Analysis Overview
SHA256
6f842cb5e980860c23e5a499f73492e143eef4def47a3aede74f1df3b373f9da
Threat Level: Known bad
The file Sample.bin.zip was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Drops startup file
Sets desktop wallpaper using registry
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-10-13 02:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-13 02:49
Reported
2023-10-18 00:09
Platform
win7-20230831-en
Max time kernel
138s
Max time network
130s
Command Line
Signatures
Maze
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c350cbc26c7f372.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\MeasureUnprotect.ppt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\6c350cbc26c7f372.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\HideReset.snd | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\SearchBlock.odp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\6c350cbc26c7f372.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\InstallConnect.docm | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\MoveInstall.vbs | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\PushStart.wax | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\WatchStop.M2T | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\ConvertToRename.mpa | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\OpenGrant.mp3 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c350cbc26c7f372.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c350cbc26c7f372.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\InstallImport.mp4 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c350cbc26c7f372.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\SubmitCopy.htm | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\ApproveRepair.odt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\CompressDismount.wmv | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\DismountPop.xlsx | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\UnblockSplit.xlsb | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Sample.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Sample.dll
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\pyq\dngl\..\..\Windows\hdp\jtpa\j\..\..\..\system32\t\cauy\xkihe\..\..\..\wbem\gdjt\ci\..\..\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
Files
memory/1180-0-0x00000000001F0000-0x000000000024D000-memory.dmp
memory/1180-1-0x00000000002A0000-0x00000000002FD000-memory.dmp
memory/1180-6-0x00000000002A0000-0x00000000002FD000-memory.dmp
memory/1180-10-0x00000000002A0000-0x00000000002FD000-memory.dmp
memory/1180-13-0x00000000002A0000-0x00000000002FD000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-607259312-1573743425-2763420908-1000\DECRYPT-FILES.txt
| MD5 | e2bc33fe26a2b874a4b3b3688217603d |
| SHA1 | 6e819ced935e03b02b88982eb26dbd0b8d95ad2d |
| SHA256 | 5b4b46d1c4508678f9d812eec546a7c29e390f35a441960ecf2d4fe29e5c6add |
| SHA512 | 804e73db963bb387a1b1c16542dc3f9ca0c26e5c2fa4b20f2913a77b0a08b5e6f0cf12ab1cc1f145016f16a598f012dfaa855eda8a9651c4fb87aecfebcd6802 |
memory/1180-826-0x00000000002A0000-0x00000000002FD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_F76562E7701D4B529CF3584D89B9BC9C.dat
| MD5 | 26cb4e20db267a23a4cb7da97ec7873e |
| SHA1 | befd341a8a95271c71eb267f59bd875fabcd96dd |
| SHA256 | d4e92ab73dbb91459422a854c093c3d6aa200b020779d671edd5fce9e7d9cb27 |
| SHA512 | 503ee5a5f96771d53e9ba627dbce73a89da3ab3bba37c7b691c293d61aac8bb20aa000357f5d504151470d1f87fa04e28f613db387d40d5bd2e8bba5b66555a9 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-13 02:49
Reported
2023-10-18 00:08
Platform
win10v2004-20230915-en
Max time kernel
152s
Max time network
161s
Command Line
Signatures
Maze
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6cfd0cc65ce16197.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6cfd0cc65ce16197.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\JoinAssert.bmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\RestoreOut.avi | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\WatchSend.pub | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\6cfd0cc65ce16197.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\SearchWait.xps | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\SwitchStep.otf | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\BlockMount.potx | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\ExportEdit.tiff | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\RegisterNew.aifc | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\SearchTest.ps1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\AssertJoin.xlsm | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\ImportRename.temp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\MeasureEdit.svgz | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\RemoveRegister.html | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\SetReceive.contact | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\GrantMove.aifc | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\ResolveOptimize.wmx | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\ConfirmUpdate.i64 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\TestConvert.ps1xml | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\CompleteSelect.ppsm | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\EnterSync.lock | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\StartComplete.m1v | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\6cfd0cc65ce16197.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\SetCompare.dotx | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files\UnregisterClose.emz | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 824 wrote to memory of 500 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 824 wrote to memory of 500 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 824 wrote to memory of 500 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 500 wrote to memory of 3692 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 500 wrote to memory of 3692 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\wbem\wmic.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Sample.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Sample.dll
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\k\..\Windows\awihm\aukcq\..\..\system32\xxw\dwb\..\..\wbem\f\arni\..\..\wmic.exe" shadowcopy delete
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x150
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
memory/500-0-0x0000000000AB0000-0x0000000000B0D000-memory.dmp
memory/500-1-0x0000000002390000-0x00000000023ED000-memory.dmp
memory/500-6-0x0000000002390000-0x00000000023ED000-memory.dmp
memory/500-10-0x0000000002390000-0x00000000023ED000-memory.dmp
memory/500-13-0x0000000002390000-0x00000000023ED000-memory.dmp
F:\$RECYCLE.BIN\DECRYPT-FILES.txt
| MD5 | 64955d1ce98e92ecebcc589169ddaa95 |
| SHA1 | 86f2d69edc989153f3339f78594c196f6413cc86 |
| SHA256 | 29c0bf34e6bcf2a96b890128fdb36aadf9982c2229b18b38686ec92b18096808 |
| SHA512 | b47dfc7d62a719bf8e54da977a83311ab6cbd7be3cf9300f5e6cbff07336264f71ace424cac178c4104da364a2f81d4aee1b7f2cabe89a30387ee1dcd2c546b3 |
memory/500-773-0x0000000002390000-0x00000000023ED000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_0F3B7EC492364DEE840501A9A32694AC.dat
| MD5 | 03ac0ad603a89ab3834f6b6bdb55bbd8 |
| SHA1 | 0e33bb3828ed99e509975eddbc01b2df38de1235 |
| SHA256 | 2411b32a85ece5fb7fbb89932a2a289bd6886afe1db4b3acf1031c423a49ad22 |
| SHA512 | 19c4dcaeabbbec9d964e595e223ecb0a74ee96f9659bd724e953de1ca3f3d9053f5e4b7d58671ada83f2c806acd23a76aaf69501fb2a038c8c7225294ff78e0b |