478e73973888851991105777560
Threat Level: Known bad
The file f83fb9ce6a83da58b20685c1d7e1e546.zip was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Reads user/profile data of web browsers
Drops startup file
Sets desktop wallpaper using registry
Unsigned PE
Enumerates physical storage devices
Uses Volume Shadow Copy service COM API
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-09-25 08:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-25 08:16
Reported
2023-09-25 10:24
Platform
win7-20230831-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Maze
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rprk85vp7.dat | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\4Ax2_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\4Ax2_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\.4Ax2 | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\.4Ax2\ = "4Ax2_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\4Ax2_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\4Ax2_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\4Ax2_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\4Ax2_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"
C:\Windows\system32\wbem\wmic.exe
"C:\jcjwk\j\..\..\Windows\l\..\system32\nwjci\vcls\..\..\wbem\o\..\wmic.exe" shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\x\df\p\..\..\..\Windows\qbvqm\alw\..\..\system32\ybg\..\wbem\grd\..\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\GroupRevoke.wma.4Ax2
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\GroupRevoke.wma.4Ax2"
Network
| Country | Destination | Domain | Proto |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| RU | 92.63.194.20:80 | 92.63.194.20 | tcp |
| RU | 92.63.194.20:80 | 92.63.194.20 | tcp |
| SI | 92.63.17.245:80 | 92.63.17.245 | tcp |
| PL | 92.63.32.55:80 | tcp | |
| PL | 92.63.32.55:80 | tcp | |
| PL | 92.63.32.55:80 | tcp | |
| TR | 92.63.11.151:80 | tcp | |
| RU | 92.63.194.20:80 | 92.63.194.20 | tcp |
| SI | 92.63.17.245:80 | 92.63.17.245 | tcp |
| PL | 92.63.32.55:80 | tcp |
Files
memory/1916-0-0x0000000000180000-0x00000000001D9000-memory.dmp
memory/1916-1-0x0000000000540000-0x000000000059B000-memory.dmp
memory/1916-6-0x0000000000540000-0x000000000059B000-memory.dmp
memory/1916-10-0x0000000000540000-0x000000000059B000-memory.dmp
memory/1916-14-0x0000000000540000-0x000000000059B000-memory.dmp
C:\Users\DECRYPT-FILES.html
| MD5 | 5c0f52f4f89609b9f8a41cbd4ac84b64 |
| SHA1 | d6bf7f59f8ea4aa312e6f260930a55b9710b3767 |
| SHA256 | 7d717c0034d41a2411919beef0dec4b3c0bff2879e79b7d4d25f4053a6e7a22e |
| SHA512 | 6c3063c4bedfbfaea05538d142235fdfb6c239ecd1f7e8edc7a27b73a859ecdc4d1bc7091974196dbdffe3f8f22556635b642f1b45ae40372c5c77d248342523 |
memory/1916-1780-0x0000000000540000-0x000000000059B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_ED66E6A8328745CF89A50A716B5CA0B8.dat
| MD5 | e3f3f89380c9ee6aee108491e9b98715 |
| SHA1 | 56760b5ad12929d05381044ad1913d9bcd2322f9 |
| SHA256 | d60e0bbc5098fafc765f35affc549addc029c87a7402ab29a28f9a39a46fd992 |
| SHA512 | bc045e29760ece914d02d85f84affca262a9bce866c84acd8c42f124d45e325fd82337f002ac6faad390388fdc80541f20dee028dd0876a768072718896da077 |
C:\Users\Admin\Desktop\GroupRevoke.wma.4Ax2
| MD5 | 5e3323fcbdaaed6cde4f9c8595b709b0 |
| SHA1 | 85de5ace9b5656896caa48739a29d99bae2f3d31 |
| SHA256 | 2999075bc0f46094cf80bef5d78722a582604674a52c6d11abfdc5d8d24f33fe |
| SHA512 | 36f4fc530cba38ad77be4a33b1f5b5c591b53de14f193639220e5ece671f973af4149446ea6062e66f1f0c73004aadc5a9be6c144cfce87912b355825a87ef89 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | edd75ab59496847a2d0c8e73982f7a1c |
