3Analysis
-
max time kernel
89s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
01-01-2024 15:27
Behavioral task
behavioral1
Sample
samples3.zip
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
samples3.zip
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
05cf6eee9b0b2c049cec8ce775de0636ade55f23a51dc833170f09445719abb3.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
05cf6eee9b0b2c049cec8ce775de0636ade55f23a51dc833170f09445719abb3.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
0fd8500fdef116abae01a1dcfed2db9784bbcb753488710aa1048f2aa0fd111e.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
0fd8500fdef116abae01a1dcfed2db9784bbcb753488710aa1048f2aa0fd111e.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
11edf9436a9205c88c2a815cf6ebfb0a7a42eb150a2649766b3bb30350ee35ed.pdf
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
11edf9436a9205c88c2a815cf6ebfb0a7a42eb150a2649766b3bb30350ee35ed.pdf
Resource
win10v2004-20231222-en
Behavioral task
behavioral11
Sample
19a640415bb2bbc2f2624c204f6c5771b908b6c54b88976eb0daa76a29af255c.exe
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
19a640415bb2bbc2f2624c204f6c5771b908b6c54b88976eb0daa76a29af255c.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
33aa57b04bbdcf9617ed334dda4aee9502be652771899c75937f0e1223c7e2cb.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
33aa57b04bbdcf9617ed334dda4aee9502be652771899c75937f0e1223c7e2cb.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
3643464a225aa2ad5c9c9657d4fd05b943fdd9c04ca36b9d3610a04332909d19.exe
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
3643464a225aa2ad5c9c9657d4fd05b943fdd9c04ca36b9d3610a04332909d19.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
37e2f977559a58cb33f7128ad7699a5c4f7c0013d8d83b1eda93a59ae35ba526.exe
Resource
win7-20231129-en
Behavioral task
behavioral18
Sample
37e2f977559a58cb33f7128ad7699a5c4f7c0013d8d83b1eda93a59ae35ba526.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral19
Sample
54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
54cd11236fdc2a40b505598541f64e8a6bd9ea84552b6d5946777badf8a2b7ff.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral21
Sample
55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
55bc661ad4439400fc434fd6bab66f598c7272854f0453b451e31b84265eff8c.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
603d665f09a9a199a4b5b9f8d1841a07ae9c525f275fc54c7cb15953d73ff568.exe
Resource
win7-20231129-en
Behavioral task
behavioral24
Sample
603d665f09a9a199a4b5b9f8d1841a07ae9c525f275fc54c7cb15953d73ff568.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral25
Sample
6ea27a08617ed35f8340fcc9eda5ccd7316eed9b192e3a7efd4cd5e1b8a4fc7e.exe
Resource
win7-20231129-en
Behavioral task
behavioral26
Sample
6ea27a08617ed35f8340fcc9eda5ccd7316eed9b192e3a7efd4cd5e1b8a4fc7e.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
73af283fcb06a9ea35ea6ad24b62b302459594f4b09dbba2d74001bf90ab020c.exe
Resource
win7-20231215-en
Behavioral task
behavioral28
Sample
73af283fcb06a9ea35ea6ad24b62b302459594f4b09dbba2d74001bf90ab020c.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
7e41197b74e2dcc6c0563d4b71a4ad16293909889ce4f1c5ab214bdd59088667.exe
Resource
win7-20231215-en
Behavioral task
behavioral30
Sample
7e41197b74e2dcc6c0563d4b71a4ad16293909889ce4f1c5ab214bdd59088667.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral31
Sample
a878fed05519b4e0898e26a79cc646c0bb7b9e380c94f06baecc750f0ab97b99.exe
Resource
win7-20231215-en
Behavioral task
behavioral32
Sample
a878fed05519b4e0898e26a79cc646c0bb7b9e380c94f06baecc750f0ab97b99.exe
Resource
win10v2004-20231222-en
General
-
Target
0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe
-
Size
92KB
-
MD5
6c482e3d0fdc8af0182d543371ca5176
-
SHA1
e4de59423b77477cc593b7f31d08252107444524
-
SHA256
0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7
-
SHA512
ed217f7c2a0b0ca7716c0c04dc369598371d997590437f70ce68147276ef0cc8e3539306abcd5d16266dc5d4a6b984eab9e8fc5348dc2f6607ddea3eed4e0411
-
SSDEEP
1536:ReybNDac/BiUkGgxjDUsFFtZjSrHOUTS6r17Y4HbmxwRwW:lNDgUm5Fi6Uu6r17p7zV
Malware Config
Signatures
-
Renames multiple (11772) files with added filename extension
This suggests ransomware activity: the files on the system are being encrypted (the `.locked` and `.readme_txt` suffixes in the Program Files list below are consistent with this).
