Analysis

max time kernel: 97s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-09-2023 08:36

Static task: static1

Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
  Resource: win10v2004-20230915-en

General

Target: SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
Size: 1.9MB
MD5: 1b87684768db892932be3f0661c54251
SHA1: e5acdb93f6eb75656c9a8242e21b01bf978dc7cf
SHA256: 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
SHA512: 0fc3cc6ed99e45a3d1ca7cd2dd4d7bfc2f5f11ee7cf0e3d58bfbb4db26f16599cae45b96fc032cd6a050c1ea70bfd02291537088168dd149eee85b38d2527a82
SSDEEP: 24576:jx4Ul0rrIOGz9I6U7AeyGvHynlLghECQl4L529dktxtPCv1ri+J/ac//zWOYopmB:mUl0/2kHW8ECQl4wi+snopp2vQ

Malware Config

Extracted: smokeloader 2022

Signatures

Ammyy Admin
Remote admin tool with various capabilities.

AmmyyAdmin payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe | family_ammyyadmin
  C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe | family_ammyyadmin

Detect rhadamanthys stealer shellcode (6 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/3092-14-0x0000000003000000-0x0000000003400000-memory.dmp | family_rhadamanthys
  behavioral2/memory/3092-15-0x0000000003000000-0x0000000003400000-memory.dmp | family_rhadamanthys
  behavioral2/memory/3092-16-0x0000000003000000-0x0000000003400000-memory.dmp | family_rhadamanthys
  behavioral2/memory/3092-17-0x0000000003000000-0x0000000003400000-memory.dmp | family_rhadamanthys
  behavioral2/memory/3092-27-0x0000000003000000-0x0000000003400000-memory.dmp | family_rhadamanthys
  behavioral2/memory/3092-29-0x0000000003000000-0x0000000003400000-memory.dmp | family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.

Phobos
Phobos ransomware appeared at the beginning of 2019.

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description | pid | process | target process
  PID 3092 created 3132 | 3092 | SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe | Explorer.EXE

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  pid | process
  4936 | bcdedit.exe
  2132 | bcdedit.exe

Renames multiple (346) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Processes:
  pid | process
  2412 | wbadmin.exe

Downloads MZ/PE file

Modifies Windows Firewall (1 TTP, 2 IoCs)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | svchost.exe

Drops startup file (1 IoC)
Processes:
  description | ioc | process
  File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\pES[YI.exe | pES[YI.exe

Executes dropped EXE (17 IoCs)
Processes:
  pid | process
  2324 | pES[YI.exe
  3772 | X6(A({C.exe
  2812 | pES[YI.exe
  4288 | X6(A({C.exe
  3580 | X6(A({C.exe
  3380 | pES[YI.exe
  3964 | pES[YI.exe
  5076 | pES[YI.exe
  872 | EC4F.exe
  1296 | ED0C.exe
  3744 | EC4F.exe
  3676 | EC4F.exe
  2636 | F356.exe
  3516 | F356.exe
  4940 | svchost.exe
  4200 | 5760.exe
  4048 | 5760.exe

Loads dropped DLL (1 IoC)
Processes:
  pid | process
  2020 | rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 9 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pES[YI = "C:\\Users\\Admin\\AppData\\Local\\pES[YI.exe" | pES[YI.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pES[YI = "C:\\Users\\Admin\\AppData\\Local\\pES[YI.exe" | pES[YI.exe

Drops desktop.ini file(s) (4 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-1141987721-3945596982-3297311814-1000\desktop.ini | pES[YI.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1141987721-3945596982-3297311814-1000\desktop.ini | pES[YI.exe
  File opened for modification | C:\Program Files\desktop.ini | pES[YI.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | pES[YI.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | svchost.exe

Suspicious use of SetThreadContext (7 IoCs)
Processes:
  description | pid | process | target process
  PID 4892 set thread context of 3092 | 4892 | SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe | SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
  PID 2324 set thread context of 2812 | 2324 | pES[YI.exe | pES[YI.exe
  PID 3772 set thread context of 3580 | 3772 | X6(A({C.exe | X6(A({C.exe
  PID 3380 set thread context of 5076 | 3380 | pES[YI.exe | pES[YI.exe
  PID 872 set thread context of 3676 | 872 | EC4F.exe | EC4F.exe
  PID 2636 set thread context of 3516 | 2636 | F356.exe | F356.exe
  PID 4200 set thread context of 4048 | 4200 | 5760.exe | 5760.exe

Drops file in Program Files directory (64 IoCs)

Checks SCSI registry key(s) (3 TTPs, 10 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | X6(A({C.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | X6(A({C.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | F356.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | F356.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | F356.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | X6(A({C.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  804 | vssadmin.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  3132 | Explorer.EXE