| SHA1 | 51cc13fc90e9e09b5f7e5b496aefc9a220354022 |
| SHA256 | bebeb0e653ee953d98bdb0e9b5cc6a6ff0b6d90917f717cf86a2d74ead849394 |
| SHA512 | 46040d0d34591cadea5fe2742a0051f5250bba3730d37a2fac34381fe466f68cb08f786796cb2f5172ac640db441a0b754aea12cb07715350f1e66669571dfd8 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-25 08:16
Reported
2023-09-25 10:24
Platform
win10v2004-20230915-en
Max time kernel
141s
Max time network
151s
Command Line
Signatures
Maze
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tdn6imu0w.dat | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\tdn6imu0w.dat | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4632 wrote to memory of 4916 | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 4632 wrote to memory of 4916 | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 4632 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 4632 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe | C:\Windows\system32\wbem\wmic.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"
C:\Windows\system32\wbem\wmic.exe
"C:\p\uiuxv\klmfu\..\..\..\Windows\ua\..\system32\i\ucukl\..\..\wbem\ky\uor\d\..\..\..\wmic.exe" shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\t\morjo\..\..\Windows\ruflo\xkoc\..\..\system32\r\..\wbem\fgl\jw\oyx\..\..\..\wmic.exe" shadowcopy delete
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x308
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| TR | 92.63.8.47:80 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| TR | 92.63.8.47:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| TR | 92.63.8.47:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.32.2:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| RU | 92.63.194.20:80 | 92.63.194.20 | tcp |
| RU | 92.63.194.20:80 | 92.63.194.20 | tcp |
| SI | 92.63.17.245:80 | 92.63.17.245 | tcp |
| US | 8.8.8.8:53 | 20.194.63.92.in-addr.arpa | udp |
| PL | 92.63.32.55:80 | tcp | |
| US | 8.8.8.8:53 | 245.17.63.92.in-addr.arpa | udp |
| PL | 92.63.32.55:80 | tcp | |
| TR | 92.63.11.151:80 | tcp | |
| PL | 92.63.37.100:80 | tcp | |
| TR | 92.63.11.151:80 | tcp | |
| RU | 92.63.194.20:80 | 92.63.194.20 | tcp |
| SI | 92.63.17.245:80 | 92.63.17.245 | tcp |
| PL | 92.63.32.55:80 | tcp | |
| PL | 92.63.32.55:80 | tcp | |
| TR | 92.63.11.151:80 | tcp | |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
Files
memory/4632-0-0x0000000002B90000-0x0000000002BE9000-memory.dmp
memory/4632-1-0x0000000002D30000-0x0000000002D8B000-memory.dmp
memory/4632-6-0x0000000002D30000-0x0000000002D8B000-memory.dmp
memory/4632-10-0x0000000002D30000-0x0000000002D8B000-memory.dmp
memory/4632-11-0x0000000002D30000-0x0000000002D8B000-memory.dmp
memory/4632-15-0x0000000002D30000-0x0000000002D8B000-memory.dmp
C:\odt\DECRYPT-FILES.html
| MD5 | 112e6e70d90a92e067b81fff517ad5b6 |
| SHA1 | e142476f4d07bdfffaa6a42d89a3d3bb0f61f1c6 |
| SHA256 | c5168fe3ce0582e934f9395e425e272e140d188b0df7a4da97500b8a9b57370a |
| SHA512 | 1bbcce91759e1ac7dcb2d80c718e8557911e8afc8ba694fd523df6c45a7ceae599a3dfe710edbbe41028781bfcfbcd1881c447396466d170e99d9c6031b04690 |
memory/4632-5327-0x0000000002D30000-0x0000000002D8B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_8E7D15DCE096497CAA7E089555ED9DAA.dat
| MD5 | c6e08dc6a6b73b710daae3e80c18e847 |
| SHA1 | 33f598376bbbabbd8827763bf71424d692655241 |
| SHA256 | 8911185b28c1f6b1e28a6d6e396e1d0880c07f7dda48ce745f925720351c8194 |
| SHA512 | 98b15c2d06feec5f54765372015ef0b24d544927d6f695788251136325c8a871d045094cd8877d319f9236916bfe759433134d479f88ec574d3f65660a21f6c8 |