mimic | a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455

Analysis

max time kernel
148s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

240110-pf835afbdr.exe
Size

3.2MB
MD5

6d44f8f3c1608e5958b40f9c6d7b6718
SHA1

9203ad3b6ffb7732591ef560965566555bce9d82
SHA256

a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455
SHA512

656eb44b563705e1045b6a881b4f8a462ecf3bb8b2421cb18dfa21421629f7af92fe4b72736edfe3fea2ea13bef84f5faab5a78b8ef2b4f656a9055d0c4a22bd
SSDEEP

98304:wgwRevguPPFpugyxQkvA51nFbk+kUwWlGroD+1f:wgtv7ov5vqbk++AGkD+1f

Score

10^/10

mimic evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Detects Mimic ransomware 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015c2d-29.dat	family_mimic
behavioral1/files/0x0009000000015c2d-31.dat	family_mimic

Mimic
Ransomware family was first exploited in the wild in 2022.
ransomware mimic

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	DC.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	YOURDATA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	YOURDATA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	YOURDATA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	YOURDATA.exe

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015c2d-29.dat	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/files/0x0009000000015c2d-31.dat	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects command variations typically used by ransomware 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015c2d-29.dat	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/files/0x0009000000015c2d-31.dat	INDICATOR_SUSPICIOUS_GENRansomware

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015c2d-29.dat	INDICATOR_SUSPICIOUS_USNDeleteJournal
behavioral1/files/0x0009000000015c2d-31.dat	INDICATOR_SUSPICIOUS_USNDeleteJournal

Detects executables containing commands for clearing Windows Event Logs 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015c2d-29.dat	INDICATOR_SUSPICIOUS_ClearWinLogs
behavioral1/files/0x0009000000015c2d-31.dat	INDICATOR_SUSPICIOUS_ClearWinLogs

Renames multiple (3968) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\benetns.exe	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Creative Cloud.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\httpd.exe	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qbupdate.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAgui.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tv_w32.exe	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsa_service.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\benetns.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld.exe	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocssd.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpython.exe	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchApp.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbeng50.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fdhost.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\java.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VeeamDeploymentSvc.exe	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iisadmin.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutodeskDesktopApp.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeamViewer.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeamViewer_Service.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServerView.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SimplyConnectionManager.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ssms.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbirdconfig.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\encsvc.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbguard.exe	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsDtSrvr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pvlsvr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bedbh.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydesktopqos.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchProtocolHost.exe	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydesktopservice.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld-nt.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServer.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beserver.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBW32.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine_x86.exe	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlagent.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iisadmin.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBW64.exe	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xfssvccon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msftesql-exchange.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\httpd.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isqlplussvc.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocssd.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\node.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbserver.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\python.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlbrowser.exe	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlservr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tomcat6.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isqlplussvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydesktopqos.exe	YOURDATA.exe

Deletes itself 1 IoCs

pid	Process
2060	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2560	7za.exe
2496	7za.exe
2804	3usdaa.exe
2928	YOURDATA.exe
2796	DC.exe
2096	YOURDATA.exe
1728	YOURDATA.exe
2428	YOURDATA.exe
484	Everything.exe

