Analysis
max time kernel: 141s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2023, 10:48
Static task: static1
Behavioral task: behavioral1
  Sample: 2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff.exe
  Resource: win10v2004-20231023-en
The platform, signatures and process tree on this page come from the windows10-2004_x64 run (behavioral2); the Windows 7 run is a separate task.
General
Target: 2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff.exe
Size: 192KB
MD5: 089d624ce16de85ba8f8d0431d6688f7
SHA1: fcc52416e27b7c5980096d7cab4c052eb6dcc5c3
SHA256: 2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff
SHA512: 51cb1af56c657593abcbc1b73ed499ac0f14bac951094df1da77c4db6df021b534d0d6729aa01daf7109094023bf4da52eab244df7a1f548f937e723176de0a9
SSDEEP: 3072:NTzI7wjFPJkvsn2oYK9c1PQ2xQgGdHpbSAo8qW1EntxdvyyqbWI6lTNfWhDsO4YZ:JuwZPuvs2oYOcRQ24H0Wy3dv3OhZNn5l
Malware Config
Extracted from: F:\$RECYCLE.BIN\HOW TO BACK FILES.txt (the ransom note)
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
The two Tor URLs are the victim portal from the note. The /mallox/ path, the HOW TO BACK FILES.txt note name and the SQL-service kill list in the process tree are consistent with the Mallox (TargetCompany) ransomware family, which is known for targeting Microsoft SQL Server hosts.
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (3266) files with added filename extension
This suggests ransomware activity: encrypting the files on the system. The report does not show the extension that was appended.

Stops running service(s) (3 TTPs)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation by 2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by 2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff.exe, one event per drive letter, for every letter except C: (the system drive) and F:, as \??\A: \??\B: \??\D: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (24 opens; the order recorded in the report is W, D, B, G, J, R, U, T, S, V, E, H, I, L, N, Q, Z, Y, A, K, M, O, P, X).

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 37: api.ipify.org
Drops file in Program Files directory (64 IoCs)
All events are by 2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff.exe. Entries named HOW TO BACK FILES.txt are the ransom note being written into each directory; the remaining "opened for modification" entries are existing application files (fonts, icons, license and manifest files) being opened for write, consistent with the encryption pass that produced the 3266 renames above.
File opened for modification: C:\Program Files\7-Zip\Lang\sl.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\HOW TO BACK FILES.txt
File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\HOW TO BACK FILES.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-sl\HOW TO BACK FILES.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\ui-strings.js
File opened for modification: C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-40_contrast-white.png
File created: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW TO BACK FILES.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-tw\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-200_contrast-white.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated_contrast-white.png
File opened for modification: C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms
File opened for modification: C:\Program Files\VideoLAN\VLC\AUTHORS.txt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_TeethSmile.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-16_altform-unplated.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreLargeTile.scale-200.png
File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
File opened for modification: C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-20.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-72.png
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-black_scale-200.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-80_altform-unplated.png
File created: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Eyebrow.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-150_contrast-white.png
File created: C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\HOW TO BACK FILES.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Java\jdk-1.8\jre\Welcome.html
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\HOW TO BACK FILES.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-36_altform-unplated_contrast-white.png
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-200.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_es-MX.json
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-default_32.svg
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\PREVIEW.GIF
File opened for modification: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.177.11\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-100.png
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\FormatRead.jpeg
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\System\VEN2232.OLB
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SpotlightCalendar_2017-03.gif
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-30.png
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid 216: sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid 524: vssadmin.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 4764: 2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff.exe (2 events)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
pid 4764 2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff.exe: SeTakeOwnershipPrivilege, SeDebugPrivilege
pid 2380 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
vssvc.exe is the Volume Shadow Copy service itself, started as a consequence of the vssadmin call, and its privilege use is normal service behaviour. The two privileges enabled by the sample are the ones that matter: SeTakeOwnershipPrivilege lets it take ownership of files it cannot otherwise write, and SeDebugPrivilege lets it open and terminate other users' processes.

Suspicious use of WriteProcessMemory (14 IoCs)
PID 4764 (2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff.exe) wrote to memory of 940 (3 events, procid_target 97)
PID 4764 wrote to memory of 524 (2 events, procid_target 92)
PID 4764 wrote to memory of 2564 (3 events, procid_target 91)
PID 4764 wrote to memory of 228 (3 events, procid_target 93)
PID 2564 (cmd.exe) wrote to memory of 216 (3 events, procid_target 100)
Every target is a direct child of the writing process in the process tree below (the sample spawns 940, 524, 2564 and 228; cmd.exe 2564 spawns sc.exe 216), so these writes belong to process creation rather than to injection into an unrelated process.

System policy modification (1 TTP, 1 IoC)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" by 2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff.exe
Setting ShutdownWithoutLogon to 0 removes the shut-down control from the logon screen.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
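The two file-system signatures above (a ransom note created across many directories, and 3266 renames that append an extension) can be checked mechanically from file-event telemetry. The Python below is an added example, not part of the tria.ge report or of the sample: its events are constructed, the note directories are copied from the list above, and the ".locked" suffix and the Documents paths are placeholders because the report does not print the extension the sample appends.

```python
"""Heuristics for two file-system signatures in the report above: the same file name
("HOW TO BACK FILES.txt") created in many directories by one process, and mass renames
where the new name is the old name plus an appended extension.
Added example: the events are constructed here, not sandbox output."""
import ntpath                       # Windows path handling that also runs on Linux/macOS
from collections import Counter, defaultdict

NOTE = "HOW TO BACK FILES.txt"      # ransom note name from the report
SAMPLE_PID = 4764                   # the sample's PID in the report's process tree

# Directories taken from the "Drops file in Program Files directory" list and from the
# Malware Config section (F:\$RECYCLE.BIN).
NOTE_DIRS = [
    r"C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxMetadata",
    r"C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d",
    r"C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black",
    r"C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode",
    r"C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro",
    r"F:\$RECYCLE.BIN",
]


def build_events():
    """Constructed (pid, op, path, new_path) events modelled on the report."""
    events = [(SAMPLE_PID, "create", ntpath.join(d, NOTE), None) for d in NOTE_DIRS]
    # Encryption pass: original name kept, a new extension appended. The report counts
    # 3266 such renames but does not print the extension; ".locked" is a placeholder.
    for i in range(40):
        old = rf"C:\Users\Admin\Documents\report{i}.docx"
        events.append((SAMPLE_PID, "rename", old, old + ".locked"))
    # Benign noise from a hypothetical second process (an installer staging files).
    events.append((1180, "rename", r"C:\Users\Admin\AppData\Local\Temp\pkg.tmp",
                   r"C:\Users\Admin\AppData\Local\Temp\pkg.msi"))
    events.append((1180, "create", r"C:\Users\Admin\AppData\Local\Temp\setup.log", None))
    return events


def appended_extension(old, new):
    """Return the extension appended to `old` to produce `new`, or None when the rename
    did anything other than add a trailing '.ext' to the unchanged original name."""
    if len(new) <= len(old) or not new.lower().startswith(old.lower()):
        return None
    suffix = new[len(old):]
    if suffix.startswith(".") and "\\" not in suffix and "/" not in suffix:
        return suffix
    return None


def assess(events, note_dir_min=10, rename_min=20):
    """Per PID: a file name created in at least note_dir_min distinct directories, and the
    most common appended extension when it was seen at least rename_min times."""
    dirs_by_name = defaultdict(set)     # (pid, file name) -> directories it was created in
    suffixes = defaultdict(Counter)     # pid -> Counter of appended extensions
    for pid, op, path, new_path in events:
        if op == "create":
            directory, name = ntpath.split(path)
            dirs_by_name[(pid, name)].add(directory.lower())
        elif op == "rename" and new_path:
            suffix = appended_extension(path, new_path)
            if suffix:
                suffixes[pid][suffix.lower()] += 1
    findings = {}
    for (pid, name), dirs in dirs_by_name.items():
        if len(dirs) >= note_dir_min:
            findings.setdefault(pid, {})["note_candidate"] = (name, len(dirs))
    for pid, counter in suffixes.items():
        suffix, count = counter.most_common(1)[0]
        if count >= rename_min:
            findings.setdefault(pid, {})["appended_extension"] = (suffix, count)
    return findings


if __name__ == "__main__":
    for pid, hit in assess(build_events()).items():
        print(pid, hit)
```

The thresholds are deliberately low so the constructed data trips them; against the real counts from this run (3266 renames, a note in dozens of Program Files directories) they would fire by a wide margin, and the installer's single rename and log file stay below them. Matching is done on the unchanged original name plus a suffix, so a tool that rewrites files to new names (a backup job, an updater) is not confused with an encryptor that appends its marker.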
Processes

C:\Users\Admin\AppData\Local\Temp\2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff.exe
  "C:\Users\Admin\AppData\Local\Temp\2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff.exe"
  PID 4764
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
      PID 2564
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\sc.exe
          sc delete "MSSQLFDLauncher"
          PID 216
          - Launches sc.exe

    C:\Windows\system32\vssadmin.exe
      "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      PID 524
      - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      PID 228

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      PID 940

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  PID 2380
  - Suspicious use of AdjustPrivilegeToken

Notes on the tree:
- The cmd.exe chain names 28 services (SQL Server and its agents, SSIS, SSAS, Reporting Services, Veeam's and several vendor-specific SQL instances, PostgreSQL) and 16 process images, yet only one sc.exe launch is recorded. The commands are joined with &&, which stops the chain at the first failing command; the first sc delete fails on the analysis image, where MSSQLFDLauncher is not installed, so none of the remaining sc or taskkill commands ran here. On a host that actually runs SQL Server, Veeam or PostgreSQL the whole list executes and the taskkill -f commands stop the database engines so their data files can be encrypted.
- cmd.exe and sc.exe are loaded from SysWOW64: the sample is a 32-bit executable running under WOW64. It reaches the 64-bit vssadmin.exe through the \sysnative\ alias, which is why that child is listed under C:\Windows\system32\ while its siblings are under SysWOW64.
- vssadmin delete shadows /all /quiet removes every Volume Shadow Copy; bcdedit /set {current} recoveryenabled no disables the Windows Recovery Environment at boot, and bcdedit /set {current} bootstatuspolicy ignoreallfailures suppresses automatic repair after failed boots. Together these are the standard ransomware set for ATT&CK T1490 (Inhibit System Recovery).
- vssvc.exe at the root of the tree is the Volume Shadow Copy service, started by the system in response to the vssadmin call; it is not a second dropped component.
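The command lines in the tree above can be turned into structured findings (which recovery-inhibition and service-tampering commands ran, attributed to the root process) and checked against what actually executed. The Python below is an added example, not part of the tria.ge report: the process records are constructed from the PIDs and command lines shown on this page, and the (pid, ppid, image, cmdline) record shape is an assumption for the example, not the sandbox's own format.

```python
"""Classify the commands in a process tree into recovery/backup-inhibition findings,
roll them up to the root process, and compare the sc delete commands the cmd.exe chain
intended with the sc.exe processes that actually ran (the && short-circuit).
Added example; records are constructed from the report's process tree."""
import re
from collections import defaultdict

SAMPLE = "2044bc33cf855b4add30312da75ac8daa408197408da88ecd520d90bdef550ff.exe"

# The cmd.exe /C chain exactly as shown in the process tree above.
SQL_CHAIN = (
    'sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&'
    'sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&'
    'sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&'
    'sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&'
    'sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&'
    'sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&'
    'sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&'
    'sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&'
    'sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&'
    'sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&'
    'sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&'
    'taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&'
    'taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&'
    'taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&'
    'taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&'
    'taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&'
    'taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe'
)

# Constructed records (pid, ppid, image, cmdline) modelled on the tree; ppid 0 = no parent seen.
PROCESSES = [
    {"pid": 4764, "ppid": 0, "image": SAMPLE,
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'},
    {"pid": 2564, "ppid": 4764, "image": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ' + SQL_CHAIN},
    {"pid": 216, "ppid": 2564, "image": "sc.exe", "cmdline": 'sc delete "MSSQLFDLauncher"'},
    {"pid": 524, "ppid": 4764, "image": "vssadmin.exe",
     "cmdline": r'"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet'},
    {"pid": 228, "ppid": 4764, "image": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no'},
    {"pid": 940, "ppid": 4764, "image": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures'},
]


def split_chain(cmdline):
    """Strip a leading `cmd.exe /C` wrapper and split the body on && into single commands."""
    m = re.match(r'^\s*"?[^"]*cmd(?:\.exe)?"?\s+/c\s+(.*)$', cmdline, re.I | re.S)
    body = m.group(1) if m else cmdline
    return [c.strip() for c in body.split("&&") if c.strip()]


def classify(cmd):
    """Map one command to (technique, target); None for anything not of interest."""
    m = re.match(r'^sc(?:\.exe)?\s+delete\s+"?([^"\s]+)"?\s*$', cmd, re.I)
    if m:
        return ("service_removal", m.group(1))
    m = re.match(r'^taskkill\b.*?[-/]im\s+(\S+)', cmd, re.I)
    if m:
        return ("process_kill", m.group(1).lower())
    if re.search(r'\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b', cmd, re.I):
        return ("shadow_copy_deletion", "all")
    m = re.search(r'\bbcdedit\b.*/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b',
                  cmd, re.I)
    if m:
        return ("recovery_disabled", " ".join(m.group(1).lower().split()))
    return None


def score_tree(processes):
    """Attribute every classified command to the root ancestor of the process that ran it."""
    by_pid = {p["pid"]: p for p in processes}

    def root(pid):
        while by_pid[pid]["ppid"] in by_pid:
            pid = by_pid[pid]["ppid"]
        return pid

    findings = defaultdict(lambda: defaultdict(set))
    for p in processes:
        for cmd in split_chain(p["cmdline"]):
            hit = classify(cmd)
            if hit:
                findings[root(p["pid"])][hit[0]].add(hit[1])
    return {pid: {k: sorted(v) for k, v in d.items()} for pid, d in findings.items()}


def sc_intended_vs_observed(processes):
    """(sc delete commands queued in cmd.exe chains, sc.exe processes actually created).
    A gap means a && chain stopped early after a failing command."""
    intended = 0
    for p in processes:
        if p["image"].lower() == "cmd.exe":
            for cmd in split_chain(p["cmdline"]):
                hit = classify(cmd)
                if hit and hit[0] == "service_removal":
                    intended += 1
    observed = sum(1 for p in processes if p["image"].lower() == "sc.exe")
    return intended, observed


if __name__ == "__main__":
    for pid, hits in score_tree(PROCESSES).items():
        print(pid, {k: len(v) for k, v in hits.items()})
    print("sc delete intended/observed:", sc_intended_vs_observed(PROCESSES))
```

Run as-is it reports 28 service removals, 14 distinct process images targeted, one shadow-copy deletion and two boot-recovery changes, all rolled up to PID 4764, and an intended/observed count of 28/1 for sc delete. Feeding it real process-creation telemetry is a matter of mapping the event fields onto the same four keys; the classifier deliberately keys on the command text rather than on image paths, since cmd.exe, sc.exe and vssadmin.exe are legitimate and appear on every host.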
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: dfc5d72eec9932774841f9bb7ce429ce
SHA1: 8611ef751f4a9cd552c48018b2d9b00dd54385a9
SHA256: 1284b8267b507edf6fe273c4cc459611e5497cace7e8b30c428f964cb1acb5eb
SHA512: a55b60e4795a266aa00b6dcebd0b138d3155722e1f2c20d4ef1317f3c418615f51a818309c9eac1be5d7c94d450838b247de27b3601c2cd88f4d088693ca441c
The report does not name this file.