Suspicious behavior: MapViewOfSection (34 IoCs)

Suspicious use of AdjustPrivilegeToken (62 IoCs)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid | process
  4940 | svchost.exe

Suspicious use of WriteProcessMemory (64 IoCs)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

outlook_office_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe

outlook_win_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
-
(Process tree: [depth n] is the nesting level reported by the sandbox; indented entries are children of the entry above them.)
[depth 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3132
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe"
    PID: 4892
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
      PID: 3092
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\certreq.exe
    Command line: "C:\Windows\system32\certreq.exe"
    PID: 804
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
  [depth 2] C:\Users\Admin\AppData\Local\Temp\EC4F.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\EC4F.exe
    PID: 872
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Users\Admin\AppData\Local\Temp\EC4F.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\EC4F.exe
      PID: 3744
      - Executes dropped EXE
    [depth 3] C:\Users\Admin\AppData\Local\Temp\EC4F.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\EC4F.exe
      PID: 3676
      - Executes dropped EXE
  [depth 2] C:\Users\Admin\AppData\Local\Temp\ED0C.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ED0C.exe
    PID: 1296
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Users\Admin\AppData\Local\Temp\ED0C.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ED0C.exe"
      PID: 2068
  [depth 2] C:\Users\Admin\AppData\Local\Temp\F356.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\F356.exe
    PID: 2636
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Users\Admin\AppData\Local\Temp\F356.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\F356.exe
      PID: 3516
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID: 3240
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
  [depth 2] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    PID: 4688
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID: 1120
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID: 2920
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID: 828
  [depth 2] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    PID: 3696
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID: 3048
  [depth 2] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    PID: 1692
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID: 804
  [depth 2] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    PID: 4572
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID: 4220
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID: 4108
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID: 3116
  [depth 2] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    PID: 3240
  [depth 2] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID: 3516
    - Suspicious behavior: MapViewOfSection
    [depth 3] C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe -debug
      PID: 4940
      - Checks computer location settings
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of FindShellTrayWindow
      [depth 4] C:\Windows\SYSTEM32\rundll32.exe
        Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\35EB.tmp\aa_nts.dll",run
        PID: 2020
        - Loads dropped DLL
  [depth 2] C:\Users\Admin\AppData\Local\Temp\5760.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5760.exe
    PID: 4200
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Users\Admin\AppData\Local\Temp\5760.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\5760.exe
      PID: 4048
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe"
  PID: 2324
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
    Command line: C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
    PID: 2812
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe"
      PID: 3380
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
        Command line: C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
        PID: 3964
        - Executes dropped EXE
      [depth 4] C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
        Command line: C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
        PID: 5076
        - Executes dropped EXE
    [depth 3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 3692
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        PID: 804
        - Interacts with shadow copies
      [depth 4] C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        PID: 4820
        - Suspicious use of AdjustPrivilegeToken
      [depth 4] C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        PID: 4936
        - Modifies boot configuration data using bcdedit
      [depth 4] C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {default} recoveryenabled no
        PID: 2132
        - Modifies boot configuration data using bcdedit
      [depth 4] C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        PID: 2412
        - Deletes backup catalog
