733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e

Analysis

max time kernel
129s
max time network
123s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 08:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
Size

244KB
MD5

c91d610830720daaf552f5f7ac2259bc
SHA1

b566d48ae9127d8841afc4df802b1a957f0bbdcb
SHA256

733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e
SHA512

34fc24e2939370b3e532370aaa1f70c0eabb55286f24822ed3ecabff24dac5463b695f780ccebac1f1413d778e674ee4dc3613a6c1c5820161ce3ffe140dc88c
SSDEEP

6144:pN2Q8nvV11UyrSYVnr+9V3C6jx444444v:pmvV1qymYCJC6j

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 38 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01130_.WMF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Clarity.eftx	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Discussion14.gta	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Almaty	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736U.BMP	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR32F.GIF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREQ.CFG	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Atikokan	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10890_.GIF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0160590.WMF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00668_.WMF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ICE.INF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00172_.WMF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297749.WMF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.XML	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDECL.ICO	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01772_.WMF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00586_.WMF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02845G.GIF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages.properties	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Tunis	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR11F.GIF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\APA.XSL	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR1F.GIF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_COL.HXC	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.HOL	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AR.XML	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPQUOT.XML	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21294_.GIF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01329_.WMF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102594.WMF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10300_.GIF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SHOW_01.MID	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\PREVIEW.GIF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297229.WMF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00200_.WMF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01660_.WMF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02298_.WMF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143744.GIF	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBARV.POC	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.DPV	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2976	vssvc.exe
Token: SeRestorePrivilege	2976	vssvc.exe
Token: SeAuditPrivilege	2976	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2784	WMIC.exe
Token: SeSecurityPrivilege	2784	WMIC.exe
Token: SeTakeOwnershipPrivilege	2784	WMIC.exe
Token: SeLoadDriverPrivilege	2784	WMIC.exe
Token: SeSystemProfilePrivilege	2784	WMIC.exe
Token: SeSystemtimePrivilege	2784	WMIC.exe
Token: SeProfSingleProcessPrivilege	2784	WMIC.exe
Token: SeIncBasePriorityPrivilege	2784	WMIC.exe
Token: SeCreatePagefilePrivilege	2784	WMIC.exe
Token: SeBackupPrivilege	2784	WMIC.exe
Token: SeRestorePrivilege	2784	WMIC.exe
Token: SeShutdownPrivilege	2784	WMIC.exe
Token: SeDebugPrivilege	2784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2784	WMIC.exe
Token: SeRemoteShutdownPrivilege	2784	WMIC.exe
Token: SeUndockPrivilege	2784	WMIC.exe
Token: SeManageVolumePrivilege	2784	WMIC.exe
Token: 33	2784	WMIC.exe
Token: 34	2784	WMIC.exe
Token: 35	2784	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2784	WMIC.exe
Token: SeSecurityPrivilege	2784	WMIC.exe
Token: SeTakeOwnershipPrivilege	2784	WMIC.exe
Token: SeLoadDriverPrivilege	2784	WMIC.exe
Token: SeSystemProfilePrivilege	2784	WMIC.exe
Token: SeSystemtimePrivilege	2784	WMIC.exe
Token: SeProfSingleProcessPrivilege	2784	WMIC.exe
Token: SeIncBasePriorityPrivilege	2784	WMIC.exe
Token: SeCreatePagefilePrivilege	2784	WMIC.exe
Token: SeBackupPrivilege	2784	WMIC.exe
Token: SeRestorePrivilege	2784	WMIC.exe
Token: SeShutdownPrivilege	2784	WMIC.exe
Token: SeDebugPrivilege	2784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2784	WMIC.exe
Token: SeRemoteShutdownPrivilege	2784	WMIC.exe
Token: SeUndockPrivilege	2784	WMIC.exe
Token: SeManageVolumePrivilege	2784	WMIC.exe
Token: 33	2784	WMIC.exe
Token: 34	2784	WMIC.exe
Token: 35	2784	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe
Token: SeSecurityPrivilege	2740	WMIC.exe
Token: SeTakeOwnershipPrivilege	2740	WMIC.exe
Token: SeLoadDriverPrivilege	2740	WMIC.exe
