ef99a1844cbf354868a70cdcc2584ec94ffceafc4ffcd3a6b5563fa1d632844e

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
Size

74KB
MD5

85110da3605b25aaaa7533e2bdbdc6fb
SHA1

8eb6f6e0e50d1d6e496e1c3498d500e00c47b8ae
SHA256

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac
SHA512

f49ddeb9c0ad79f5979b299fbb231f225c0e6c149633c1d1cdfe0f4d94ce2cf28ee65e17c020624dadb036c20270d343f5f869da3d01b535181e7e7aafae0312
SSDEEP

1536:naDpA+SIN1RWDmGN7NuoH4T+p9yF+KUFP4VuBs7hu7HU0QU9v:1lHNZuoHnyQKrVhWHLQU

Score

9^/10

persistence ransomware

Malware Config

Signatures

Renames multiple (1985) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 2 IoCs

Processes:

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jcJejgZS.lnk	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jcJejgZS.lnk	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcJejgZS = "C:\\Users\\Admin\\AppData\\Local\\PeerDistRepub\\VePwBuDE.exe"	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

Drops file in Program Files directory 64 IoCs

Processes:

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\meta-index	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jvisualvm.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\InstallerMainShell.tlb	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado26.tlb	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\INFO.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\INFO.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File created	C:\Program Files\7-Zip\Lang\INFO.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado20.tlb	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\INFO.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\tools.jar	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\README.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

pid	process
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

description	pid	process
Token: SeRestorePrivilege	1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
Token: SeBackupPrivilege	1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
Token: SeSecurityPrivilege	1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
Token: SeDebugPrivilege	1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

C:\Users\Admin\AppData\Local\Temp\6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
"C:\Users\Admin\AppData\Local\Temp\6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties!@#$%^&-()_+.1C
Filesize
5KB

MD5
bf1169e49d7ce0a4ce0ac34f3cfb3209

SHA1
bee7931ed28e5689ed1f0c94d73059a1653c801e

SHA256
29640b8b1b98c1597d3968db559d75612fc3446105ad5273f70fcdd67fe6ba27

SHA512
bede3abbd7c8e32f1eebac57dee312b5b78119984187ce09dc3a2769f1af5bdd7f0d65682e8b13cdc05f8cbb1a350091b8dc3c6fccf57d27e9308e9c43db6af3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\INFO.txt
Filesize
176B

MD5
0e9097cdaf73b5053a84416311a398a6

SHA1
193c87f698f1b3e7bbb596def0951f3049720068

SHA256
04d6c1fb3bb657babb6947b58ff11a315e852839b1a4bf737648eef7a1990188

SHA512
a5b369b977be1f74739bf52bda7578886d4ccf5f11eee4a4560842ff80bb7358b5cca29f73d25bf7bb802ac6c64dd78e16c6bcf814375514b8f23cfaff132f94

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx
Filesize
3.0MB

MD5
e4da6b8f3cc3f5e1304a7185a08a2e70

SHA1
4002cb1a8124e9f8521b306798d68b4fab4e4b7b

SHA256
2d1e1772e002f286c92bb30576d712f968ef86faa49989a399aa1b6b9643bc0d

SHA512
c396a917f4db584ca0a4b0ed0bc8356359549112b09048ce07933c1efc87d3d204de6e18e03ac063896407718783a0cb9901b1ed675d65d3ffff6f5f5ce03f96

Download Submit
C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Settings\settings.dat
Filesize
9KB

MD5
880f7614c5c66107863e3cdf40369d65

SHA1
3b392bbd30f48eb276604cbdee7227d808fb269e

SHA256
0bc7c919425ca139a670b3634f0f4872cfd5aaa6119ab64d6688a3a10f93b72c

SHA512
c7beccc58b7789eb3242ef79ddb0ea89259a831a40e2f5b65bb5f2df26691374dae3f3b9ffba252133dd0b369615c0f6deb9f1ae9439c8c6f276695029339938

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\Settings\settings.dat
Filesize
9KB

MD5
14bd569f984d18c0ad60fd70a25a2a01

SHA1
ceabd3649a64243e324c1ccd1d9e2023e918248e

SHA256
841c06cee9f2eaba778dad8f9021cc9c4fd4a1c336e184b2a8443bea22d21226

SHA512
5cdb622b06cce8aeb38bdebf60e08f2c3a008a59b3504e68a55f138fc63ae7d04eebd5a23bb25934b8fcfb463e3c78a06f58d00124955032d68fff2822e703c7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\Settings\settings.dat
Filesize
9KB

MD5
d58d13d8933220b03b0f2d8f8ab37d2b

SHA1
dd8bd52eec2a05c7fa767f1f79837e01f5acb42b

SHA256
564838488f4eb098208e4f058215e15beef8a9262cc19bdb532048d530efb39c

SHA512
f44f26d869cec5470c2411d04fd011e6d4414915f5f17b2069a19ddff4476e55f9c58f7e8cc9c885c2a7715289fe2b8dd4cb353436c61559b3453c4f3713d800