    [depth 3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 2392
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall set currentprofile state off
        PID: 4676
        - Modifies Windows Firewall
      [depth 4] C:\Windows\system32\netsh.exe
        Command line: netsh firewall set opmode mode=disable
        PID: 1380
        - Modifies Windows Firewall
-
[depth 1] C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe"
  PID: 3772
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe
    Command line: C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe
    PID: 4288
    - Executes dropped EXE
  [depth 2] C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe
    Command line: C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe
    PID: 3580
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
-
[depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 5004
  - Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 508
  - Suspicious use of AdjustPrivilegeToken
-
[depth 1] C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 4572
-
[depth 1] C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 3664
  - Checks SCSI registry key(s)
-
[depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  PID: 1916
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Indicator Removal (3): File Deletion (3)
- Modify Registry (1)
- Pre-OS Boot (1): Bootkit (1)
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[7660D832-3483].[[email protected]].8base
Filesize: 2.7MB
MD5: 882601a28cc18c925d93e77f13491b54
SHA1: 255324fd392e1efecdeaea6444e2bbb3b51bc39e
SHA256: c916dd961cfc3d5247651e248d5e323abdac10a0f29880b1823ce4b622fe53a0
SHA512: bd242c56b54f1be1974386797ecb4de846a4200fbf946930a14d38870c0d9e6b0dc6640e14c68ae02928d43328505bbdf8abd6ea03f582240a1fcb0b61e5600c
-
Filesize: 1KB
MD5: 9f5d0107d96d176b1ffcd5c7e7a42dc9
SHA1: de83788e2f18629555c42a3e6fada12f70457141
SHA256: d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097
SHA512: 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61
-
Filesize: 927B
MD5: 4a911455784f74e368a4c2c7876d76f4
SHA1: a1700a0849ffb4f26671eb76da2489946b821c34
SHA256: 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA512: 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d
-
Filesize: 927B
MD5: 4a911455784f74e368a4c2c7876d76f4
SHA1: a1700a0849ffb4f26671eb76da2489946b821c34
SHA256: 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA512: 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d
-
Filesize: 250KB
MD5: 2931ff8f30f41984e58e2bb3d4c82000
SHA1: c71353633077fadacbe07ed6e2939262f89f9ad3
SHA256: ab0af2ff7ab695e35c31343278ef0bde960dc88554f015034eb16cad94d6a9b7
SHA512: 0a807c28c1b81c348c35c379dca1185e366993288a45c176c5619cf324acca655abf81dc42683404de2f0cdc2c8781db681964188d6037a30d64ac78f45067f0
-
Filesize: 250KB
MD5: 2931ff8f30f41984e58e2bb3d4c82000
SHA1: c71353633077fadacbe07ed6e2939262f89f9ad3
SHA256: ab0af2ff7ab695e35c31343278ef0bde960dc88554f015034eb16cad94d6a9b7
SHA512: 0a807c28c1b81c348c35c379dca1185e366993288a45c176c5619cf324acca655abf81dc42683404de2f0cdc2c8781db681964188d6037a30d64ac78f45067f0
-
Filesize: 250KB
MD5: 2931ff8f30f41984e58e2bb3d4c82000
SHA1: c71353633077fadacbe07ed6e2939262f89f9ad3
SHA256: ab0af2ff7ab695e35c31343278ef0bde960dc88554f015034eb16cad94d6a9b7
SHA512: 0a807c28c1b81c348c35c379dca1185e366993288a45c176c5619cf324acca655abf81dc42683404de2f0cdc2c8781db681964188d6037a30d64ac78f45067f0
-
Filesize: 250KB
MD5: 2931ff8f30f41984e58e2bb3d4c82000
SHA1: c71353633077fadacbe07ed6e2939262f89f9ad3
SHA256: ab0af2ff7ab695e35c31343278ef0bde960dc88554f015034eb16cad94d6a9b7
SHA512: 0a807c28c1b81c348c35c379dca1185e366993288a45c176c5619cf324acca655abf81dc42683404de2f0cdc2c8781db681964188d6037a30d64ac78f45067f0
-
Filesize: 261KB
MD5: 614d1cd9e8513df074caa93ac0aeeb2e
SHA1: 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256: 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512: 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289
-
Filesize: 261KB
MD5: 614d1cd9e8513df074caa93ac0aeeb2e
SHA1: 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256: 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512: 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289
-
Filesize: 261KB
MD5: 614d1cd9e8513df074caa93ac0aeeb2e
SHA1: 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256: 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512: 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289
-
Filesize: 261KB
MD5: 614d1cd9e8513df074caa93ac0aeeb2e
SHA1: 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256: 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512: 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289
-
Filesize: 261KB
MD5: 614d1cd9e8513df074caa93ac0aeeb2e
SHA1: 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256: 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512: 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289
-
Filesize: 261KB
MD5: 614d1cd9e8513df074caa93ac0aeeb2e
SHA1: 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256: 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512: 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289
-
Filesize: 902KB
MD5: 480a66902e6e7cdafaa6711e8697ff8c
SHA1: 6ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA256: 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA512: 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5