Token: SeSystemProfilePrivilege	2740	WMIC.exe
Token: SeSystemtimePrivilege	2740	WMIC.exe
Token: SeProfSingleProcessPrivilege	2740	WMIC.exe
Token: SeIncBasePriorityPrivilege	2740	WMIC.exe
Token: SeCreatePagefilePrivilege	2740	WMIC.exe
Token: SeBackupPrivilege	2740	WMIC.exe
Token: SeRestorePrivilege	2740	WMIC.exe
Token: SeShutdownPrivilege	2740	WMIC.exe
Token: SeDebugPrivilege	2740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2740	WMIC.exe
Token: SeRemoteShutdownPrivilege	2740	WMIC.exe
Token: SeUndockPrivilege	2740	WMIC.exe
Token: SeManageVolumePrivilege	2740	WMIC.exe
Token: 33	2740	WMIC.exe
Token: 34	2740	WMIC.exe
Token: 35	2740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2740	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2836	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	32
PID 1320 wrote to memory of 2836	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	32
PID 1320 wrote to memory of 2836	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	32
PID 2836 wrote to memory of 2784	2836	cmd.exe	33
PID 2836 wrote to memory of 2784	2836	cmd.exe	33
PID 2836 wrote to memory of 2784	2836	cmd.exe	33
PID 1320 wrote to memory of 2664	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	34
PID 1320 wrote to memory of 2664	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	34
PID 1320 wrote to memory of 2664	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	34
PID 2664 wrote to memory of 2740	2664	cmd.exe	36
PID 2664 wrote to memory of 2740	2664	cmd.exe	36
PID 2664 wrote to memory of 2740	2664	cmd.exe	36
PID 1320 wrote to memory of 2536	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	37
PID 1320 wrote to memory of 2536	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	37
PID 1320 wrote to memory of 2536	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	37
PID 2536 wrote to memory of 2616	2536	cmd.exe	39
PID 2536 wrote to memory of 2616	2536	cmd.exe	39
PID 2536 wrote to memory of 2616	2536	cmd.exe	39
PID 1320 wrote to memory of 2296	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	40
PID 1320 wrote to memory of 2296	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	40
PID 1320 wrote to memory of 2296	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	40
PID 2296 wrote to memory of 2472	2296	cmd.exe	42
PID 2296 wrote to memory of 2472	2296	cmd.exe	42
PID 2296 wrote to memory of 2472	2296	cmd.exe	42
PID 1320 wrote to memory of 2872	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	43
PID 1320 wrote to memory of 2872	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	43
PID 1320 wrote to memory of 2872	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	43
PID 2872 wrote to memory of 2808	2872	cmd.exe	45
PID 2872 wrote to memory of 2808	2872	cmd.exe	45
PID 2872 wrote to memory of 2808	2872	cmd.exe	45
PID 1320 wrote to memory of 2928	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	46
PID 1320 wrote to memory of 2928	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	46
PID 1320 wrote to memory of 2928	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	46
PID 2928 wrote to memory of 2948	2928	cmd.exe	48
PID 2928 wrote to memory of 2948	2928	cmd.exe	48
PID 2928 wrote to memory of 2948	2928	cmd.exe	48
PID 1320 wrote to memory of 2532	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	49
PID 1320 wrote to memory of 2532	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	49
PID 1320 wrote to memory of 2532	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	49
PID 2532 wrote to memory of 2184	2532	cmd.exe	51
PID 2532 wrote to memory of 2184	2532	cmd.exe	51
PID 2532 wrote to memory of 2184	2532	cmd.exe	51
PID 1320 wrote to memory of 1804	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	52
PID 1320 wrote to memory of 1804	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	52
PID 1320 wrote to memory of 1804	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	52
PID 1804 wrote to memory of 548	1804	cmd.exe	54
PID 1804 wrote to memory of 548	1804	cmd.exe	54
PID 1804 wrote to memory of 548	1804	cmd.exe	54
PID 1320 wrote to memory of 1628	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	55
PID 1320 wrote to memory of 1628	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	55
PID 1320 wrote to memory of 1628	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	55
PID 1628 wrote to memory of 2720	1628	cmd.exe	57
PID 1628 wrote to memory of 2720	1628	cmd.exe	57
PID 1628 wrote to memory of 2720	1628	cmd.exe	57
PID 1320 wrote to memory of 860	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	58
PID 1320 wrote to memory of 860	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	58
PID 1320 wrote to memory of 860	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	58
PID 860 wrote to memory of 1508	860	cmd.exe	60
PID 860 wrote to memory of 1508	860	cmd.exe	60
PID 860 wrote to memory of 1508	860	cmd.exe	60
PID 1320 wrote to memory of 2332	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	61
PID 1320 wrote to memory of 2332	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	61
PID 1320 wrote to memory of 2332	1320	733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe	61
PID 2332 wrote to memory of 2856	2332	cmd.exe	63

