Analysis
max time kernel: 114s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-03-2024 01:57
Static task: static1
Behavioral task: behavioral1
  Sample: 4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe
  Resource: win10v2004-20240226-en
General
Target: 4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe
Size: 371KB
MD5: 7e926b091935b2cf296d76500ce90ddb
SHA1: 71776753b7129a668f97702b507c0393f31d57d9
SHA256: 4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34
SHA512: 4213a9532e0495504020c3a12c6e31a910fc3d6f8a1aea1dc77a1692aa0d118e19fc254bb54885f83cf6e96a068948d3d91e59bd3fe0bd02b5663b399ddb1cf6
SSDEEP: 6144:I097gaDpav2JwnXJfE7CxJw1CB3y6tGeKI50WbIZ:JgaDQv2OZfE7S0Cty+trI
Malware Config
Extracted from: C:\$Recycle.Bin\HOW TO BACK FILES.txt
Config family: targetcompany
URLs:
  http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
  http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures

TargetCompany, Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid    Process
  2632   bcdedit.exe
  3624   bcdedit.exe

Renames multiple (3600) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                  Process
  Key value queried   \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation   4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  19     api.ipify.org

Drops file in Program Files directory (64 IoCs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  536   4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                       pid   Process
  Token: SeTakeOwnershipPrivilege   536   4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe
  Token: SeDebugPrivilege           536   4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid    Process                                                                 procid_target
  PID 536 wrote to memory of 3812    536    4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe   89
  PID 536 wrote to memory of 3812    536    4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe   89
  PID 536 wrote to memory of 3128    536    4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe   91
  PID 536 wrote to memory of 3128    536    4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe   91
  PID 3812 wrote to memory of 2632   3812   cmd.exe                                                                 93
  PID 3812 wrote to memory of 2632   3812   cmd.exe                                                                 93
  PID 3128 wrote to memory of 3624   3128   cmd.exe                                                                 96
  PID 3128 wrote to memory of 3624   3128   cmd.exe                                                                 96

System policy modification (1 TTPs, 1 IoCs)
  description       ioc                                                                                                     Process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"   4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a74aa6b5fbac25a977d2078f054d72b707aa54caa386dc90795c7983c848a34.exe"
  PID: 536
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    PID: 3812
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
      PID: 2632
      - Modifies boot configuration data using bcdedit
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    PID: 3128
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {current} recoveryenabled no
      PID: 3624
      - Modifies boot configuration data using bcdedit
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 93d5e5454c62cd52495a3fe6338ae9fa
SHA1: c14794f3028721c1d6ee40e55b81911a5a033863
SHA256: 15a9d828a93eaf4dc706fba0c97b05e7297132cbf8ebd76c7b0751f92c864f55
SHA512: 48cb0bce2c77649ec46d99d41080e1d76479adabc3252c8db3e542b1c9c4f34f996c1b4a53ffa73039f8b5b5994d96f3a1916f69f5760f458724dead290bf674