Analysis
max time kernel: 590s
max time network: 601s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-01-2024 13:21
Static task: static1
Behavioral task: behavioral1
  Sample: a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe
  Resource: win10v2004-20231215-en
General
Target: a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe
Size: 3.2MB
MD5: 6d44f8f3c1608e5958b40f9c6d7b6718
SHA1: 9203ad3b6ffb7732591ef560965566555bce9d82
SHA256: a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455
SHA512: 656eb44b563705e1045b6a881b4f8a462ecf3bb8b2421cb18dfa21421629f7af92fe4b72736edfe3fea2ea13bef84f5faab5a78b8ef2b4f656a9055d0c4a22bd
SSDEEP: 98304:wgwRevguPPFpugyxQkvA51nFbk+kUwWlGroD+1f:wgtv7ov5vqbk++AGkD+1f
Malware Config
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | YOURDATA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | YOURDATA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | YOURDATA.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | YOURDATA.exe
Clears Windows event logs 1 TTPs 3 IoCs
pid | Process
3328 | wevtutil.exe
1828 | wevtutil.exe
532 | wevtutil.exe
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
5736 | bcdedit.exe
1592 | bcdedit.exe
Renames multiple (4481) files with added filename extension
This suggests ransomware activity: the files across the system are being encrypted. The appended extension visible in the file IoCs below is .getmydata@list.ru.3000USDAA, so the attacker contact address is embedded in every renamed file name.
pid | Process
3128 | wbadmin.exe
pid | Process
4752 | wbadmin.exe
Sets file execution options in registry 2 TTPs 64 IoCs
All 64 entries are written by YOURDATA.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image name>. A Debugger value there makes Windows start the named "debugger" instead of the program every time that image is launched; pointing it at C:\Windows\System32\Systray.exe, which does not run the original program, neuters the listed process-management, monitoring, backup, database and remote-access tools for as long as the values exist. Note that several sections of this report stop at exactly 64 entries, which is the display cap, so the real lists are probably longer.
description | ioc (subkey under ...\Image File Execution Options\) | Process
Key created (33 subkeys): dbsnmp.exe, httpd.exe, RAgui.exe, VeeamDeploymentSvc.exe, wsqmcons.exe, MsDtSrvr.exe, mydesktopservice.exe, ocssd.exe, Raccine.exe, sqlservr.exe, CompatTelRunner.exe, QBIDPService.exe, vsnapvss.exe, SearchIndexer.exe, EnterpriseClient.exe, QBDBMgr.exe, sqlmangr.exe, SearchApp.exe, mydesktopqos.exe, sqbcoreservice.exe, tbirdconfig.exe, raw_agent_svc.exe, QBW32.exe, wsa_service.exe, ocautoupds.exe, sql.exe, Sysmon64.exe, AutodeskDesktopApp.exe, bengien.exe, fbguard.exe, QBW64.exe, TeamViewer.exe, taskmgr.exe | YOURDATA.exe
Set value (str) <subkey>\Debugger = "C:\\Windows\\System32\\Systray.exe" (31 subkeys): QBW32.exe, tasklist.exe, dbeng50.exe, fbserver.exe, sql.exe, sqlmangr.exe, outlook.exe, Raccine.exe, sqlwriter.exe, SearchApp.exe, QBIDPService.exe, Sysmon.exe, tv_w32.exe, encsvc.exe, httpd.exe, tv_x64.exe, axlbridge.exe, fbguard.exe, agntsvc.exe, msftesql.exe, RaccineSettings.exe, wxServerView.exe, beserver.exe, iisadmin.exe, taskkill.exe, oracle.exe, python.exe, sqbcoreservice.exe, TeamViewer.exe, TeamViewer_Service.exe, ocssd.exe | YOURDATA.exe
Executes dropped EXE 12 IoCs
pid | Process
4620 | 7za.exe
4268 | 7za.exe
1984 | powercfg.exe
4532 | YOURDATA.exe
1188 | DC.exe
4420 | YOURDATA.exe
4492 | YOURDATA.exe
1252 | YOURDATA.exe
3036 | Everything.exe
4724 | Everything.exe
5940 | xdel.exe
5960 | xdel.exe
7za.exe runs first, twice, directly under the submission launcher; the other dropped binaries follow it. powercfg.exe here is a dropped file, not the Windows power-configuration utility of the same name, and it is the parent of the first YOURDATA.exe instance (pid 4532, see the WriteProcessMemory section).
Loads dropped DLL 5 IoCs
pid | Process
1984 | powercfg.exe
4532 | YOURDATA.exe
4420 | YOURDATA.exe
4492 | YOURDATA.exe
1252 | YOURDATA.exe
Modifies system executable filetype association 2 TTPs 10 IoCs
The value written, "%1" %*, is the Windows default open command for exefile; the signature fires because both the machine and the user Classes hive are rewritten, not because the command itself was changed. Treat it as a marker of the sample's activity rather than as a persistence point.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\exefile\shell\open | powercfg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | YOURDATA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | YOURDATA.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | powercfg.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\exefile\shell\open\command | powercfg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | powercfg.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\exefile\shell\open\command | YOURDATA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | YOURDATA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | powercfg.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\exefile\shell | powercfg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
The first value relaunches the payload from a GUID-named folder under the user's AppData\Local at logon; the second opens the ransom note in notepad.exe at every logon.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOURDATA = "\"C:\\Users\\Admin\\AppData\\Local\\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\\YOURDATA.exe\" " | powercfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOURDATA.exe = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\----Read-Me-----.txt\"" | YOURDATA.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | YOURDATA.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: through \??\Z:, every letter except C:, D: and F: (23 letters, each listed twice, 46 IoCs in total) | Everything.exe
Drops file in Program Files directory 64 IoCs
All entries are "File opened for modification" by YOURDATA.exe. Where the page shows "[email protected]", the original file name (which contained the attacker address getmydata@list.ru) was replaced by the page's e-mail obfuscation and only the directory survives.
C:\Program Files\Java\jdk-1.8\jre\legal\jdk\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\[email protected]
C:\Program Files\Java\jre-1.8\legal\jdk\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\[email protected]
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - [email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\[email protected]
C:\Program Files\Microsoft Office\root\Templates\1033\[email protected]
C:\Program Files\Java\jdk-1.8\jre\legal\jdk\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\[email protected]
C:\Program Files\Common Files\microsoft shared\ClickToRun\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files\Microsoft Office\root\vfs\System\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files\Java\jdk-1.8\jre\lib\[email protected]
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fr_135x40.svg.getmydata@list.ru.3000USDAA
C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.getmydata@list.ru.3000USDAA
C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.getmydata@list.ru.3000USDAA
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\[email protected]
C:\Program Files\Java\jre-1.8\legal\jdk\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.getmydata@list.ru.3000USDAA
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.getmydata@list.ru.3000USDAA
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files\Microsoft Office\root\Office16\1033\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\[email protected]
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle [email protected]
C:\Program Files\Microsoft Office\root\Office16\Bibliography\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\[email protected]
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\[email protected]
C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.getmydata@list.ru.3000USDAA
C:\Program Files\Microsoft Office\root\Office16\LogoImages\[email protected]
C:\Program Files\Common Files\System\msadc\[email protected]
C:\Program Files\VideoLAN\VLC\lua\intf\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoInternetConnection_120x80.svg.getmydata@list.ru.3000USDAA
C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\[email protected]
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\[email protected]
C:\Program Files\Microsoft Office\root\Office16\1033\[email protected]
C:\Program Files\Microsoft Office\root\Office16\1033\[email protected]
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\[email protected]
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.getmydata@list.ru.3000USDAA
C:\Program Files\Java\jdk-1.8\legal\jdk\[email protected]
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | wbadmin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Modifies registry class 19 IoCs
The .3000USDAA extension is mapped to a new "mimicfile" class whose open command launches notepad.exe on the ransom note, so double-clicking any encrypted file displays the note. The exefile rows repeat the default "%1" %* open command listed under the filetype-association signature above.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open | YOURDATA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | powercfg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | YOURDATA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | YOURDATA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\----Read-Me-----.txt\"" | YOURDATA.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.3000USDAA | YOURDATA.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | powercfg.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\exefile\shell\open | powercfg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\mimicfile\shell\open\command | YOURDATA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | powercfg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile | YOURDATA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.3000USDAA\ = "mimicfile" | YOURDATA.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\exefile\shell\open\command | powercfg.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\exefile | powercfg.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\exefile\shell | powercfg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command | YOURDATA.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\exefile\shell\open\command | YOURDATA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | YOURDATA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell | YOURDATA.exe
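The following host-triage script is an added example; it is not part of this sandbox report and not code from the sample. It turns the registry and file artifacts the report attributes to YOURDATA.exe and powercfg.exe (the UAC policy values, the Image File Execution Options Debugger entries, the Run values, the .3000USDAA/mimicfile class and the renamed files) into a read-only check against a live Windows host. The scan root parameter and the ransom extension string '.getmydata@list.ru.3000USDAA' (taken from the surviving file IoCs) are assumptions, not values the report states directly.

```powershell
<#
  Added host-triage script (example, not from the sandbox report or the
  sample). Checks a live Windows host for the artifacts the report lists and
  prints what it finds. Read-only: nothing is removed or changed.
  Run from an elevated PowerShell; the drive walk in step 5 is slow.
  Assumptions not taken from the report: -ScanRoot and the exact -RansomExt
  string, which is reconstructed from the surviving file IoCs.
#>
param(
    [string]$ScanRoot  = "$env:SystemDrive\",
    [string]$RansomExt = '.getmydata@list.ru.3000USDAA'
)

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding {
    param([string]$Check, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Image File Execution Options. A Debugger value makes Windows start that
#    path instead of the named image. Every Debugger value is reported; one
#    pointing at Systray.exe is the exact sink this report shows for
#    taskmgr, tasklist, taskkill, Sysmon, Raccine, backup and database tools.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $tag = if ($dbg -match 'Systray\.exe') { 'IFEO Debugger (Systray sink)' } else { 'IFEO Debugger' }
        Add-Finding $tag ('{0} -> {1}' -f $key.PSChildName, $dbg)
    }
}

# 2. UAC policy values the sample writes as 0. EnableLUA=0 switches UAC off
#    at the next reboot; the other three silence the elevation prompt.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop') {
    $v = (Get-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v -and $v -eq 0) { Add-Finding 'UAC policy' "$name = 0" }
}

# 3. Run values: the payload copy under a GUID folder in AppData\Local and
#    the notepad.exe launch of the ransom note.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'YOURDATA*' -or "$($p.Value)" -like '*Read-Me*') {
            Add-Finding 'Run key' ('{0} = {1}' -f $p.Name, $p.Value)
        }
    }
}

# 4. File-class hijack: .3000USDAA -> mimicfile -> notepad.exe on the note.
$ext = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\.3000USDAA' -ErrorAction SilentlyContinue
if ($ext) { Add-Finding 'File class' ('.3000USDAA -> {0}' -f $ext.'(default)') }
$cmd = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\mimicfile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($cmd) { Add-Finding 'File class' "mimicfile open command = $cmd" }

# 5. Encrypted-file inventory. The extension is appended to the original
#    name, so stripping it recovers the pre-encryption path for a restore list.
$enc = @(Get-ChildItem -Path $ScanRoot -Recurse -File -Filter "*$RansomExt" -ErrorAction SilentlyContinue)
if ($enc.Count -gt 0) {
    $top  = $enc | Group-Object DirectoryName | Sort-Object Count -Descending | Select-Object -First 5
    $dirs = ($top | ForEach-Object { '{0} ({1})' -f $_.Name, $_.Count }) -join '; '
    Add-Finding 'Encrypted files' ('{0} files; busiest folders: {1}' -f $enc.Count, $dirs)
    $orig = $enc[0].Name.Substring(0, $enc[0].Name.Length - $RansomExt.Length)
    Add-Finding 'Encrypted files' ('example: {0} was {1}' -f $enc[0].Name, $orig)
}

if ($findings.Count -eq 0) { 'No artifacts from this report were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Save it as a .ps1 and run it with -ScanRoot pointing at each data volume. Two practical caveats follow from the report itself: while the Debugger values exist, tasklist.exe, taskkill.exe and taskmgr.exe on the host will not start, so do the process triage with Get-Process rather than those tools; and when cleaning up, remove only the Debugger value from each affected subkey (Remove-ItemProperty) rather than deleting the subkey, because legitimate IFEO subkeys can carry other settings. The report also shows the exefile keys written under the user's Classes hive, so repeat the class checks against HKU for every profile on the host.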
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4996 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
64 hits, all from the following processes (the report repeats a pid once per hit):
pid | Process
4492 | YOURDATA.exe
1252 | YOURDATA.exe
4532 | YOURDATA.exe
4848 | powershell.exe
3828 | powershell.exe
1148 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Grouped by process; the report caps the list at 64 entries, so the two later YOURDATA.exe instances are cut off mid-sequence.
description | pid | Process
Token: SeRestorePrivilege, 35 | 4620 | 7za.exe
Token: SeRestorePrivilege, 35, SeSecurityPrivilege (listed twice) | 4268 | 7za.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 1984 | powercfg.exe
Token: the same 24 privileges as pid 1984, in the same order | 4532 | YOURDATA.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege | 4420 | YOURDATA.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege | 4492 | YOURDATA.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
3036  Everything.exe
4724  Everything.exe
Suspicious use of WriteProcessMemory 64 IoCs
(Each entry reads "<pid> wrote to memory of <target pid>"; pid/Process is the writer. procid_target is the report's own index for the target process, not a Windows PID: 3usdaa.exe and the powercfg.exe invocation that later reused PID 1984 share index 160, which is how the two can be told apart. The report repeats most entries; identical consecutive entries are collapsed into one row with a count. "Process not Found" for PID 4376 is the submitted sample itself.)

pid   Process            wrote to memory of  procid_target  count
4376  Process not Found  4620                29             3
4376  Process not Found  4268                26             3
4376  Process not Found  1984                160            3
1984  powercfg.exe       4532                37             3   (PID 1984 was 3usdaa.exe at this point)
4532  YOURDATA.exe       3004                42             3
3004  cmd.exe            1188                41             3
4532  YOURDATA.exe       4420                48             3
4532  YOURDATA.exe       4492                47             3
4532  YOURDATA.exe       1252                46             3
4532  YOURDATA.exe       3036                114            3
4376  Process not Found  3780                116            3
4532  YOURDATA.exe       64                  163            2
4532  YOURDATA.exe       2872                162            2
4532  YOURDATA.exe       400                 161            2
4532  YOURDATA.exe       1984                160            2
4532  YOURDATA.exe       3236                159            2
4532  YOURDATA.exe       552                 158            2
4532  YOURDATA.exe       1028                156            2
4532  YOURDATA.exe       448                 154            2
4532  YOURDATA.exe       5108                172            2
4532  YOURDATA.exe       4900                148            2
4532  YOURDATA.exe       2284                147            2
4532  YOURDATA.exe       5008                146            2
4532  YOURDATA.exe       4108                143            2
4532  YOURDATA.exe       592                 141            2
4532  YOURDATA.exe       2500                140            2
4532  YOURDATA.exe       4848                137            1
System policy modification 1 TTPs 13 IoCs
description      ioc                                                                                                    Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1"      YOURDATA.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                              YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"               YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"    YOURDATA.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System                              YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"   YOURDATA.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = " "      YOURDATA.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection                      YOURDATA.exe
Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer                            YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  YOURDATA.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"   YOURDATA.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = (ransom note, reproduced below)  YOURDATA.exe

The legalnoticetext value is the ransom note, which Windows then shows as the logon legal notice. Line breaks are restored from the "\n" escapes in the recorded string; the three e-mail addresses and the tail of the reference code were replaced by "[email protected]" when the page was captured and cannot be recovered here:

Your data on your system has been encrypted by us....

We want you to know that you will not get your data back with the usual data recovery methods...

We will restore your data for 3000 dollars.

You can send an e-mail with your reference code below

We Do Not Negotiate 
We do not give discounts.
The price is very reasonable


######################################################################

If you contact me to ask for a discount or to negotiate, I will increase the price I offer.

######################################################################

When you send us an e-mail, please send us your reference code below

=> YOUR REFERENCE CODE <=

IFdhW_2NvypWlyuPmOjffZqx03ya8bPJXA7Ry6-vtg8*[email protected]

=> OUR E-MAIL ADDRESS <=

[email protected]
[email protected]
[email protected]
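The four Policies\System values together decide how UAC behaves after this run: EnableLUA = 0 switches UAC off at the next reboot, and until then ConsentPromptBehaviorAdmin = 0 with PromptOnSecureDesktop = 0 lets administrators elevate silently. The Python below is an added example, not code from the report or the sample: it parses registry IoC lines in the shape this report prints them (that shape is an assumption about the report's rendering, not a documented format) and turns the integers written under ...\Policies\System into a UAC assessment against the Windows 10 defaults. REPORT_LINES is the list above minus the long legalnoticetext entry.

```python
"""Parse the report's registry IoC lines and assess the UAC policy they leave behind.

Added example; not part of the sandbox report or the malware. REPORT_LINES is copied
from the "System policy modification" list (legalnoticetext omitted). The
'<op> <path>[ = "<value>"] <process>' line shape is an assumption about how the
report renders registry events.
"""
import re

LINE_RX = re.compile(
    r'^(?:Set value \((?P<type>int|str)\)|(?P<created>Key created)) '
    r'(?P<path>\\REGISTRY\\\S+)'
    r'(?: = "(?P<value>.*)")? (?P<proc>\S+)$')

# Windows 10 defaults for HKLM\...\Policies\System, used as the comparison baseline
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
            "ConsentPromptBehaviorUser": 3, "PromptOnSecureDesktop": 1}

REPORT_LINES = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" YOURDATA.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System YOURDATA.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" YOURDATA.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" YOURDATA.exe
Key created \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System YOURDATA.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" YOURDATA.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = " " YOURDATA.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection YOURDATA.exe
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer YOURDATA.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" YOURDATA.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" YOURDATA.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" YOURDATA.exe
"""


def parse_line(line):
    """One report line -> record dict, or None if it is not a registry event."""
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    if m["created"]:
        return {"op": "create", "type": None, "key": m["path"], "name": None,
                "value": None, "proc": m["proc"]}
    key, _, name = m["path"].rpartition("\\")   # split "...\Policies\System\EnableLUA"
    return {"op": "set", "type": m["type"], "key": key, "name": name,
            "value": m["value"], "proc": m["proc"]}


def parse_report(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def system_policy_values(records):
    """Integer values written under ...\\Policies\\System, keyed by value name."""
    return {r["name"]: int(r["value"]) for r in records
            if r["op"] == "set" and r["type"] == "int"
            and r["key"].lower().endswith(r"\policies\system")}


def uac_findings(values):
    """Consequences of the UAC-related values, plus the ones that differ from default."""
    findings = []
    if values.get("EnableLUA", DEFAULTS["EnableLUA"]) == 0:
        findings.append("EnableLUA=0: UAC is off after the next reboot")
    if values.get("ConsentPromptBehaviorAdmin", DEFAULTS["ConsentPromptBehaviorAdmin"]) == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate with no prompt")
    if values.get("PromptOnSecureDesktop", DEFAULTS["PromptOnSecureDesktop"]) == 0:
        findings.append("PromptOnSecureDesktop=0: any remaining prompt is on the normal desktop, "
                        "where other processes can drive it")
    if values.get("ConsentPromptBehaviorUser", DEFAULTS["ConsentPromptBehaviorUser"]) == 0:
        findings.append("ConsentPromptBehaviorUser=0: standard users' elevation requests are denied silently")
    changed = {k: v for k, v in values.items() if k in DEFAULTS and v != DEFAULTS[k]}
    return findings, changed


if __name__ == "__main__":
    values = system_policy_values(parse_report(REPORT_LINES))
    for line in uac_findings(values)[0]:
        print(line)
```

The same parser applies to the UAC-related entries listed under "UAC bypass" in the signature section, and the defaults dictionary is the place to extend if you also want to compare HidePowerOptions or AllowTelemetry against a baseline.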
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Indentation shows parent and child (the digit glued to the end of each line in the original was the tree depth). Each entry gives the command line as recorded; where that does not spell out the image path, an "image:" line follows. Flags are the report's signature names for that process. Processes the report recorded without a parent are listed at the end.

- PID 4376  "C:\Users\Admin\AppData\Local\Temp\a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe"
  - PID 4268  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p58042791667523172 Everything64.dll
      flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - PID 1984  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3usdaa.exe"
    - PID 4532  "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe"
        flags: UAC bypass; Sets file execution options in registry; Executes dropped EXE; Loads dropped DLL; Modifies system executable filetype association; Adds Run key to start application; Checks whether UAC is enabled; Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - PID 3004  cmd.exe /c DC.exe /D
          image: C:\Windows\SysWOW64\cmd.exe
          flags: Suspicious use of WriteProcessMemory
      - PID 1252  "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e ul2
          flags: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
      - PID 4492  "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e ul1
          flags: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 4420  "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e watch -pid 4532 -!
          flags: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
      - PID 3036  "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe" -startup
          flags: Executes dropped EXE; Enumerates connected drives; Suspicious use of SetWindowsHookEx
      - PID 3828  powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
          image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same for the next two)
          flags: Suspicious behavior: EnumeratesProcesses
      - PID 1148  powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
          flags: Suspicious behavior: EnumeratesProcesses
      - PID 4848  powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
          flags: Suspicious behavior: EnumeratesProcesses
      - PID 2500  powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
          image: C:\Windows\SYSTEM32\powercfg.exe (same for every powercfg.exe entry)
      - PID 592   powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
      - PID 4108  powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      - PID 5008  powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      - PID 2284  powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      - PID 4900  powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      - PID 5108  powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      - PID 448   powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      - PID 1028  powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      - PID 552   powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      - PID 3236  powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      - PID 1984  powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          flags: Executes dropped EXE; Loads dropped DLL; Modifies system executable filetype association; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          (PID 1984 was 3usdaa.exe earlier in the run; these flags belong to it, see the note on PID reuse below)
      - PID 400   powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      - PID 2872  powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      - PID 64    powercfg.exe -H off
      - PID 4752  wbadmin.exe delete catalog -quiet
          image: C:\Windows\SYSTEM32\wbadmin.exe
          flags: Deletes backup catalog
      - PID 3128  wbadmin.exe DELETE SYSTEMSTATEBACKUP
          image: C:\Windows\SYSTEM32\wbadmin.exe
          flags: Deletes System State backups; Drops file in Windows directory
      - PID 5736  bcdedit.exe /set {default} recoveryenabled no
          image: C:\Windows\SYSTEM32\bcdedit.exe
          flags: Modifies boot configuration data using bcdedit
      - PID 1592  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          image: C:\Windows\SYSTEM32\bcdedit.exe
          flags: Modifies boot configuration data using bcdedit
      - PID 4724  "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe" -startup
          flags: Executes dropped EXE; Enumerates connected drives; Suspicious use of SetWindowsHookEx
      - PID 5832  notepad.exe "C:\Users\Admin\AppData\Local\----Read-Me-----.txt"
          image: C:\Windows\SysWOW64\notepad.exe
      - PID 5960  "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\xdel.exe" -accepteula -p 1 -c F:\
          flags: Executes dropped EXE
      - PID 5940  "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\xdel.exe" -accepteula -p 1 -c C:\
          flags: Executes dropped EXE
      - PID 5576  cmd.exe /d /c "ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" & cd /d "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}" & Del /f /q /a *.exe *.ini *.dll *.bat *.db"
          image: C:\Windows\SysWOW64\cmd.exe
        - PID 2960  fsutil file setZeroData offset=0 length=20000000 "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe"
            image: C:\Windows\SysWOW64\fsutil.exe
      - PID 3328  wevtutil.exe cl application
          image: C:\Windows\SysWOW64\wevtutil.exe (same for the next two)
          flags: Clears Windows event logs
      - PID 1828  wevtutil.exe cl system
          flags: Clears Windows event logs
      - PID 532   wevtutil.exe cl security
          flags: Clears Windows event logs
  - PID 4620  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
      flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - PID 3780  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      image: C:\Windows\SysWOW64\cmd.exe

Recorded without a parent:

- PID 1188  DC.exe /D
    image: C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\DC.exe
    flags: Executes dropped EXE
    (started by cmd.exe PID 3004 above, per the WriteProcessMemory list)
- PID 4996  ping 127.2 -n 5
    image: C:\Windows\SysWOW64\PING.EXE
    flags: Runs ping.exe
    (the first command of the cmd.exe PID 5576 line above)
- PID 6040  C:\Windows\system32\vssvc.exe
- PID 5432  "C:\Windows\system32\wbengine.exe"
- PID 5124  C:\Windows\System32\vds.exe
    flags: Checks SCSI registry key(s)
- PID 5136  C:\Windows\System32\vdsldr.exe -Embedding
- PID 5108  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
- Systray.exe, 13 instances (PIDs 316, 4984, 2304, 3968, 1176, 3172, 2388, 3040, 5136, 3896, 4616, 4452, 5496), all with the same command line:
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Notes on the tree:

- Staging. The sample is a 7-Zip self-extractor: it unpacks to %TEMP%\7ZipSfx.000, runs 7za.exe to extract Everything64.dll from a password-protected archive (the password, 58042791667523172, is on the command line and is therefore recoverable from any process-creation log), runs the SFX script 7ZSfx000.cmd, and launches 3usdaa.exe, which drops YOURDATA.exe and its helpers into C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}.

- PID reuse. 3usdaa.exe ran as PID 1984 and exited; Windows later gave 1984 to one of the powercfg.exe invocations, and the report merges the two. The dropper-style flags on that powercfg entry, the "1984 powercfg.exe wrote to memory of 4532" entry and the 24-privilege powercfg.exe list all belong to 3usdaa.exe (the WriteProcessMemory table gives both the same procid_target, 160). The same happened to 5108 (powercfg.exe, then BackgroundTaskHost.exe) and 5136 (Systray.exe, then vdsldr.exe). Correlate by the report's process index, or by process GUID in your own telemetry, not by PID.

- Keeping the host awake. powercfg -S selects the High performance (8c5e7fda-...) and Ultimate Performance (e9a42b02-...) power schemes; the SETACVALUEINDEX and SETDCVALUEINDEX calls set, in the "Power buttons and lid" subgroup (4f971e89-...), the lid-close (5ca83367-...), sleep-button (96996bc0-...) and power-button (7648efa3-...) actions to 0, "Do nothing", on both AC and battery; -H off disables hibernation. With HidePowerOptions = 1 and shutdownwithoutlogon = 0 from the policy list, the machine is hard to put to sleep or shut down while encryption runs.

- Removing recovery options. wbadmin delete catalog and DELETE SYSTEMSTATEBACKUP remove the Windows Backup catalog and system-state backups; bcdedit recoveryenabled no and bootstatuspolicy ignoreallfailures stop the boot path from offering Windows RE after a failed boot. The three PowerShell commands dismount every mounted disk image, stop all Hyper-V virtual machines and dismount their VHD/VHDX files and parent differencing disks, so the image files are unlocked and can be encrypted (Get-VM and Get-VHD need the Hyper-V module and simply fail on a host without it). vssvc.exe, wbengine.exe, vds.exe and vdsldr.exe at the end of the tree are the service-side work that wbadmin and the VSS COM calls trigger.

- Anti-forensics. xdel.exe -accepteula -p 1 -c <drive> uses the argument syntax of Sysinternals SDelete (one pass, clean free space), which is consistent with a renamed copy; this is an inference, the report does not identify the binary. After that, cmd.exe waits (ping 127.2 -n 5), zeroes the first 20,000,000 bytes of YOURDATA.exe with fsutil setZeroData, deletes *.exe *.ini *.dll *.bat *.db from the drop directory, and wevtutil clears the Application, System and Security logs. Evidence of the run therefore has to come from memory, EDR telemetry or forwarded logs, not from the disk.

- DC.exe /D. The /D switch matches the disable option of the Defender Control utility, which would explain the report's Impair Defenses: Disable or Modify Tools mapping; again an inference from the command line alone.

- Everything.exe -startup together with the extracted Everything64.dll matches the voidtools Everything search tool, a fast way to enumerate every file on every volume (the process carries the "Enumerates connected drives" flag). The YOURDATA.exe -e ul1 and -e ul2 children appear to be the encryption workers and -e watch -pid 4532 a watchdog on the parent; the argument names suggest this, the report does not confirm it. The ransom note is both opened in notepad.exe (----Read-Me-----.txt) and written into legalnoticetext so it is shown at logon.
Network
MITRE ATT&CK Enterprise v15
(Counts are the report's per-technique signature hits; technique IDs are added for reference.)

Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2
  Event Triggered Execution (T1546): 1
    Change Default File Association (T1546.001): 1
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 2
  Event Triggered Execution (T1546): 1
    Change Default File Association (T1546.001): 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Impair Defenses (T1562): 1
    Disable or Modify Tools (T1562.001): 1
  Indicator Removal (T1070): 3
    File Deletion (T1070.004): 2
  Modify Registry (T1112): 5

This mapping is what the sandbox signatures produced. The process tree also shows Inhibit System Recovery (T1490: wbadmin, bcdedit), Clear Windows Event Logs (T1070.001: wevtutil cl) and, per the "Renames multiple (4481) files" signature, Data Encrypted for Impact (T1486), none of which the sandbox tagged.
Downloads
(Five files written during the run. The capture kept their sizes and hashes but not their names.)

1. 846B
   MD5:    b3cf8ba8a828ff88f26927a1471adb95
   SHA1:   7f94cc6a7bcb1ee78948c6af9b2fb56e0ca94581
   SHA256: 8ab27c97d89eda105a145bdd1efb8f7f6b8736a3afeb2dc5a142e0e377810591
   SHA512: 8b93880d3738db301e57a229b07dad04cabaae3cad457485977ffb0c0abaf45aae776bd6603e65638044dbca163871277b9be660859c63a5d32c71f9b9d34562

2. 2KB
   MD5:    d85ba6ff808d9e5444a4b369f5bc2730
   SHA1:   31aa9d96590fff6981b315e0b391b575e4c0804a
   SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
   SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

3. 944B
   MD5:    6d3e9c29fe44e90aae6ed30ccf799ca8
   SHA1:   c7974ef72264bbdf13a2793ccf1aed11bc565dce
   SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
   SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

4. 1KB
   MD5:    87dd60a6bd8b7d6c90230c57b86ab867
   SHA1:   67fdca992575b637cbebbbb5674cc16e93d9598f
   SHA256: 8ef8079a07081d4ed4376f55b8b5d3ceebd896ec9d42c1fb3e441658a93bd8ae
   SHA512: 906ad53219030c52728c96f6d94da4309e47ee3b78068ab34d8ad43945ff0fb96e502de717c5183c7db6162427e18a364ec0017dcfb12631834d381c20e990e1

5. 350KB
   MD5:    803df907d936e08fbbd06020c411be93
   SHA1:   4aa4b498ae037a2b0479659374a5c3af5f6b8d97
   SHA256: e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c
   SHA512: 5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532