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe
"C:\Users\Admin\AppData\Local\Temp\733a65332795b87d6823360df7f0b9cd01955aedf9f516d1f43c983c69834b0e.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C30046CF-B330-4116-B19D-3907F56E78DF}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C30046CF-B330-4116-B19D-3907F56E78DF}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5434434E-5303-4440-9DDE-923A4474E301}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5434434E-5303-4440-9DDE-923A4474E301}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{065A2E1B-2F32-4B42-94A3-080AD11AF8C0}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{065A2E1B-2F32-4B42-94A3-080AD11AF8C0}'" delete
    3⤵
    PID:2616
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{55CD7D1A-7F8C-4A0C-B08C-7C9235BE67A6}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{55CD7D1A-7F8C-4A0C-B08C-7C9235BE67A6}'" delete
    3⤵
    PID:2472
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CDCB8359-BB55-4254-B547-F0F4A17C26B3}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CDCB8359-BB55-4254-B547-F0F4A17C26B3}'" delete
    3⤵
    PID:2808
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DC606B48-7971-4131-95DF-3B81FD582B64}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DC606B48-7971-4131-95DF-3B81FD582B64}'" delete
    3⤵
    PID:2948
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8F0F5338-BFBE-4CE5-962B-D6837CD11E60}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8F0F5338-BFBE-4CE5-962B-D6837CD11E60}'" delete
    3⤵
    PID:2184
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{67B36C8F-9166-4A06-A0DA-9B5FA409472E}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{67B36C8F-9166-4A06-A0DA-9B5FA409472E}'" delete
    3⤵
    PID:548
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49210D85-E091-4C8F-B0BF-F3450C61B4ED}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49210D85-E091-4C8F-B0BF-F3450C61B4ED}'" delete
    3⤵
    PID:2720
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2A73262F-FF96-48CE-BF3F-608073D79047}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2A73262F-FF96-48CE-BF3F-608073D79047}'" delete
    3⤵
    PID:1508
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{279C7090-298E-4577-A2D1-3F1CA0B08E77}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{279C7090-298E-4577-A2D1-3F1CA0B08E77}'" delete
    3⤵
    PID:2856
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4B21BC4F-429F-42EA-8B4C-F354FAA1C1E3}'" delete
  2⤵
  PID:628
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4B21BC4F-429F-42EA-8B4C-F354FAA1C1E3}'" delete
    3⤵
    PID:1552
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6BC086FC-C77C-45BF-83E5-D5378F8E7938}'" delete
  2⤵
  PID:1764
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6BC086FC-C77C-45BF-83E5-D5378F8E7938}'" delete
    3⤵
    PID:1380
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6CD0DD6C-116E-47DA-826F-49336B360923}'" delete
  2⤵
  PID:2232
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6CD0DD6C-116E-47DA-826F-49336B360923}'" delete
    3⤵
    PID:2260
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5B95C8E5-0EC7-4DAB-91D8-93B4F3BE799A}'" delete
  2⤵
  PID:2032
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5B95C8E5-0EC7-4DAB-91D8-93B4F3BE799A}'" delete
    3⤵
    PID:2060
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{69C393A9-38B4-4B55-BF5C-3D4A1ABE9B5D}'" delete
  2⤵
  PID:2256
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{69C393A9-38B4-4B55-BF5C-3D4A1ABE9B5D}'" delete
    3⤵
    PID:1796
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{62EDDC6A-E788-436C-9A3F-A16093BB09A1}'" delete
  2⤵
  PID:1360
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{62EDDC6A-E788-436C-9A3F-A16093BB09A1}'" delete
    3⤵
    PID:2300
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A3432411-7E71-4E5C-9B47-133BBE633E21}'" delete
  2⤵
  PID:1080
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A3432411-7E71-4E5C-9B47-133BBE633E21}'" delete
    3⤵
    PID:1936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads