ef99a1844cbf354868a70cdcc2584ec94ffceafc4ffcd3a6b5563fa1d632844e

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
Size

74KB
MD5

85110da3605b25aaaa7533e2bdbdc6fb
SHA1

8eb6f6e0e50d1d6e496e1c3498d500e00c47b8ae
SHA256

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac
SHA512

f49ddeb9c0ad79f5979b299fbb231f225c0e6c149633c1d1cdfe0f4d94ce2cf28ee65e17c020624dadb036c20270d343f5f869da3d01b535181e7e7aafae0312
SSDEEP

1536:naDpA+SIN1RWDmGN7NuoH4T+p9yF+KUFP4VuBs7hu7HU0QU9v:1lHNZuoHnyQKrVhWHLQU

Score

9^/10

persistence ransomware

Malware Config

Signatures

Renames multiple (1985) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 2 IoCs

Processes:

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jcJejgZS.lnk	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jcJejgZS.lnk	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcJejgZS = "C:\\Users\\Admin\\AppData\\Local\\PeerDistRepub\\VePwBuDE.exe"	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

Drops file in Program Files directory 64 IoCs

Processes:

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\meta-index	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jvisualvm.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\InstallerMainShell.tlb	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado26.tlb	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\INFO.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\INFO.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File created	C:\Program Files\7-Zip\Lang\INFO.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado20.tlb	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\INFO.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\tools.jar	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\README.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

pid	process
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

description	pid	process
Token: SeRestorePrivilege	1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
Token: SeBackupPrivilege	1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
Token: SeSecurityPrivilege	1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
Token: SeDebugPrivilege	1228	6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe

C:\Users\Admin\AppData\Local\Temp\6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe
"C:\Users\Admin\AppData\Local\Temp\6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties!@#$%^&-()_+.1C

Filesize
5KB

MD5
bf1169e49d7ce0a4ce0ac34f3cfb3209

SHA1
bee7931ed28e5689ed1f0c94d73059a1653c801e

SHA256
29640b8b1b98c1597d3968db559d75612fc3446105ad5273f70fcdd67fe6ba27

SHA512
bede3abbd7c8e32f1eebac57dee312b5b78119984187ce09dc3a2769f1af5bdd7f0d65682e8b13cdc05f8cbb1a350091b8dc3c6fccf57d27e9308e9c43db6af3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\INFO.txt

Filesize
176B

MD5
0e9097cdaf73b5053a84416311a398a6

SHA1
193c87f698f1b3e7bbb596def0951f3049720068

SHA256
04d6c1fb3bb657babb6947b58ff11a315e852839b1a4bf737648eef7a1990188

SHA512
a5b369b977be1f74739bf52bda7578886d4ccf5f11eee4a4560842ff80bb7358b5cca29f73d25bf7bb802ac6c64dd78e16c6bcf814375514b8f23cfaff132f94

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx

Filesize
3.0MB

MD5
e4da6b8f3cc3f5e1304a7185a08a2e70

SHA1
4002cb1a8124e9f8521b306798d68b4fab4e4b7b

SHA256
2d1e1772e002f286c92bb30576d712f968ef86faa49989a399aa1b6b9643bc0d

SHA512
c396a917f4db584ca0a4b0ed0bc8356359549112b09048ce07933c1efc87d3d204de6e18e03ac063896407718783a0cb9901b1ed675d65d3ffff6f5f5ce03f96

Download Submit
C:\Users\Admin\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\Settings\settings.dat

Filesize
9KB

MD5
880f7614c5c66107863e3cdf40369d65

SHA1
3b392bbd30f48eb276604cbdee7227d808fb269e

SHA256
0bc7c919425ca139a670b3634f0f4872cfd5aaa6119ab64d6688a3a10f93b72c

SHA512
c7beccc58b7789eb3242ef79ddb0ea89259a831a40e2f5b65bb5f2df26691374dae3f3b9ffba252133dd0b369615c0f6deb9f1ae9439c8c6f276695029339938

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\Settings\settings.dat

Filesize
9KB

MD5
14bd569f984d18c0ad60fd70a25a2a01

SHA1
ceabd3649a64243e324c1ccd1d9e2023e918248e

SHA256
841c06cee9f2eaba778dad8f9021cc9c4fd4a1c336e184b2a8443bea22d21226

SHA512
5cdb622b06cce8aeb38bdebf60e08f2c3a008a59b3504e68a55f138fc63ae7d04eebd5a23bb25934b8fcfb463e3c78a06f58d00124955032d68fff2822e703c7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\Settings\settings.dat

Filesize
9KB

MD5
d58d13d8933220b03b0f2d8f8ab37d2b

SHA1
dd8bd52eec2a05c7fa767f1f79837e01f5acb42b

SHA256
564838488f4eb098208e4f058215e15beef8a9262cc19bdb532048d530efb39c

SHA512
f44f26d869cec5470c2411d04fd011e6d4414915f5f17b2069a19ddff4476e55f9c58f7e8cc9c885c2a7715289fe2b8dd4cb353436c61559b3453c4f3713d800

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_msotd_exe_15

Filesize
38KB

MD5
f96092cf846d4ae2e4eb9e7554447dea

SHA1
35a4df73053a888b318ddfd85c46b25971b47aeb

SHA256
94c5081de63160be8624944af74ecb789abdfac24f3c279825d532581571dda8

SHA512
8c75d3447c07228bbc2b720685f73a6b050f335190964b79c058193056071fadbfd475142262cecf88e0ef52a614c179481ce045d1cbb404f33245dbf555a20a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe

Filesize
38KB

MD5
1a37a069f752a9ef7bac79772a17a21b

SHA1
954ab0d00cb24204f120d19d2e72bce9a8f70444

SHA256
43b7b609dd8186a2aef263113d0169e38bd8e1845e4138e23ad32a2c7dd8c929

SHA512
4bba5a8b286e657bd5dd74352f716c6bdca696e382a38ddb930e99ad277ec61d1589022d55e3889f239785c027101ea1b376a0665a107aed40e7064dab3ef6e1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc

Filesize
38KB

MD5
cfc383741976ee5a75a34ee7a61304d8

SHA1
9ea8b66ea2dda12c12cbbae73567472aee801d26

SHA256
adcbf6284e28920e9566972012665bedc4c07a09929903dbfd139597305a96bb

SHA512
2df43bc27a9bee564b1b40f9d2c7fdf99d4e3e0dfb26128b2d0f559bb5365f5bdb262b32cb9876899fb714db137ece931f7e11eb448bbae2978233cc4f5be919

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7zFM_exe

Filesize
38KB

MD5
250f57d0cfafe7c8a03aef7f2e140c02

SHA1
72d9fba2858f0fb5002318141a5ee14ac9052976

SHA256
ce1ad4d13384da00e790ffe6e852e5f9f7f176dd865fedba0bdbaa74bf47a197

SHA512
a0652f93faef00318ef046d9183fc7a78cb692c03a0d785d279132198807857e885e09a27c4a06486ebc8f2c732668b328964254b94c0bcb93aa096a34c0f43b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_NEWS_txt

Filesize
38KB

MD5
a8d614865cef3fc9e43a3684704686c2

SHA1
c840a7d901696664a62a13329ae9683b3453d1c6

SHA256
6b1f296034fa952c0d18888949c67be965f6d7774ac012f22a66e17c2b9c178a

SHA512
b18b264f308b4395cf8d0c283fca8588f79e5628635a60d963c360ab309b2e775420549d1d9817b7ffd7201d9f65abf19d12642415a56b2cff8bb3155e238336

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_powershell_exe

Filesize
38KB

MD5
7af5033bdeb240b70f0eda9b69ff9a03

SHA1
5f68abc62a06e096019089323627bde650879410

SHA256
f58ea200821b36c20b459d1d9e9cacff5ebc859dafc7ca9286777c4b4e1d1c9c

SHA512
e8630e0e175041b88ad98747cea37e81c632fc7fe2f36ada16bcb8b6764bf48adc017af0d980031f64d6c757daa9877907c7a26505eb73878e80188806ffc187

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fec781a2-b4f5-4e30-860d-9fb2744d0554}\0.0.filtertrie.intermediate.txt

Filesize
206KB

MD5
ab1514cbf429c1c6f5793b937258cf35

SHA1
e2a6aa049aaf068e216508caf1b735e0e15e4a08

SHA256
fc8976370e658731e4dfe8cefd7cddceff570792648b3f8f4eb63fdbe10cc8b0

SHA512
0f6c8d47ff086410bf913d2677994a034d7ef9272c7b16cedfd5aad727b56b8851158f4fd7163fa27145338fe0f85306772d3dd742f8c747d9418fe4341504a0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fec781a2-b4f5-4e30-860d-9fb2744d0554}\Settings.ft

Filesize
98KB

MD5
cb8e8eb76766688b8f39acd9acb1a655

SHA1
e0cacaf36c725276f0e8c1be322fa575a8ef9ce2

SHA256
7fc411f55f5dd9563b5c6999ee72f38c82f9d5a18d4f7616cf89b022a33dbdfd

SHA512
a723cfd65ce4a16188bd08ecb2762962f7c4db5170366564ace64799dcda25a30b0f275b2d7f9e4872f6095faba84207e472539a8906ee04e15b90b5ee213c29

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471134637266675.txt

Filesize
79KB

MD5
93abad7a7702d89fa0b2f37685fc21d8

SHA1
902aac0bfaf7dd9589fcaf1fba1c8f52ce239821

SHA256
77475a7139ffeb8336dbae77d020cdf113846267b64d5f791d8930fbb22f2731

SHA512
47bdb7cdd1c0979743b712d7d2abb983a7a7f9f6b4db4441bcf562886796081e725ad595d9ae10fe513412274e28ec47a82852408f5c63964e7674ba4874671b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471141905215248.txt