Loads dropped DLL 19 IoCs

pid	Process
2304	240110-pf835afbdr.exe
2304	240110-pf835afbdr.exe
2304	240110-pf835afbdr.exe
2804	3usdaa.exe
2804	3usdaa.exe
2928	YOURDATA.exe
2724	cmd.exe
2096	YOURDATA.exe
1728	YOURDATA.exe
2428	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"	3usdaa.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	3usdaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	3usdaa.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\exefile\shell\open\command	3usdaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	YOURDATA.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\exefile\shell\open\command	YOURDATA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"	YOURDATA.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\exefile\shell	3usdaa.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\exefile\shell\open	3usdaa.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	YOURDATA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	DC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOURDATA = "\"C:\\Users\\Admin\\AppData\\Local\\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\\YOURDATA.exe\" "	3usdaa.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	YOURDATA.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	Everything.exe
File opened (read-only)	\??\N:	Everything.exe
File opened (read-only)	\??\P:	Everything.exe
File opened (read-only)	\??\S:	Everything.exe
File opened (read-only)	\??\T:	Everything.exe
File opened (read-only)	\??\U:	Everything.exe
File opened (read-only)	\??\V:	Everything.exe
File opened (read-only)	\??\W:	Everything.exe
File opened (read-only)	\??\A:	Everything.exe
File opened (read-only)	\??\G:	Everything.exe
File opened (read-only)	\??\L:	Everything.exe
File opened (read-only)	\??\M:	Everything.exe
File opened (read-only)	\??\O:	Everything.exe
File opened (read-only)	\??\Y:	Everything.exe
File opened (read-only)	\??\I:	Everything.exe
File opened (read-only)	\??\J:	Everything.exe
File opened (read-only)	\??\R:	Everything.exe
File opened (read-only)	\??\Z:	Everything.exe
File opened (read-only)	\??\E:	Everything.exe
File opened (read-only)	\??\H:	Everything.exe
File opened (read-only)	\??\K:	Everything.exe
File opened (read-only)	\??\Q:	Everything.exe
File opened (read-only)	\??\X:	Everything.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	DC.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	DC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\MSBuild\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png.getmydata@list.ru.3000USDAA	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[email protected]	YOURDATA.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\[email protected]	YOURDATA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\exefile	3usdaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open	YOURDATA.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	3usdaa.exe
Key created	\REGISTRY\MACHINE\Software\Classes\mimicfile\shell\open\command	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile	YOURDATA.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\exefile\shell\open\command	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\----Read-Me-----.txt\""	YOURDATA.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\exefile\shell\open\command	3usdaa.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\exefile\shell	3usdaa.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	YOURDATA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.3000USDAA	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3000USDAA\ = "mimicfile"	YOURDATA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	3usdaa.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\exefile\shell\open	3usdaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"	3usdaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	DC.exe