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_msotd_exe_15
Filesize
38KB

MD5
f96092cf846d4ae2e4eb9e7554447dea

SHA1
35a4df73053a888b318ddfd85c46b25971b47aeb

SHA256
94c5081de63160be8624944af74ecb789abdfac24f3c279825d532581571dda8

SHA512
8c75d3447c07228bbc2b720685f73a6b050f335190964b79c058193056071fadbfd475142262cecf88e0ef52a614c179481ce045d1cbb404f33245dbf555a20a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe
Filesize
38KB

MD5
1a37a069f752a9ef7bac79772a17a21b

SHA1
954ab0d00cb24204f120d19d2e72bce9a8f70444

SHA256
43b7b609dd8186a2aef263113d0169e38bd8e1845e4138e23ad32a2c7dd8c929

SHA512
4bba5a8b286e657bd5dd74352f716c6bdca696e382a38ddb930e99ad277ec61d1589022d55e3889f239785c027101ea1b376a0665a107aed40e7064dab3ef6e1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc
Filesize
38KB

MD5
cfc383741976ee5a75a34ee7a61304d8

SHA1
9ea8b66ea2dda12c12cbbae73567472aee801d26

SHA256
adcbf6284e28920e9566972012665bedc4c07a09929903dbfd139597305a96bb

SHA512
2df43bc27a9bee564b1b40f9d2c7fdf99d4e3e0dfb26128b2d0f559bb5365f5bdb262b32cb9876899fb714db137ece931f7e11eb448bbae2978233cc4f5be919

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7zFM_exe
Filesize
38KB

MD5
250f57d0cfafe7c8a03aef7f2e140c02

SHA1
72d9fba2858f0fb5002318141a5ee14ac9052976

SHA256
ce1ad4d13384da00e790ffe6e852e5f9f7f176dd865fedba0bdbaa74bf47a197

SHA512
a0652f93faef00318ef046d9183fc7a78cb692c03a0d785d279132198807857e885e09a27c4a06486ebc8f2c732668b328964254b94c0bcb93aa096a34c0f43b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_NEWS_txt
Filesize
38KB

MD5
a8d614865cef3fc9e43a3684704686c2

SHA1
c840a7d901696664a62a13329ae9683b3453d1c6

SHA256
6b1f296034fa952c0d18888949c67be965f6d7774ac012f22a66e17c2b9c178a

SHA512
b18b264f308b4395cf8d0c283fca8588f79e5628635a60d963c360ab309b2e775420549d1d9817b7ffd7201d9f65abf19d12642415a56b2cff8bb3155e238336

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_powershell_exe
Filesize
38KB

MD5
7af5033bdeb240b70f0eda9b69ff9a03

SHA1
5f68abc62a06e096019089323627bde650879410

SHA256
f58ea200821b36c20b459d1d9e9cacff5ebc859dafc7ca9286777c4b4e1d1c9c

SHA512
e8630e0e175041b88ad98747cea37e81c632fc7fe2f36ada16bcb8b6764bf48adc017af0d980031f64d6c757daa9877907c7a26505eb73878e80188806ffc187

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fec781a2-b4f5-4e30-860d-9fb2744d0554}\0.0.filtertrie.intermediate.txt
Filesize
206KB

MD5
ab1514cbf429c1c6f5793b937258cf35

SHA1
e2a6aa049aaf068e216508caf1b735e0e15e4a08

SHA256
fc8976370e658731e4dfe8cefd7cddceff570792648b3f8f4eb63fdbe10cc8b0

SHA512
0f6c8d47ff086410bf913d2677994a034d7ef9272c7b16cedfd5aad727b56b8851158f4fd7163fa27145338fe0f85306772d3dd742f8c747d9418fe4341504a0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fec781a2-b4f5-4e30-860d-9fb2744d0554}\Settings.ft
Filesize
98KB

MD5
cb8e8eb76766688b8f39acd9acb1a655

SHA1
e0cacaf36c725276f0e8c1be322fa575a8ef9ce2

SHA256
7fc411f55f5dd9563b5c6999ee72f38c82f9d5a18d4f7616cf89b022a33dbdfd

SHA512
a723cfd65ce4a16188bd08ecb2762962f7c4db5170366564ace64799dcda25a30b0f275b2d7f9e4872f6095faba84207e472539a8906ee04e15b90b5ee213c29

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471134637266675.txt
Filesize
79KB

MD5
93abad7a7702d89fa0b2f37685fc21d8

SHA1
902aac0bfaf7dd9589fcaf1fba1c8f52ce239821

SHA256
77475a7139ffeb8336dbae77d020cdf113846267b64d5f791d8930fbb22f2731

SHA512
47bdb7cdd1c0979743b712d7d2abb983a7a7f9f6b4db4441bcf562886796081e725ad595d9ae10fe513412274e28ec47a82852408f5c63964e7674ba4874671b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471141905215248.txt
Filesize
65KB