-
Filesize: 902KB
MD5: 480a66902e6e7cdafaa6711e8697ff8c
SHA1: 6ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA256: 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA512: 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5
-
Filesize: 46B
MD5: 3f05819f995b4dafa1b5d55ce8d1f411
SHA1: 404449b79a16bfc4f64f2fd55cd73d5d27a85d71
SHA256: 7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0
SHA512: 34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026
-
Filesize: 798KB
MD5: 90aadf2247149996ae443e2c82af3730
SHA1: 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256: ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512: eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize: 798KB
MD5: 90aadf2247149996ae443e2c82af3730
SHA1: 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256: ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512: eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize: 1008KB
MD5: b198acab3a32e992031632f2b99bf083
SHA1: 3750f70adfd21117a123cc498002050bbe9ec37c
SHA256: 97cab0037b5553b6703dcee9f9230ec7807c32348dc258ecc7dbadefb2a1e9e2
SHA512: 30752cbbac2eb6448a53941e5f1717302a589c579815b9e1cf75f2f09189b828fb63c21b8d89c223ee10b479ec3c85899bc0237e5f5e3ce8ec77f48e8c683721
-
Filesize: 1008KB
MD5: b198acab3a32e992031632f2b99bf083
SHA1: 3750f70adfd21117a123cc498002050bbe9ec37c
SHA256: 97cab0037b5553b6703dcee9f9230ec7807c32348dc258ecc7dbadefb2a1e9e2
SHA512: 30752cbbac2eb6448a53941e5f1717302a589c579815b9e1cf75f2f09189b828fb63c21b8d89c223ee10b479ec3c85899bc0237e5f5e3ce8ec77f48e8c683721
-
Filesize: 1008KB
MD5: b198acab3a32e992031632f2b99bf083
SHA1: 3750f70adfd21117a123cc498002050bbe9ec37c
SHA256: 97cab0037b5553b6703dcee9f9230ec7807c32348dc258ecc7dbadefb2a1e9e2
SHA512: 30752cbbac2eb6448a53941e5f1717302a589c579815b9e1cf75f2f09189b828fb63c21b8d89c223ee10b479ec3c85899bc0237e5f5e3ce8ec77f48e8c683721
-
Filesize: 261KB
MD5: 614d1cd9e8513df074caa93ac0aeeb2e
SHA1: 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256: 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512: 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289
-
Filesize: 261KB
MD5: 614d1cd9e8513df074caa93ac0aeeb2e
SHA1: 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256: 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512: 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289
-
Filesize: 261KB
MD5: 614d1cd9e8513df074caa93ac0aeeb2e
SHA1: 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256: 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512: 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289
-
Filesize: 261KB
MD5: 614d1cd9e8513df074caa93ac0aeeb2e
SHA1: 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256: 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512: 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289
-
Filesize: 261KB
MD5: 614d1cd9e8513df074caa93ac0aeeb2e
SHA1: 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256: 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512: 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289
-
Filesize: 468KB
MD5: 20bb118569b859e64feaaf30227e04b8
SHA1: 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256: c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512: 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c
-
Filesize: 468KB
MD5: 20bb118569b859e64feaaf30227e04b8
SHA1: 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256: c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512: 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c
-
Filesize: 413KB
MD5: a539a3b01f640912b3e70b0624d6e779
SHA1: d21349894faf0b19e292d2fe779fd25a05d347c2
SHA256: fe89c1419eb7fc7222dc3f2e6554dd4418d02d264d41853d82deb4f37173bfec
SHA512: 2b6950363159d4a5748c6cd06f027512c8fcd9492a3dee78220747fc7562d54249d7a99d5f6c22e9e9fbb269fb25f8c74606252d3646d2bf13a885db8f041a26
-
Filesize: 413KB
MD5: a539a3b01f640912b3e70b0624d6e779
SHA1: d21349894faf0b19e292d2fe779fd25a05d347c2
SHA256: fe89c1419eb7fc7222dc3f2e6554dd4418d02d264d41853d82deb4f37173bfec
SHA512: 2b6950363159d4a5748c6cd06f027512c8fcd9492a3dee78220747fc7562d54249d7a99d5f6c22e9e9fbb269fb25f8c74606252d3646d2bf13a885db8f041a26
-
Filesize: 413KB
MD5: a539a3b01f640912b3e70b0624d6e779
SHA1: d21349894faf0b19e292d2fe779fd25a05d347c2
SHA256: fe89c1419eb7fc7222dc3f2e6554dd4418d02d264d41853d82deb4f37173bfec
SHA512: 2b6950363159d4a5748c6cd06f027512c8fcd9492a3dee78220747fc7562d54249d7a99d5f6c22e9e9fbb269fb25f8c74606252d3646d2bf13a885db8f041a26
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\cookies.sqlite.id[7660D832-3483].[[email protected]].8base
Filesize: 96KB
MD5: a6cbd4f2473ea413fcb5d112d4e4df82
SHA1: 848bfd0ff65898a8d4e8504078063bf75af45aa4
SHA256: 5f8b54efde3931807a21850f5490a21d581a18a212d69018d3aab2e8d3671c3a
SHA512: 4eeecfc743f2422fcd95e4923d21a9f3f0ae4809929971fba5b7700ad67f944d65070a09753a31fe0f3202c1f28600e485de1d3bc9903ecbc1c73a45764a3863
-
Filesize: 413KB
MD5: a539a3b01f640912b3e70b0624d6e779
SHA1: d21349894faf0b19e292d2fe779fd25a05d347c2
SHA256: fe89c1419eb7fc7222dc3f2e6554dd4418d02d264d41853d82deb4f37173bfec
SHA512: 2b6950363159d4a5748c6cd06f027512c8fcd9492a3dee78220747fc7562d54249d7a99d5f6c22e9e9fbb269fb25f8c74606252d3646d2bf13a885db8f041a26