2796	DC.exe
2796	DC.exe
2796	DC.exe
1728	YOURDATA.exe
2428	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
2928	YOURDATA.exe
832	powershell.exe
2860	powershell.exe
912	powershell.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe
1728	YOURDATA.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2560	7za.exe
Token: 35	2560	7za.exe
Token: SeRestorePrivilege	2496	7za.exe
Token: 35	2496	7za.exe
Token: SeSecurityPrivilege	2496	7za.exe
Token: SeSecurityPrivilege	2496	7za.exe
Token: SeIncreaseQuotaPrivilege	2804	3usdaa.exe
Token: SeSecurityPrivilege	2804	3usdaa.exe
Token: SeTakeOwnershipPrivilege	2804	3usdaa.exe
Token: SeLoadDriverPrivilege	2804	3usdaa.exe
Token: SeSystemProfilePrivilege	2804	3usdaa.exe
Token: SeSystemtimePrivilege	2804	3usdaa.exe
Token: SeProfSingleProcessPrivilege	2804	3usdaa.exe
Token: SeIncBasePriorityPrivilege	2804	3usdaa.exe
Token: SeCreatePagefilePrivilege	2804	3usdaa.exe
Token: SeBackupPrivilege	2804	3usdaa.exe
Token: SeRestorePrivilege	2804	3usdaa.exe
Token: SeShutdownPrivilege	2804	3usdaa.exe
Token: SeDebugPrivilege	2804	3usdaa.exe
Token: SeSystemEnvironmentPrivilege	2804	3usdaa.exe
Token: SeChangeNotifyPrivilege	2804	3usdaa.exe
Token: SeRemoteShutdownPrivilege	2804	3usdaa.exe
Token: SeUndockPrivilege	2804	3usdaa.exe
Token: SeManageVolumePrivilege	2804	3usdaa.exe
Token: SeImpersonatePrivilege	2804	3usdaa.exe
Token: SeCreateGlobalPrivilege	2804	3usdaa.exe
Token: 33	2804	3usdaa.exe
Token: 34	2804	3usdaa.exe
Token: 35	2804	3usdaa.exe
Token: SeIncreaseQuotaPrivilege	2928	YOURDATA.exe
Token: SeSecurityPrivilege	2928	YOURDATA.exe
Token: SeTakeOwnershipPrivilege	2928	YOURDATA.exe
Token: SeLoadDriverPrivilege	2928	YOURDATA.exe
Token: SeSystemProfilePrivilege	2928	YOURDATA.exe
Token: SeSystemtimePrivilege	2928	YOURDATA.exe
Token: SeProfSingleProcessPrivilege	2928	YOURDATA.exe
Token: SeIncBasePriorityPrivilege	2928	YOURDATA.exe
Token: SeCreatePagefilePrivilege	2928	YOURDATA.exe
Token: SeBackupPrivilege	2928	YOURDATA.exe
Token: SeRestorePrivilege	2928	YOURDATA.exe
Token: SeShutdownPrivilege	2928	YOURDATA.exe
Token: SeDebugPrivilege	2928	YOURDATA.exe
Token: SeSystemEnvironmentPrivilege	2928	YOURDATA.exe
Token: SeChangeNotifyPrivilege	2928	YOURDATA.exe
Token: SeRemoteShutdownPrivilege	2928	YOURDATA.exe
Token: SeUndockPrivilege	2928	YOURDATA.exe
Token: SeManageVolumePrivilege	2928	YOURDATA.exe
Token: SeImpersonatePrivilege	2928	YOURDATA.exe
Token: SeCreateGlobalPrivilege	2928	YOURDATA.exe
Token: 33	2928	YOURDATA.exe
Token: 34	2928	YOURDATA.exe
Token: 35	2928	YOURDATA.exe
Token: SeDebugPrivilege	2796	DC.exe
Token: SeAssignPrimaryTokenPrivilege	2796	DC.exe
Token: SeIncreaseQuotaPrivilege	2796	DC.exe
Token: 0	2796	DC.exe
Token: SeIncreaseQuotaPrivilege	2096	YOURDATA.exe
Token: SeSecurityPrivilege	2096	YOURDATA.exe
Token: SeTakeOwnershipPrivilege	2096	YOURDATA.exe
Token: SeLoadDriverPrivilege	2096	YOURDATA.exe
Token: SeSystemProfilePrivilege	2096	YOURDATA.exe
Token: SeSystemtimePrivilege	2096	YOURDATA.exe
Token: SeProfSingleProcessPrivilege	2096	YOURDATA.exe
Token: SeIncBasePriorityPrivilege	2096	YOURDATA.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
484	Everything.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2560	2304	240110-pf835afbdr.exe	28