MD5
e404d371472032abcc9ed6aa0cf45542

SHA1
9aac08a53dd8f895fa885ca972ab49223750adfb

SHA256
19514ba1ff4ebfac0d5fe8d2b8ec8774ce0d5c5d742f968eba256b2995306c28

SHA512
0818ec50c323cb0348ee850f771a2395edbbba1b5cb60d4aa6b2abee9d0c02409a4fe9e66afc51809bb7f3caabc7e5e35fdf76eeab63866b524d8b1ea30b63d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471156900973231.txt
Filesize
76KB

MD5
99eecb2549f89a5510317b04d72d1416

SHA1
38f34971625e121f39b5615c879cf1cff4781982

SHA256
ed635253bbd681a36260199dcb4d0c7e7c3b04db923929c763949ff6e001aa93

SHA512
d00d867756c92c53f18a379caf9a4243deabddfa8f3401490d9a517b10f673c1aea99f2a24263959b39f47078968c98f73d073c1b244b8c5537343d497e09882

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133485957313909422.txt
Filesize
76KB

MD5
4e8638696f7de01cd6853def4833f62a

SHA1
c5eda2eb198a399984dc3776e36965c58bba107a

SHA256
8365ad51241690b9d90120614719e15910175e93f4f2cc42abd9287ec8f92d84

SHA512
83f5edfd41c44be809379b8e882e19a14aeb6b7f1efd86d4edcd94e2bb1313a82e0fa24eacb307e6e9a0c49dbb5fa7158534c7f9832ee9b1ab115b4aaa372c1d

Download Submit
C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\Settings\settings.dat
Filesize
9KB

MD5
743afbce73297430c8ca4d0132ce3302

SHA1
0f7633a5a1d5ec1c41d9351b72ad6ae71ef3d12e

SHA256
92287096dc2a09fa4dc00aa918471f4cfe84606278f18969beb1083cb2785264

SHA512
248f5058e75498e6a332bf7885d8fe8ca2f45ff02eac89ee5b0a330ad86eea7e347aeffb5f1ef72d67bc07d30d23c31df4eea32ea9c1030f905f6c25e2b4e756

Download Submit
C:\Users\Admin\AppData\Local\PeerDistRepub\VePwBuDE.exe
Filesize
74KB

MD5
85110da3605b25aaaa7533e2bdbdc6fb

SHA1
8eb6f6e0e50d1d6e496e1c3498d500e00c47b8ae

SHA256
6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac

SHA512
f49ddeb9c0ad79f5979b299fbb231f225c0e6c149633c1d1cdfe0f4d94ce2cf28ee65e17c020624dadb036c20270d343f5f869da3d01b535181e7e7aafae0312

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jcJejgZS.lnk
Filesize
1KB

MD5
69b681095237cc70f926e343e62b1a13

SHA1
cb8b8bb4529ce31c3980361b2dcc5d7ca1c6fb0e

SHA256
625bac3fd560b8a45536937db7c18b86738119b86509db8abfac59c0eaa7e9be

SHA512
2a6299c09bcbc47bf684daaf0a905413ccdd03a4f9607173dc78701cc0a21d3418f2e6e2de71a03d416b39d00757ee5be063ec0fede1366bb8705df82984fab9

Download Submit
C:\Users\Admin\Desktop\CompareUnprotect.DVR!@#$%^&-()_+.1C
Filesize
392KB

MD5
2a09de51c0b5aa7580dce760c6259675

SHA1
9a32de3449a9ce0971c60f2983a773ef6a5a9bf5

SHA256
feb796e5af349aa3b6a0fb04c4659fead035cdc72bcd0b90070e87d6efc052d7

SHA512
f8f58a249932c88c8b1407bdbb950f38b7a5aa42f066df59d409e35814b0f3bd9241677c0e49f75b618dcf04abb99b657f12775189dc528a47189e2d26b3baf6

Download Submit
C:\Users\Admin\Desktop\InstallCompare.htm!@#$%^&-()_+.1C
Filesize
503KB

MD5
18be792e772ee6116c89269a044d95d3

SHA1
27573c8f02021f269c96113b5cc51f79e2003533

SHA256
c722dccdf412a32dbb2affd6b426c56a9009ec4775d0ee2418ddb42130518350

SHA512
78b10fc5694d2ff48e9d97a872cb4706f853b9ac02b9c9e60f0910647a0296e5f4f8a24c1eca5703971b7a434d341a6442c2855656cae4bdf1ee7e7e2178ef75

Download Submit
C:\Users\Admin\Desktop\UnpublishInvoke.xps!@#$%^&-()_+.1C
Filesize
429KB

MD5
51074145808fc6841f5da456b5e5cde9

SHA1
0137a57d3b93d19b87053003fc2fbb7a92d63189

SHA256
638491f04d404d37e7c55530e47f962f07d5b2b361f21f372d2abbb96e061f04

SHA512
281b6be7956730a8b01bcec1c7ba6fa24439aebbc8e81c920b825fe8434331254b469d0bd2d20076b31ab4313083d736c2bc2714a05156ee78794e04e7ead53f

Download Submit
memory/1228-2-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1228-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download