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
Process explorer.exe — description: Key created; ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components; process: explorer.exe -
Deletes itself 1 IoCs
Processes:
Process LBEA:exe — pid: 1200; process: LBEA:exe -
Executes dropped EXE 3 IoCs
Processes:
Processes LBEA:exe, 9iA.exe, cJ3VCt6:exe — pid / process: 1200 LBEA:exe; 4120 9iA.exe; 5056 cJ3VCt6:exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Process 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe — description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\62Kl2A72 = "C:\\Users\\Admin\\AppData\\Local\\W0h\\V37.exe"; process: 0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
Process cJ3VCt6:exe — description: File opened for modification; ioc: C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI; process: cJ3VCt6:exe. Description: File opened for modification; ioc: C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini; process: cJ3VCt6:exe -
Drops file in Program Files directory 64 IoCs
Processes:
cJ3VCt6:exedescription ioc process File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.locked cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\OriginLetter.Dotx.readme_txt cJ3VCt6:exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Grouping.Base.dll.readme_txt cJ3VCt6:exe File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.readme_txt cJ3VCt6:exe File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\TEMPSITC.TTF.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-400.png cJ3VCt6:exe File created C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\Microsoft.PowerShell.PSReadline.Resources.dll.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_wob.png cJ3VCt6:exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\PackageManagementDscUtilities.strings.psd1.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms cJ3VCt6:exe File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png.locked cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN026.XML.readme_txt cJ3VCt6:exe File 
opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Microsoft.AnalysisServices.AzureClient.dll.locked cJ3VCt6:exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-96_altform-unplated.png cJ3VCt6:exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] cJ3VCt6:exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-2x.png.readme_txt cJ3VCt6:exe File created C:\Program Files\7-Zip\Lang\mng2.txt.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig.locked cJ3VCt6:exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.locked cJ3VCt6:exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\beta.identity_helper.exe.manifest.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms.locked cJ3VCt6:exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\PREVIEW.GIF.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Undo.png cJ3VCt6:exe File opened for modification C:\Program 
Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-400.png cJ3VCt6:exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ja_135x40.svg.readme_txt cJ3VCt6:exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\ui-strings.js.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\canary.identity_helper.exe.manifest.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\j2gss.dll cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.readme_txt cJ3VCt6:exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmtransactions_xl.dll.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-32_altform-unplated_contrast-white.png cJ3VCt6:exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\ui-strings.js cJ3VCt6:exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Globalization.Calendars.dll.readme_txt cJ3VCt6:exe File opened for 
modification C:\Program Files\Microsoft Office\root\Office16\msoev.exe cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png.locked cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.locked cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Grouping.Windows.dll.locked cJ3VCt6:exe File created C:\Program Files\Microsoft Office\root\vreg\office.x-none.msi.16.x-none.vreg.dat.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x cJ3VCt6:exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js.locked cJ3VCt6:exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak.readme_txt cJ3VCt6:exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEINTL.DLL.readme_txt cJ3VCt6:exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\PREVIEW.GIF.