PID 2304 wrote to memory of 2560	2304	240110-pf835afbdr.exe	28
PID 2304 wrote to memory of 2560	2304	240110-pf835afbdr.exe	28
PID 2304 wrote to memory of 2560	2304	240110-pf835afbdr.exe	28
PID 2304 wrote to memory of 2496	2304	240110-pf835afbdr.exe	30
PID 2304 wrote to memory of 2496	2304	240110-pf835afbdr.exe	30
PID 2304 wrote to memory of 2496	2304	240110-pf835afbdr.exe	30
PID 2304 wrote to memory of 2496	2304	240110-pf835afbdr.exe	30
PID 2304 wrote to memory of 2804	2304	240110-pf835afbdr.exe	32
PID 2304 wrote to memory of 2804	2304	240110-pf835afbdr.exe	32
PID 2304 wrote to memory of 2804	2304	240110-pf835afbdr.exe	32
PID 2304 wrote to memory of 2804	2304	240110-pf835afbdr.exe	32
PID 2804 wrote to memory of 2928	2804	3usdaa.exe	33
PID 2804 wrote to memory of 2928	2804	3usdaa.exe	33
PID 2804 wrote to memory of 2928	2804	3usdaa.exe	33
PID 2804 wrote to memory of 2928	2804	3usdaa.exe	33
PID 2928 wrote to memory of 2724	2928	YOURDATA.exe	34
PID 2928 wrote to memory of 2724	2928	YOURDATA.exe	34
PID 2928 wrote to memory of 2724	2928	YOURDATA.exe	34
PID 2928 wrote to memory of 2724	2928	YOURDATA.exe	34
PID 2724 wrote to memory of 2796	2724	cmd.exe	36
PID 2724 wrote to memory of 2796	2724	cmd.exe	36
PID 2724 wrote to memory of 2796	2724	cmd.exe	36
PID 2724 wrote to memory of 2796	2724	cmd.exe	36
PID 2928 wrote to memory of 2096	2928	YOURDATA.exe	37
PID 2928 wrote to memory of 2096	2928	YOURDATA.exe	37
PID 2928 wrote to memory of 2096	2928	YOURDATA.exe	37
PID 2928 wrote to memory of 2096	2928	YOURDATA.exe	37
PID 2928 wrote to memory of 1728	2928	YOURDATA.exe	38
PID 2928 wrote to memory of 1728	2928	YOURDATA.exe	38
PID 2928 wrote to memory of 1728	2928	YOURDATA.exe	38
PID 2928 wrote to memory of 1728	2928	YOURDATA.exe	38
PID 2928 wrote to memory of 2428	2928	YOURDATA.exe	39
PID 2928 wrote to memory of 2428	2928	YOURDATA.exe	39
PID 2928 wrote to memory of 2428	2928	YOURDATA.exe	39
PID 2928 wrote to memory of 2428	2928	YOURDATA.exe	39
PID 2928 wrote to memory of 484	2928	YOURDATA.exe	41
PID 2928 wrote to memory of 484	2928	YOURDATA.exe	41
PID 2928 wrote to memory of 484	2928	YOURDATA.exe	41
PID 2928 wrote to memory of 484	2928	YOURDATA.exe	41
PID 2304 wrote to memory of 2060	2304	240110-pf835afbdr.exe	42
PID 2304 wrote to memory of 2060	2304	240110-pf835afbdr.exe	42
PID 2304 wrote to memory of 2060	2304	240110-pf835afbdr.exe	42
PID 2304 wrote to memory of 2060	2304	240110-pf835afbdr.exe	42
PID 2928 wrote to memory of 2212	2928	YOURDATA.exe	44
PID 2928 wrote to memory of 2212	2928	YOURDATA.exe	44
PID 2928 wrote to memory of 2212	2928	YOURDATA.exe	44
PID 2928 wrote to memory of 2212	2928	YOURDATA.exe	44
PID 2928 wrote to memory of 2868	2928	YOURDATA.exe	45
PID 2928 wrote to memory of 2868	2928	YOURDATA.exe	45
PID 2928 wrote to memory of 2868	2928	YOURDATA.exe	45
PID 2928 wrote to memory of 2868	2928	YOURDATA.exe	45
PID 2928 wrote to memory of 1340	2928	YOURDATA.exe	47
PID 2928 wrote to memory of 1340	2928	YOURDATA.exe	47
PID 2928 wrote to memory of 1340	2928	YOURDATA.exe	47
PID 2928 wrote to memory of 1340	2928	YOURDATA.exe	47
PID 2928 wrote to memory of 1800	2928	YOURDATA.exe	49
PID 2928 wrote to memory of 1800	2928	YOURDATA.exe	49
PID 2928 wrote to memory of 1800	2928	YOURDATA.exe	49
PID 2928 wrote to memory of 1800	2928	YOURDATA.exe	49
PID 2928 wrote to memory of 3040	2928	YOURDATA.exe	51
PID 2928 wrote to memory of 3040	2928	YOURDATA.exe	51
PID 2928 wrote to memory of 3040	2928	YOURDATA.exe	51
PID 2928 wrote to memory of 3040	2928	YOURDATA.exe	51