Filesize
65KB

MD5
e404d371472032abcc9ed6aa0cf45542

SHA1
9aac08a53dd8f895fa885ca972ab49223750adfb

SHA256
19514ba1ff4ebfac0d5fe8d2b8ec8774ce0d5c5d742f968eba256b2995306c28

SHA512
0818ec50c323cb0348ee850f771a2395edbbba1b5cb60d4aa6b2abee9d0c02409a4fe9e66afc51809bb7f3caabc7e5e35fdf76eeab63866b524d8b1ea30b63d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471156900973231.txt

Filesize
76KB

MD5
99eecb2549f89a5510317b04d72d1416

SHA1
38f34971625e121f39b5615c879cf1cff4781982

SHA256
ed635253bbd681a36260199dcb4d0c7e7c3b04db923929c763949ff6e001aa93

SHA512
d00d867756c92c53f18a379caf9a4243deabddfa8f3401490d9a517b10f673c1aea99f2a24263959b39f47078968c98f73d073c1b244b8c5537343d497e09882

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133485957313909422.txt

Filesize
76KB

MD5
4e8638696f7de01cd6853def4833f62a

SHA1
c5eda2eb198a399984dc3776e36965c58bba107a

SHA256
8365ad51241690b9d90120614719e15910175e93f4f2cc42abd9287ec8f92d84

SHA512
83f5edfd41c44be809379b8e882e19a14aeb6b7f1efd86d4edcd94e2bb1313a82e0fa24eacb307e6e9a0c49dbb5fa7158534c7f9832ee9b1ab115b4aaa372c1d

Download Submit
C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\Settings\settings.dat

Filesize
9KB

MD5
743afbce73297430c8ca4d0132ce3302

SHA1
0f7633a5a1d5ec1c41d9351b72ad6ae71ef3d12e

SHA256
92287096dc2a09fa4dc00aa918471f4cfe84606278f18969beb1083cb2785264

SHA512
248f5058e75498e6a332bf7885d8fe8ca2f45ff02eac89ee5b0a330ad86eea7e347aeffb5f1ef72d67bc07d30d23c31df4eea32ea9c1030f905f6c25e2b4e756

Download Submit
C:\Users\Admin\AppData\Local\PeerDistRepub\VePwBuDE.exe

Filesize
74KB

MD5
85110da3605b25aaaa7533e2bdbdc6fb

SHA1
8eb6f6e0e50d1d6e496e1c3498d500e00c47b8ae

SHA256
6e2db44578ff2fdcab7938517973ed9bfd3532d7b29b7798ceb9f04ed079c1ac

SHA512
f49ddeb9c0ad79f5979b299fbb231f225c0e6c149633c1d1cdfe0f4d94ce2cf28ee65e17c020624dadb036c20270d343f5f869da3d01b535181e7e7aafae0312

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jcJejgZS.lnk

Filesize
1KB

MD5
69b681095237cc70f926e343e62b1a13

SHA1
cb8b8bb4529ce31c3980361b2dcc5d7ca1c6fb0e

SHA256
625bac3fd560b8a45536937db7c18b86738119b86509db8abfac59c0eaa7e9be

SHA512
2a6299c09bcbc47bf684daaf0a905413ccdd03a4f9607173dc78701cc0a21d3418f2e6e2de71a03d416b39d00757ee5be063ec0fede1366bb8705df82984fab9

Download Submit
C:\Users\Admin\Desktop\CompareUnprotect.DVR!@#$%^&-()_+.1C

Filesize
392KB

MD5
2a09de51c0b5aa7580dce760c6259675

SHA1
9a32de3449a9ce0971c60f2983a773ef6a5a9bf5

SHA256
feb796e5af349aa3b6a0fb04c4659fead035cdc72bcd0b90070e87d6efc052d7

SHA512
f8f58a249932c88c8b1407bdbb950f38b7a5aa42f066df59d409e35814b0f3bd9241677c0e49f75b618dcf04abb99b657f12775189dc528a47189e2d26b3baf6

Download Submit
C:\Users\Admin\Desktop\InstallCompare.htm!@#$%^&-()_+.1C

Filesize
503KB

MD5
18be792e772ee6116c89269a044d95d3

SHA1
27573c8f02021f269c96113b5cc51f79e2003533

SHA256
c722dccdf412a32dbb2affd6b426c56a9009ec4775d0ee2418ddb42130518350

SHA512
78b10fc5694d2ff48e9d97a872cb4706f853b9ac02b9c9e60f0910647a0296e5f4f8a24c1eca5703971b7a434d341a6442c2855656cae4bdf1ee7e7e2178ef75

Download Submit
C:\Users\Admin\Desktop\UnpublishInvoke.xps!@#$%^&-()_+.1C

Filesize
429KB

MD5
51074145808fc6841f5da456b5e5cde9

SHA1
0137a57d3b93d19b87053003fc2fbb7a92d63189

SHA256
638491f04d404d37e7c55530e47f962f07d5b2b361f21f372d2abbb96e061f04

SHA512
281b6be7956730a8b01bcec1c7ba6fa24439aebbc8e81c920b825fe8434331254b469d0bd2d20076b31ab4313083d736c2bc2714a05156ee78794e04e7ead53f

Download Submit
memory/1228-2-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1228-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download