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\ui-strings.js.readme_txt cJ3VCt6:exe File created C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\ui-strings.js.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\favicon.ico.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-150.png cJ3VCt6:exe File created C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\Microsoft.PackageManagement.resources.dll.locked cJ3VCt6:exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\organize.svg cJ3VCt6:exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js cJ3VCt6:exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.readme_txt cJ3VCt6:exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.readme_txt cJ3VCt6:exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Modifies registry class 2 IoCs
Processes:
Process explorer.exe — description: Key created; ioc: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{75B5EEA5-2AB3-4E62-BD76-780A4AE5C499}; process: explorer.exe. Description: Key created; ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\; process: explorer.exe -
NTFS ADS 2 IoCs
Processes:
Process 9iA.exe — description: File created; ioc: C:\Users\Admin\AppData\Local\LBEA:exe; process: 9iA.exe. Description: File created; ioc: C:\Users\Admin\AppData\Local\cJ3VCt6:exe; process: 9iA.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
Process explorer.exe — description / pid / process: Token: SeShutdownPrivilege 468 explorer.exe and Token: SeCreatePagefilePrivilege 468 explorer.exe, each recorded six times (12 entries) -
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
Process explorer.exe — pid / process: 468 explorer.exe (6 entries) -
Suspicious use of SendNotifyMessage 8 IoCs
Processes:
Process explorer.exe — pid / process: 468 explorer.exe (8 entries) -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
Processes cmd.exe, LBEA:exe, 9iA.exe — description / pid / process / target process: PID 2752 wrote to memory of 4996 — 2752 cmd.exe (×3); PID 2752 wrote to memory of 1200 — 2752 LBEA:exe (×3); PID 4996 wrote to memory of 4120 — 4996 cmd.exe 9iA.exe (×3); PID 1200 wrote to memory of 4136 — 1200 LBEA:exe net.exe (×3); PID 4120 wrote to memory of 5056 — 4120 9iA.exe cJ3VCt6:exe (×3)
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe — command line: "C:\Users\Admin\AppData\Local\Temp\0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe" (depth 1)
- Adds Run key to start application
PID:2752 -
C:\Windows\SysWOW64\cmd.exe — command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\lj0R\9iA.exe 2 (depth 2)
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Users\Admin\AppData\Local\lj0R\9iA.exe — command line: C:\Users\Admin\AppData\Local\lj0R\9iA.exe 2 (depth 3)
- Executes dropped EXE
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Users\Admin\AppData\Local\LBEA:exe — command line: C:\Users\Admin\AppData\Local\LBEA:exe 1 C:\Users\Admin\AppData\Local\Temp\0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe (depth 2)
- Deletes itself
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200
-
C:\Users\Admin\AppData\Local\cJ3VCt6:exe — command line: C:\Users\Admin\AppData\Local\cJ3VCt6:exe 3 C:\Users\Admin\AppData\Local\lj0R\9iA.exe (depth 1)
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:5056
-
C:\Windows\SysWOW64\net.exe — command line: C:\Windows\system32\net.exe view (depth 1)
- Discovers systems in the same network
PID:4136
-
C:\Windows\explorer.exe — command line: explorer.exe (depth 1)
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:468
Network
MITRE ATT&CK Enterprise v15
Downloads
-
memory/1200-14-0x0000000000690000-0x0000000000696000-memory.dmp — Filesize
24KB
-
memory/1200-897-0x0000000000400000-0x000000000041A000-memory.dmp — Filesize
104KB
-
memory/2752-1-0x0000000002180000-0x0000000002186000-memory.dmp — Filesize
24KB
-
memory/2752-0-0x0000000000400000-0x000000000041A000-memory.dmp — Filesize
104KB
-
memory/2752-11-0x0000000000400000-0x000000000041A000-memory.dmp — Filesize
104KB
-
memory/4120-23-0x0000000000400000-0x000000000041A000-memory.dmp — Filesize
104KB
-
memory/4120-19-0x0000000000890000-0x0000000000896000-memory.dmp — Filesize
24KB
-
memory/5056-26-0x0000000000540000-0x0000000000546000-memory.dmp — Filesize
24KB
-
memory/5056-898-0x0000000000400000-0x000000000041A000-memory.dmp — Filesize
104KB
-
memory/5056-6374-0x0000000000400000-0x000000000041A000-memory.dmp — Filesize
104KB
-
memory/5056-49642-0x0000000000400000-0x000000000041A000-memory.dmp — Filesize
104KB
-
memory/5056-58927-0x0000000000400000-0x000000000041A000-memory.dmp — Filesize
104KB