System policy modification 1 TTPs 11 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	YOURDATA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection	YOURDATA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System	YOURDATA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	YOURDATA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	YOURDATA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1"	YOURDATA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	YOURDATA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	YOURDATA.exe

C:\Users\Admin\AppData\Local\Temp\240110-pf835afbdr.exe
"C:\Users\Admin\AppData\Local\Temp\240110-pf835afbdr.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p58042791667523172 Everything64.dll
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3usdaa.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3usdaa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
    "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe"
    3⤵
    - UAC bypass
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c DC.exe /D
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\DC.exe
        
        DC.exe /D
        5⤵
        Modifies security service
        Executes dropped EXE
        Windows security modification
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
  - - C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
      "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e watch -pid 2928 -!
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2096
  - - C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
      "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e ul1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:1728
  - - C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
      "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e ul2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2428
  - - C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe
      "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe" -startup
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious use of SetWindowsHookEx
      PID:484
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -H off
      4⤵
      PID:2212
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      4⤵
      PID:2868
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      4⤵
      PID:1340
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      4⤵
      PID:1800
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      4⤵
      PID:3040
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      4⤵
      PID:1080
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      4⤵
      PID:896
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      4⤵
      PID:1944
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      4⤵
      PID:1548
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      4⤵
      PID:2188
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      4⤵
      PID:420
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      4⤵
      PID:1084
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      4⤵
      PID:1748
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
      4⤵
      PID:1488
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
      4⤵
      PID:1496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:2060

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\----Read-Me-----.txt

Filesize
846B

MD5
857f599e7684d7cd3ca414b6963cbb76

SHA1
e45ed07c4483acafc44a11ef28a0d30e8f05c4cb

SHA256
2c490f3fa7c7b1984196487d87c2821e1ca7f6043987d977fc7e9a66a5622e89

SHA512
b6b0d94c7b12bc089c3c9f3a4fef6d3157f57ada42be7b310bdd4104855d5562f93cd32b130c81742887f588ac8d5bc9e50fb5c7128d90db18731dca4468c363

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
206B

MD5
4ee202fa29574cc578fab4fd1cf1037a

SHA1
c70d6e5531ced02240435505b10bba5c34b7f16c

SHA256
845b9a407eca22fc148fce1fa63e0dda4d77b667a38d24944feee92be81fae86

SHA512
6e1e994d58d48c56728441d1de28eb758c166d113c799a44eccd7ccc493ba65c33e2fd70d19f8da5336b03a188baab84ca6ea0a06989ae83d15536db242060b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3usdaa.exe

Filesize
1.5MB

MD5
4ebe75a590bf27eaed6a7fc301b9893f

SHA1
8005397afc8bf9e2ff32e50656d981500d3570e2

SHA256
431b0e6f12e74a39f39c7004d6a94c730ca22d745502dc838dfe6727ab381280

SHA512
b8eded57b8c1fc0445670f7691cd82956f12f3ef8a5936d46a9d8622438567c7d32e015ddca38b1849a9c379f7fc43949adc731c40d216e4b11596b7923142f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3usdaa.exe

Filesize
2.9MB

MD5
a02157550bc9b491fd03cad394ccdfe7

SHA1
108b7428e779d5caa7854a1a4dfa5ca42f292f04

SHA256
a15d1311e02cffd67a0db25cb0d6b2ccd3fc457d0bd76d7d2a4a462bbad6356a

SHA512
bea12edb6be3921ed25b4b3210ff53f8224c35c3d789864fc86991db972e0a3066af9d5891814153a6091c9dad4deedf3f0879a4dd632e3398864c9f2b6d1022

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DC.exe

Filesize
802KB

MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe

Filesize
1.7MB

MD5
c44487ce1827ce26ac4699432d15b42a

SHA1
8434080fad778057a50607364fee8b481f0feef8

SHA256
4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

SHA512
a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini

Filesize
548B

MD5
742c2400f2de964d0cce4a8dabadd708

SHA1
c452d8d4c3a82af4bc57ca8a76e4407aaf90deca

SHA256
2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01

SHA512
63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini

Filesize
550B

MD5
51014c0c06acdd80f9ae4469e7d30a9e

SHA1
204e6a57c44242fad874377851b13099dfe60176

SHA256
89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5

SHA512
79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll

Filesize
84KB

MD5
3b03324537327811bbbaff4aafa4d75b

SHA1
1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

SHA256
8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

SHA512
ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll

Filesize
2.3MB

MD5
c576119a8bae4d63560ee48893aced8f

SHA1
7c46e928379715faa8ac3fb381264f86fcb17ef8

SHA256
69d9d97db25a2058c3ad1809356b8e61252e5884dc8122f1a942bf9afa5b1913

SHA512
93e1e7eb9d0fd6a6c7c8f2183345d2e17d68748ec0a6e2b1406a3fcf01843ea099680400438ba390001673b9d964bbd2be22f45e0b5bc48b71b1b057673f5d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe

Filesize
350KB

MD5
803df907d936e08fbbd06020c411be93

SHA1
4aa4b498ae037a2b0479659374a5c3af5f6b8d97

SHA256
e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

SHA512
5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5d3e30000d2231ef972ab68d5ee7b7cf

SHA1
5a2d2f3cd5efaebd4d4b3db2fe289fcec7dedd80

SHA256
7f0a47b6fab4fa2a62f0e94d08b2b26e0f28020560e53fe581730d599ef285b3

SHA512
33a3c606e5c951e56e00a5a147dada46e44a8382b37f301c31539e4259bbf0a1531866a5d3d0fdc3bc5d70454f60e89de084f12c9991835a39ef531940e48e46

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\temp\MIMIC_LOG.txt

Filesize
31KB

MD5
ae2504ce50ac84c27fba4f02d62b5df0

SHA1
ad49c44824f4ea2ad6ab2f789d45c25c75339de4

SHA256
d089b50c46f986e5cd2f5d3e23b885beefcc896fb196045e7a175bda85bd33ef

SHA512
2dabb413b73d44d2f7eb10d2c91d1f1b55fe9f2853899a7dccef03592111a4624d6f43fbc2d55867f9dd8149aea8a4bb17b14f5e419b717f8928c394838be3b0

Download Submit
C:\temp\MIMIC_LOG.txt

Filesize
31KB

MD5
fc0a2b36dc01210249e0830f009b8859

SHA1
8206ceff65c9465ac95f428be480f8f3ef7c12e9

SHA256
30f56b3bd9c0c42719d4421e135f4195cb8a7b82adedb24b1fcbdb43eb1eb523

SHA512
4e78be65dc37f81c3b9fdb7d836a6bd6865cb256b9d87b5acb08cb66d68ece4ac726cf6cc48abe38d20505f17dfb084775fdab4af8d36784a0307cb6f1bf346a

Download Submit
C:\temp\session.tmp

Filesize
32B

MD5
06528beff445b389c4c08410e2262214

SHA1
4bae3ecd087f96e43e0ed6b502b5e792d1059190

SHA256
f3910d6a3eeb1d6998693983492085aebb350adba13dcb6d9758b375e753d7f4

SHA512
78056763b388a770a062ccb83fe0f80653f2557ea86d81cff0c11ff90784e6702771f74834a49be4274bad022fda75e8532d082199ef37180d697dcbac2e2ce8

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe

Filesize
772KB

MD5
b93eb0a48c91a53bda6a1a074a4b431e

SHA1
ac693a14c697b1a8ee80318e260e817b8ee2aa86

SHA256
ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

SHA512
732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

Download Submit
\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe

Filesize
1.1MB

MD5
bab35bf7d9e3f484fd02f39b834a3e71

SHA1
c6bc4d18ec8c5cd259cb585c4f8529d26efcea9f

SHA256
f08c1a04b9ced1ab1c84892203bdbcf95732581b7d94391fc78d9c9c1c2faff6

SHA512
498f70789a8669733b996141a925eed59528796ad01357ef62637370375ce412874b814434edbabe3ac1b4c5227b827e08d1d7e3d2f024e38988236f6dc7d32b

Download Submit
\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe

Filesize
128KB

MD5
4bf69a85fde4982ccf70c201fd1348ce

SHA1
11d1f6af867165c353a29fd109e327f77f661aa1

SHA256
7f4dd35607942c4a5afaa19e613b522f384ad0f24d5af1e5b24b09ea21994925

SHA512
5079c7b0fc42440d0aa98fcaabc4f1ca20e9ac6a4fba7aa15f19e1dabfd37bd4e82aff016217c9b326df080e8bb7e7faf82955a42e0ace103705e263f7e7d231

Download Submit
memory/832-143-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/832-142-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/832-139-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/832-140-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/832-146-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/832-141-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/832-151-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/832-152-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/912-154-0x00000000029AB000-0x0000000002A12000-memory.dmp

Filesize
412KB

Download
memory/912-150-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/912-144-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/912-147-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2860-153-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2860-155-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2860-145-0x000007FEF5260000-0x000007FEF5BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-148-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2860-1270-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2860-149-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download