Analysis

max time kernel: 155s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-03-2024 04:13

Static task: static1
Behavioral task: behavioral1
  Sample: 240110-pf835afbdr.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 240110-pf835afbdr.exe
  Resource: win10v2004-20240226-en
General

Target: 240110-pf835afbdr.exe
Size: 3.2MB
MD5: 6d44f8f3c1608e5958b40f9c6d7b6718
SHA1: 9203ad3b6ffb7732591ef560965566555bce9d82
SHA256: a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455
SHA512: 656eb44b563705e1045b6a881b4f8a462ecf3bb8b2421cb18dfa21421629f7af92fe4b72736edfe3fea2ea13bef84f5faab5a78b8ef2b4f656a9055d0c4a22bd
SSDEEP: 98304:wgwRevguPPFpugyxQkvA51nFbk+kUwWlGroD+1f:wgtv7ov5vqbk++AGkD+1f
Malware Config
Signatures
-
Detects Mimic ransomware (6 IoCs)
Mimic is a ransomware family first observed in the wild in 2022.

yara rule family_mimic matched the following dropped files (behavioral2):
  files/0x0008000000023269-37.dat
  files/0x0005000000022d26-65.dat
  files/0x0005000000022d26-66.dat
  files/0x0005000000022d26-94.dat
  files/0x0005000000022d26-90.dat
  files/0x0005000000022d26-91.dat

The same six files also match the yara rules below (6 IoCs each). These are static string matches on the dropped files, not observed behaviour:
  INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM - Windows executables bypassing UAC using CMSTP COM interfaces, MITRE T1218.003
  INDICATOR_SUSPICIOUS_GENRansomware - command variations typically used by ransomware
  INDICATOR_SUSPICIOUS_USNDeleteJournal - anti-forensic deletion of the NTFS USN change journal, observed in ransomware
  INDICATOR_SUSPICIOUS_ClearWinLogs - commands for clearing Windows event logs

UAC policy values written by YOURDATA.exe (Set value (int)):
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"
ConsentPromptBehaviorAdmin = 0 elevates administrators without prompting, ConsentPromptBehaviorUser = 0 silently denies elevation requests from standard users, PromptOnSecureDesktop = 0 turns off the secure desktop, and EnableLUA = 0 switches UAC off altogether once the machine is rebooted.
Renames multiple (585) files with added filename extension
This is the ransomware's encryption pass: files across the system are encrypted and renamed. The appended extension visible in the file IoCs below is .getmydata@list.ru.3000USDAA (the contact address getmydata@list.ru followed by the tag 3000USDAA), and .3000USDAA is registered as a file class so that opening an encrypted file shows the ransom note (see "Modifies registry class").
Sets file execution options in registry (2 TTPs, 64 IoCs)
YOURDATA.exe writes Image File Execution Options (IFEO) entries under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. When an image name has a Debugger value, Windows starts that "debugger" with the original command line instead of the program; pointing it at C:\Windows\System32\Systray.exe means the targeted program simply never starts. Already-running instances are not affected, so this is normally paired with process termination. The targets mix security tooling (Raccine, RaccineSettings, RaccineElevatedCfg, Sysmon, Sysmon64), database, mail and backup services (mysqld, oracle, msexchange*, beserver, vsnapvss, QBDBMgrN, fbserver, sqlbrowser), remote-access and sync clients (TeamViewer, tv_x64, CoreSync) and utilities an operator or responder would reach for (tasklist, shutdown, logoff, perfmon, SearchIndexer). All 64 rows are by process YOURDATA.exe.

  Debugger = "C:\\Windows\\System32\\Systray.exe" set for (30 rows):
    fbguard.exe, fbserver.exe, python.exe, RaccineElevatedCfg.exe, CoreSync.exe, wxServerView.exe, xfssvccon.exe, SimplyConnectionManager.exe, sql.exe, msexchangeadtopology.exe, perfmon.exe, mysqld-opt.exe, CompatTelRunner.exe, msftesql-exchange.exe, AutodeskDesktopApp.exe, axlbridge.exe, benetns.exe, fdhost.exe, logoff.exe, fdlauncher.exe, tbirdconfig.exe, SearchIndexer.exe, TeamViewer.exe, vxmon.exe, MsDtSrvr.exe, wpython.exe, sqlbrowser.exe, msexchangeis.exe, Raccine_x86.exe, ocautoupds.exe

  Key created (34 rows; for the images that appear only here, just the key creation falls within the 64 rows the report shows):
    dbeng50.exe, mysqld.exe, TeamViewer.exe, tasklist.exe, sqbcoreservice.exe, msftesql.exe, ocssd.exe, RaccineElevatedCfg.exe, wpython.exe, RAgui.exe, tbirdconfig.exe, wsa_service.exe, shutdown.exe, xfssvccon.exe, SearchApp.exe, oracle.exe, msftesql-exchange.exe, CoreSync.exe, mysqld-opt.exe, tv_x64.exe, QBDBMgrN.exe, Raccine.exe, RaccineSettings.exe, CompatTelRunner.exe, outlook.exe, encsvc.exe, fbguard.exe, ocomm.exe, Sysmon.exe, vsnapvss.exe, beserver.exe, Sysmon64.exe, msexchangesa.exe, perfmon.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  240110-pf835afbdr.exe
Executes dropped EXE (9 IoCs)
  pid   Process
  2176  7za.exe
  212   7za.exe
  4020  3usdaa.exe
  4316  YOURDATA.exe
  404   DC.exe
  2176  YOURDATA.exe   (pid 2176 appears twice: the 7za.exe instance exited and Windows reassigned the pid to this YOURDATA.exe instance)
  3944  YOURDATA.exe
  4636  YOURDATA.exe
  4584  Everything.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  4020  3usdaa.exe
  4316  YOURDATA.exe
  2176  YOURDATA.exe
  3944  YOURDATA.exe
  4636  YOURDATA.exe
Modifies system executable filetype association (2 TTPs, 10 IoCs)
Both 3usdaa.exe and YOURDATA.exe create the exefile\shell\open\command key under HKLM\SOFTWARE\Classes and under the user hive and set its default value to "\"%1\" %*". That string is Windows' stock handler for .exe files, so the association is reset to the default rather than hijacked; the write itself is what trips this signature (the same keys are listed again under "Modifies registry class"). User hive below means \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes.
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"   3usdaa.exe
  Key created      <user hive>\exefile\shell\open\command   3usdaa.exe
  Key created      <user hive>\exefile\shell\open   3usdaa.exe
  Set value (str)  <user hive>\exefile\shell\open\command\ = "\"%1\" %*"   3usdaa.exe
  Key created      <user hive>\exefile\shell\open\command   YOURDATA.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command   3usdaa.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command   YOURDATA.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"   YOURDATA.exe
  Set value (str)  <user hive>\exefile\shell\open\command\ = "\"%1\" %*"   YOURDATA.exe
  Key created      <user hive>\exefile\shell   3usdaa.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report lists no individual IoCs for this signature.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOURDATA = "\"C:\\Users\\Admin\\AppData\\Local\\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\\YOURDATA.exe\" "   3usdaa.exe
The dropper 3usdaa.exe, not the payload, installs the persistence entry. It points at the copy of YOURDATA.exe placed in a GUID-named folder under %LOCALAPPDATA%, and it lands in the machine-wide Run key, which needs administrative rights.

EnableLUA set to 0 (1 IoC)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   YOURDATA.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Everything.exe opened the root of every drive letter except C:, D: and F: read-only (logged as "File opened (read-only) \??\A:" and so on): A:, B:, E:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z:
The enumeration is done by the dropped Everything.exe, the file name of the voidtools file-search tool that Mimic is known to bundle for locating files to encrypt, rather than by YOURDATA.exe itself.
Drops file in Program Files directory (64 IoCs)
Despite the signature name these are in-place modifications of existing files (encrypted and renamed), not new files. All 64 rows are "File opened for modification" by YOURDATA.exe and every path ends in the appended extension .getmydata@list.ru.3000USDAA. Entries whose filename survives on the page only as the placeholder "[email protected]" are counted rather than listed. Grouped by directory:
  C:\Program Files\Microsoft Office\root\Licenses16\ (32 rows), including:
    AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.getmydata@list.ru.3000USDAA
    Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.getmydata@list.ru.3000USDAA
    HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.getmydata@list.ru.3000USDAA
    HomeBusiness2019R_Grace-ul-oob.xrm-ms.getmydata@list.ru.3000USDAA
    HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.getmydata@list.ru.3000USDAA
    HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms.getmydata@list.ru.3000USDAA
    HomeBusiness2019R_OEM_Perp2-pl.xrm-ms.getmydata@list.ru.3000USDAA
    HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.getmydata@list.ru.3000USDAA
    Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.getmydata@list.ru.3000USDAA
    AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms.getmydata@list.ru.3000USDAA
    client-issuance-root-bridge-test.xrm-ms.getmydata@list.ru.3000USDAA
    and 21 rows with placeholder names
  C:\Program Files\Microsoft Office\root\Office16\ and its subfolders 1033, 1036, PROOF, FPA_w1, FPA_f3, FPA_f7, FPA_f33, FPA_FA000000006, FPA_FA000000008, FPA_FA000000050 (11 rows)
  C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\ (3 rows)
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ (1 row)
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\ (1 row)
  C:\Program Files\Java\ under jdk-1.8\, jdk-1.8\jre\, jdk-1.8\jre\lib\security\, jre-1.8\, jre-1.8\lib\ and jre-1.8\lib\security\ (9 rows)
  C:\Program Files\Mozilla Firefox\ (2 rows)
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\ (1 row)
  C:\Program Files\VideoLAN\VLC\ (2 rows)
  C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\ (1 row)
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\ (1 row)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (19 IoCs)
Two groups of writes. The first repeats the exefile association reset already listed under "Modifies system executable filetype association" (user hive = \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes):
  Key created      <user hive>\exefile   3usdaa.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command   YOURDATA.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"   YOURDATA.exe
  Key created      <user hive>\exefile\shell\open\command   3usdaa.exe
  Key created      <user hive>\exefile\shell   3usdaa.exe
  Key created      <user hive>\exefile\shell\open   3usdaa.exe
  Key created      <user hive>\exefile\shell\open\command   YOURDATA.exe
  Set value (str)  <user hive>\exefile\shell\open\command\ = "\"%1\" %*"   YOURDATA.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"   3usdaa.exe
  Set value (str)  <user hive>\exefile\shell\open\command\ = "\"%1\" %*"   3usdaa.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command   3usdaa.exe

The second registers the encrypted-file extension and points it at the ransom note; all rows by YOURDATA.exe:
  Key created      \REGISTRY\MACHINE\Software\Classes\.3000USDAA
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.3000USDAA\ = "mimicfile"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command
  Key created      \REGISTRY\MACHINE\Software\Classes\mimicfile\shell\open\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\----Read-Me-----.txt\""
With this chain (.3000USDAA -> ProgID mimicfile -> open command) double-clicking any encrypted file opens the ransom note in Notepad. The note path C:\Users\Admin\AppData\Local\----Read-Me-----.txt, the ProgID mimicfile and the .3000USDAA class key are host-level IoCs worth sweeping for.
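The registry rows in this report (IFEO entries, UAC policy values, the Run key, the exefile and mimicfile class writes) all share one flattened layout: operation, key path, optional value and data, then the writing process. The Python below is an added example, not part of the sandbox report or of the Mimic sample, that parses rows in that layout and applies the checks a responder would run over them: IFEO Debugger redirection (and one target shared by many images), UAC policy values zeroed, Run-key persistence, the exefile handler compared against Windows' stock value, and a newly registered extension whose open command shows a text file. The sample rows are copied from the tables above; the finding kinds, function names and the "ransom note handler" heuristic are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: rows copied from the registry IoC tables in this report. Each
# flattened row reads "<op> <key path>[\<value name> = "<data>"] <process>".
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" YOURDATA.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" YOURDATA.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon64.exe YOURDATA.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine_x86.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlbrowser.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" YOURDATA.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOURDATA = "\"C:\\Users\\Admin\\AppData\\Local\\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\\YOURDATA.exe\" " 3usdaa.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.3000USDAA\ = "mimicfile" YOURDATA.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\----Read-Me-----.txt\"" YOURDATA.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" YOURDATA.exe',
]

ROW_RE = re.compile(r'^(Key created|Set value \(\w+\)) (\\REGISTRY\\.*?)(?: = "(.*)")? (\S+)$')
IFEO_MARK = "\\image file execution options\\"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser", "PromptOnSecureDesktop"}
DEFAULT_EXEFILE_CMD = '"%1" %*'   # what a clean Windows install has for exefile\shell\open\command


@dataclass
class RegEvent:
    op: str                 # "Key created" or "Set value"
    key: str
    value_name: str         # "" means the key's (Default) value
    data: Optional[str]
    process: str


def unescape(s: str) -> str:
    """Undo the report's C-style escaping of backslashes and quotes in value data."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_row(row: str) -> RegEvent:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row}")
    op, path, data, process = m.groups()
    if data is None:
        return RegEvent("Key created", path, "", None, process)
    # A trailing "\" in the path means the (Default) value was written.
    key, _, name = path.rpartition("\\")
    return RegEvent("Set value", key, name, unescape(data).strip(), process)


def analyse(rows: List[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, detail, process) findings for the registry rows."""
    findings = []
    debugger_targets = {}        # debugger path -> images redirected to it
    progid_for_ext = {}          # ".ext" -> (ProgID, process)
    handler_for_progid = {}      # ProgID -> open command
    for e in map(parse_row, rows):
        k = e.key.lower()
        if IFEO_MARK in k:
            image = e.key.rsplit("\\", 1)[1]
            if e.value_name == "Debugger":
                findings.append(("ifeo_debugger", f"{image} -> {e.data}", e.process))
                debugger_targets.setdefault(e.data, []).append(image)
            elif e.op == "Key created":
                findings.append(("ifeo_key", image, e.process))
        elif k.endswith("\\policies\\system") and e.value_name in UAC_VALUES and e.data == "0":
            findings.append(("uac_disabled", f"{e.value_name}=0", e.process))
        elif k.endswith("\\currentversion\\run") and e.op == "Set value":
            findings.append(("run_key", f"{e.value_name} = {e.data}", e.process))
        elif "\\classes\\" in k and e.op == "Set value" and e.value_name == "":
            rel = e.key[k.index("\\classes\\") + len("\\classes\\"):]
            if rel.lower() == "exefile\\shell\\open\\command":
                status = "default" if e.data == DEFAULT_EXEFILE_CMD else "HIJACKED"
                findings.append(("exefile_handler", f"{status}: {e.data}", e.process))
            elif rel.startswith("."):
                progid_for_ext[rel] = (e.data, e.process)
            elif rel.lower().endswith("\\shell\\open\\command"):
                handler_for_progid[rel.split("\\")[0]] = e.data
    # Tie a newly registered extension to the command that opens it.
    for ext, (progid, process) in progid_for_ext.items():
        cmd = handler_for_progid.get(progid)
        if cmd is not None:
            kind = "ransom_note_handler" if "notepad.exe" in cmd.lower() else "ext_handler"
            findings.append((kind, f"{ext} -> {progid} -> {cmd}", process))
    # One "debugger" shared by many images is mass neutering, not a developer's debugger.
    for target, images in debugger_targets.items():
        if len(images) > 1:
            findings.append(("ifeo_mass_redirect", f"{len(images)} images -> {target}", ""))
    return findings


if __name__ == "__main__":
    for kind, detail, process in analyse(SAMPLE_ROWS):
        print(f"{kind:20} {process:14} {detail}")
```

The exefile check is deliberately two-sided: the value written here equals the Windows default, so it reports "default" rather than a hijack, which is the distinction a triage analyst needs when the same signature fires on a sample that really does redirect .exe launches.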
Suspicious behavior: EnumeratesProcesses (64 IoCs, list truncated by the report)
Repeated process-enumeration events by the YOURDATA.exe instances (pids 4316, 3944 and 4636, with 4316 and 3944 accounting for most of the rows) and by three powershell.exe processes (pids 2028, 4400 and 4036). The powershell.exe instances appear nowhere else in the captured rows, so their parent and command line are not visible in this report.
Suspicious use of AdjustPrivilegeToken (64 IoCs, list truncated by the report)
Privileges enabled per process. The numeric entries are privilege LUIDs the sandbox did not resolve to names; in winnt.h numbering 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege.
  2176 7za.exe:  SeRestorePrivilege, 35
  212 7za.exe:   SeRestorePrivilege, 35, SeSecurityPrivilege (logged twice)
  4020 3usdaa.exe and 4316 YOURDATA.exe, each: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  2176 YOURDATA.exe and 3944 YOURDATA.exe, each: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege (the rest falls outside the 64 rows shown)
The 7za.exe pattern (restore plus symbolic-link creation) is consistent with 7-Zip extracting an archive. The dropper and the payload enable every privilege an elevated token can hold in one sweep, a typical "enable all privileges" routine; SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege are the ones that let it open other processes and overwrite files regardless of their ACLs.
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
- 4584 Everything.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (rows de-duplicated; the count after each row is how often the sandbox logged it, and procid_target is the sandbox's own sequential id for the target process, which stays unique where PIDs such as 2176 are reused)
- PID 3872 (240110-pf835afbdr.exe) wrote to memory of 2176, procid_target 98 (x3)
- PID 3872 (240110-pf835afbdr.exe) wrote to memory of 212, procid_target 100 (x3)
- PID 3872 (240110-pf835afbdr.exe) wrote to memory of 4020, procid_target 102 (x3)
- PID 4020 (3usdaa.exe) wrote to memory of 4316, procid_target 104 (x3)
- PID 4316 (YOURDATA.exe) wrote to memory of 4764, procid_target 106 (x3)
- PID 4764 (cmd.exe) wrote to memory of 404, procid_target 108 (x3)
- PID 4316 (YOURDATA.exe) wrote to memory of 2176, procid_target 109 (x3)
- PID 4316 (YOURDATA.exe) wrote to memory of 3944, procid_target 110 (x3)
- PID 4316 (YOURDATA.exe) wrote to memory of 4636, procid_target 111 (x3)
- PID 4316 (YOURDATA.exe) wrote to memory of 4584, procid_target 113 (x3)
- PID 3872 (240110-pf835afbdr.exe) wrote to memory of 4524, procid_target 115 (x3)
- PID 4316 (YOURDATA.exe) wrote to memory of 3644, procid_target 132 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 2552, procid_target 133 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 3952, procid_target 135 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 1416, procid_target 137 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 208, procid_target 138 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 3440, procid_target 139 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 3840, procid_target 140 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 3936, procid_target 141 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 4120, procid_target 143 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 4132, procid_target 144 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 4148, procid_target 145 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 4244, procid_target 146 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 4284, procid_target 147 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 4308, procid_target 148 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 1944, procid_target 149 (x2)
- PID 4316 (YOURDATA.exe) wrote to memory of 4036, procid_target 159 (x1)
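The WriteProcessMemory rows above, together with the AdjustPrivilegeToken rows earlier in the report, are enough to rebuild who spawned whom and which privileges each process enabled, but only if the rows are de-duplicated and the sandbox's procid_target column, not the PID, is used as the node identity: PID 2176 belongs to 7za.exe first and to the YOURDATA.exe -e watch child later. The Python below is an added example, not part of this report or of the sandbox's tooling. WPM_SAMPLE and TOKEN_SAMPLE are constructed subsets of the rows above, joined into one string the way the page renders them (wrapped lines have to be joined before parsing), and the SENSITIVE privilege set is my own choice of what to flag.

```python
"""Rebuild process lineage and token-privilege use from the report's flattened rows.

Added example, not part of the original report. The two samples are subsets of the
report's 'Suspicious use of WriteProcessMemory' and 'Suspicious use of
AdjustPrivilegeToken' rows, joined into one string as the page renders them.
"""
import re
from collections import OrderedDict, defaultdict

# Constructed sample: rows copied from the report, including the duplicate rows the
# sandbox emits for a single process creation (first two rows are the same event).
WPM_SAMPLE = (
    "PID 3872 wrote to memory of 2176 3872 240110-pf835afbdr.exe 98 "
    "PID 3872 wrote to memory of 2176 3872 240110-pf835afbdr.exe 98 "
    "PID 3872 wrote to memory of 4020 3872 240110-pf835afbdr.exe 102 "
    "PID 4020 wrote to memory of 4316 4020 3usdaa.exe 104 "
    "PID 4316 wrote to memory of 4764 4316 YOURDATA.exe 106 "
    "PID 4764 wrote to memory of 404 4764 cmd.exe 108 "
    "PID 4316 wrote to memory of 2176 4316 YOURDATA.exe 109 "
    "PID 4316 wrote to memory of 3644 4316 YOURDATA.exe 132 "
)
# Constructed sample: token rows for the PID-2176 reuse and the main YOURDATA.exe.
TOKEN_SAMPLE = (
    "Token: SeRestorePrivilege 2176 7za.exe Token: 35 2176 7za.exe "
    "Token: SeDebugPrivilege 4316 YOURDATA.exe Token: SeBackupPrivilege 4316 YOURDATA.exe "
    "Token: SeLoadDriverPrivilege 2176 YOURDATA.exe "
)

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")

# My own choice of privileges worth flagging for a file encryptor: Backup/Restore
# read and write any file regardless of its ACL, TakeOwnership and Debug deal with
# protected targets, LoadDriver opens the way to kernel code.
SENSITIVE = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
             "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}


def parse_wpm(text):
    """Return {(parent_pid, parent_name, child_pid, target_id): row_count}.

    target_id is the sandbox's procid_target column, a per-instance id that stays
    unique when PIDs are reused; duplicate rows collapse into the count.
    """
    edges = OrderedDict()
    for m in WPM_RE.finditer(text):
        src, dst, src_again, name, target = m.groups()
        if src != src_again:
            raise ValueError("malformed row: " + m.group(0))
        key = (int(src), name, int(dst), int(target))
        edges[key] = edges.get(key, 0) + 1
    return edges


def build_tree(edges):
    """Map parent pid -> [(child_pid, target_id), ...] in first-seen order."""
    tree = defaultdict(list)
    for (src, _name, dst, target) in edges:
        tree[src].append((dst, target))
    return dict(tree)


def render_tree(edges, root_pid):
    """Indented 'pid name [#target_id]' lines, depth-first in logged order.

    A name is only known for processes that themselves wrote to a child (the
    Process column), so leaves print as '?'. Children are looked up by parent PID,
    so a reused PID that spawned children would list them under each instance;
    the target-id set keeps the walk itself from looping.
    """
    tree = build_tree(edges)
    names = {src: name for (src, name, _dst, _target) in edges}
    lines, seen = [], set()

    def walk(pid, target, depth):
        suffix = "" if target is None else f" [#{target}]"
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}" + suffix)
        for child, child_target in tree.get(pid, []):
            if child_target not in seen:
                seen.add(child_target)
                walk(child, child_target, depth + 1)

    walk(root_pid, None, 0)
    return lines


def parse_tokens(text):
    """Map (pid, name) -> privileges in the order the sandbox logged them."""
    privs = OrderedDict()
    for priv, pid, name in TOKEN_RE.findall(text):
        privs.setdefault((int(pid), name), []).append(priv)
    return privs


def flag_sensitive(privs):
    """(pid, name) -> set of SENSITIVE privileges it enabled; empty hits dropped."""
    return {k: SENSITIVE & set(v) for k, v in privs.items() if SENSITIVE & set(v)}


if __name__ == "__main__":
    print("\n".join(render_tree(parse_wpm(WPM_SAMPLE), 3872)))
    for (pid, name), hits in flag_sensitive(parse_tokens(TOKEN_SAMPLE)).items():
        print(f"{pid} {name}: {', '.join(sorted(hits))}")
```

Keying on procid_target is what makes the second 2176 appear as its own node under 4316 instead of being merged with the 7za.exe instance under 3872; the same pitfall applies to any EDR timeline that keys purely on PID.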
System policy modification 1 TTPs 11 IoCs
description | ioc | Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" YOURDATA.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" YOURDATA.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" YOURDATA.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" YOURDATA.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System YOURDATA.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" YOURDATA.exe
- Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer YOURDATA.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System YOURDATA.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection YOURDATA.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" YOURDATA.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" YOURDATA.exe
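The rows above are the switch set that turns UAC off (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop) plus the two that take the user's shutdown options away (HidePowerOptions, shutdownwithoutlogon). Two details matter when triaging them: EnableLUA=0 only takes effect after the next logon or reboot, whereas ConsentPromptBehaviorAdmin=0 makes every new elevation silent immediately; and the sandbox logs the same policy key under three different casings, so paths must be case-folded before counting distinct keys. The Python below is an added example, not part of the report. The rows are copied from the table above; the WEAK table's explanations are my reading of the documented meaning of each value, not something the report states, and should be adjusted to a site's own baseline.

```python
"""Assess the report's 'System policy modification' rows against a UAC/power baseline.

Added example, not part of the original report. SAMPLE_ROWS are copied from the
report; WEAK encodes what each observed value does (my assumption from the
documented policy semantics, not something the report resolves).
"""
import re

# Constructed sample: the report's eleven rows, one per string, as logged.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" YOURDATA.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" YOURDATA.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" YOURDATA.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" YOURDATA.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System YOURDATA.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" YOURDATA.exe',
    r'Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer YOURDATA.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System YOURDATA.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection YOURDATA.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" YOURDATA.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" YOURDATA.exe',
]

# 'Set value (type) <path> = "<value>" <process>' or 'Key created <path> <process>'
ROW_RE = re.compile(r'(Set value \([a-z]+\)|Key created) (\\REGISTRY\\\S+)(?: = "([^"]*)")? (\S+)')
HIVE = "\\registry\\machine\\"

# value name (lower-case) -> (value that weakens the control, what that does)
WEAK = {
    "enablelua": ("0", "UAC disabled outright; takes effect at next logon/reboot"),
    "consentpromptbehavioradmin": ("0", "admins auto-elevate with no prompt; effective immediately"),
    "consentpromptbehavioruser": ("0", "standard users' elevation requests are auto-denied"),
    "promptonsecuredesktop": ("0", "elevation prompt no longer isolated on the secure desktop"),
    "hidepoweroptions": ("1", "shut down / restart / sleep removed from Start and Ctrl+Alt+Del"),
    "shutdownwithoutlogon": ("0", "no shutdown button on the logon screen"),
    "allowtelemetry": ("0", "Windows telemetry off (low severity, mostly noise reduction)"),
}


def normalize(path):
    """Case-fold and strip the hive so SOFTWARE\\MICROSOFT and Software\\Microsoft match."""
    p = path.casefold()
    return p[len(HIVE):] if p.startswith(HIVE) else p


def parse_rows(text):
    """Yield one dict per row; values stay strings exactly as the sandbox logged them."""
    for op, path, value, proc in ROW_RE.findall(text):
        norm = normalize(path)
        key, _, name = norm.rpartition("\\") if op.startswith("Set value") else (norm, "", "")
        yield {"op": op, "key": key, "name": name, "value": value, "process": proc}


def assess(text):
    """Set-value rows whose value matches a weakening setting in WEAK, with the reason."""
    findings = []
    for row in parse_rows(text):
        rule = WEAK.get(row["name"])
        if row["op"].startswith("Set value") and rule and row["value"] == rule[0]:
            findings.append(dict(row, why=rule[1]))
    return findings


def uac_effectively_off(findings):
    """True when either switch alone already removes the elevation prompt."""
    hit = {f["name"]: f["value"] for f in findings}
    return hit.get("enablelua") == "0" or hit.get("consentpromptbehavioradmin") == "0"


def created_keys(text):
    """Distinct policy keys created after case normalisation (four rows, three keys)."""
    return sorted({r["key"] for r in parse_rows(text) if r["op"] == "Key created"})


if __name__ == "__main__":
    text = " ".join(SAMPLE_ROWS)
    for f in assess(text):
        print(f'{f["process"]}: {f["name"]} = {f["value"]}  ->  {f["why"]}')
    print("UAC effectively off:", uac_effectively_off(assess(text)))
    print("keys created:", created_keys(text))
```

The same parser works on the raw flattened page text, since it matches row by row rather than line by line; on a live host the equivalent check is reading the same values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies and comparing them against the baseline in WEAK.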
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\240110-pf835afbdr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\240110-pf835afbdr.exe"
  PID: 3872
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
    PID: 2176
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p58042791667523172 Everything64.dll
    PID: 212
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3usdaa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3usdaa.exe"
    PID: 4020
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
      Command line: "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe"
      PID: 4316
      - UAC bypass
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c DC.exe /D
        PID: 4764
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\DC.exe
          Command line: DC.exe /D
          PID: 404
          - Executes dropped EXE

      Level 4: C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
        Command line: "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e watch -pid 4316 -!
        PID: 2176
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
        Command line: "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e ul1
        PID: 3944
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
        Command line: "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e ul2
        PID: 4636
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses

      Level 4: C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe
        Command line: "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe" -startup
        PID: 4584
        - Executes dropped EXE
        - Enumerates connected drives
        - Suspicious use of SetWindowsHookEx

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -H off
        PID: 3644

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID: 2552

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID: 3952

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID: 1416

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID: 208

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID: 3440

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID: 3840

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID: 3936

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID: 4120

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID: 4132

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        PID: 4148

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        PID: 4244

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        PID: 4284

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
        PID: 4308

      Level 4: C:\Windows\SYSTEM32\powercfg.exe
        Command line: powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
        PID: 1944

      Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
        PID: 4036
        - Suspicious behavior: EnumeratesProcesses

      Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
        PID: 2028
        - Suspicious behavior: EnumeratesProcesses

      Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
        PID: 4400
        - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
    PID: 4524

Level 1: C:\Windows\System32\Systray.exe
  Command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PIDs: 2920, 3004, 2996, 3272, 928, 2572, 5572, 5592, 5800, 5820, 3292 (eleven separate instances with this same command line; the msedge.exe entry below was logged between PIDs 3004 and 2996)

Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3864 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
  PID: 1676
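Everything YOURDATA.exe (PID 4316) launches after DC.exe is about keeping the host up and its data reachable while it works: powercfg -H off removes hibernation, the twelve -SETACVALUEINDEX/-SETDCVALUEINDEX calls set the power-button, sleep-button and lid-close actions of two power schemes to 0 on both AC and DC power, the two -S calls activate those schemes (the second only succeeds where that scheme exists on the host, otherwise the first stands), and the three PowerShell one-liners stop Hyper-V VMs and dismount their VHDs and any other mounted disk images so those files are no longer held open. Combined with HidePowerOptions=1 and shutdownwithoutlogon=0 from the registry table, the user is left with few ways to power the machine off. The Python below is an added example, not part of the report or of any vendor's tooling, that classifies those command lines so a triage script can summarise them. The GUID and action-value tables are my assumptions from Windows' documented power scheme, subgroup and setting GUIDs (confirm with powercfg /query on the build in question), and SAMPLE_CMDLINES is a constructed subset of the tree above plus one line the rules should leave alone.

```python
"""Classify the powercfg and PowerShell command lines seen under YOURDATA.exe.

Added example, not part of the original report. SCHEMES/SUBGROUPS/SETTINGS/ACTIONS
are assumptions taken from Windows' documented power GUIDs and action indexes, not
values the report resolves; verify them with `powercfg /query` on a given build.
"""
import re
from collections import Counter

SCHEMES = {
    "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c": "High performance",
    "e9a42b02-d5df-448d-aa00-03f14749eb61": "Ultimate Performance",
}
SUBGROUPS = {"4f971e89-eebd-4455-a8de-9e59040e7347": "Power buttons and lid"}
SETTINGS = {
    "7648efa3-dd9c-4e3e-b566-50f929386280": "Power button action",
    "96996bc0-ad50-47ec-923b-6f41874dd9eb": "Sleep button action",
    "5ca83367-6e45-459f-a27b-476b1d01c936": "Lid close action",
}
ACTIONS = {"0": "Do nothing", "1": "Sleep", "2": "Hibernate", "3": "Shut down"}

# Constructed sample: one command line of each shape in the report's process tree,
# plus the DC.exe launcher, which these rules deliberately do not classify.
SAMPLE_CMDLINES = [
    "powercfg.exe -H off",
    "powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c "
    "4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0",
    "powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 "
    "4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0",
    "powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61",
    'powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"',
    'powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"',
    "cmd.exe /c DC.exe /D",
]

SCRIPT_RE = re.compile(r'"([^"]*)"\s*$')   # trailing quoted PowerShell script block


def classify_powercfg(args):
    """Tag one powercfg invocation; args are the tokens after the executable."""
    flag = args[0].upper().lstrip("/-")
    if flag in ("H", "HIBERNATE") and len(args) > 1 and args[1].lower() == "off":
        return "hibernation_disabled", "hiberfil removed; Hibernate option disappears"
    if flag in ("SETACVALUEINDEX", "SETDCVALUEINDEX") and len(args) == 5:
        src = "AC" if flag == "SETACVALUEINDEX" else "DC"
        scheme, sub, setting, value = (a.lower() for a in args[1:])
        detail = (f"{SCHEMES.get(scheme, scheme)} / {src} / {SUBGROUPS.get(sub, sub)} / "
                  f"{SETTINGS.get(setting, setting)} = {value} ({ACTIONS.get(value, '?')})")
        tag = "power_control_neutralized" if setting in SETTINGS and value == "0" else "power_setting_changed"
        return tag, detail
    if flag in ("S", "SETACTIVE") and len(args) == 2:
        return "power_scheme_activated", SCHEMES.get(args[1].lower(), args[1])
    return "powercfg_other", " ".join(args)


def classify_powershell(cmdline):
    """Tag a powershell.exe launch by the cmdlets in its trailing script block."""
    m = SCRIPT_RE.search(cmdline)
    script = (m.group(1) if m else cmdline).lower()
    bypass = "-executionpolicy bypass" in cmdline.lower()
    if "stop-vm" in script:
        tag = "hyperv_vm_stop"
    elif "dismount-diskimage" in script:
        tag = "disk_image_dismount"
    else:
        tag = "powershell_other"
    return tag, ("[ExecutionPolicy Bypass] " if bypass else "") + script


def classify(cmdline):
    """Return (tag, detail) for one command line as logged in the process tree."""
    argv = cmdline.split()
    exe = argv[0].rsplit("\\", 1)[-1].lower()
    if exe in ("powercfg.exe", "powercfg") and len(argv) > 1:
        return classify_powercfg(argv[1:])
    if exe in ("powershell.exe", "powershell", "pwsh.exe", "pwsh"):
        return classify_powershell(cmdline)
    return "none", cmdline


def summarize(cmdlines):
    """Count tags over a list of command lines; a triage one-liner for the whole tree."""
    return Counter(classify(c)[0] for c in cmdlines)


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print("%-28s %s" % classify(c))
    print(dict(summarize(SAMPLE_CMDLINES)))
```

Run over the full tree the summary is 1 hibernation_disabled, 12 power_control_neutralized, 2 power_scheme_activated, 1 hyperv_vm_stop and 2 disk_image_dismount from a single parent within a few seconds, a combination with no legitimate counterpart and one that is cheap to alert on from process-creation telemetry (Sysmon event 1 or Security 4688 with command-line auditing on).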
Network
MITRE ATT&CK Enterprise v15 (count of matched signatures in parentheses)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (5)
Downloads
- Filesize: 846B
  MD5: d3cd58d3b417287a30aa918c89d2f756
  SHA1: 9401219f48d1ec8108b2412db9c81e5990375004
  SHA256: 0a174039bd1cb58a6247a6a32831b522e3f48744feae7256d463a9eaf131b7bf
  SHA512: d2a8431f0e6276eb298dd6cec1791c52f13a50959a309c6516c7f64fbec5f2ea182e9cc9fc708b90e2394697bf4c3854079a7785e7aaec581f8da3c10cae330a

- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

- Filesize: 944B
  MD5: 5f0ddc7f3691c81ee14d17b419ba220d
  SHA1: f0ef5fde8bab9d17c0b47137e014c91be888ee53
  SHA256: a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
  SHA512: 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

- Filesize: 796B
  MD5: 48cd9af07050d0e15a2cad9020f25349
  SHA1: 0fc7c4f7fb225af5eb394ae3f213a95b05d6b7d3
  SHA256: d93525c39adbe44cb09c90c9fbbc26e363b53023e06f9ab710e7e05a6083a815
  SHA512: e88292d173f8bce529923a58cbd30e14f12cb35b9dfecb8b9e0ae817f5e48c0f5ca2712a1e8171d81f3c9385660cc9abe32664416de213dc8311104e6b9987a2

- Filesize: 206B
  MD5: 4ee202fa29574cc578fab4fd1cf1037a
  SHA1: c70d6e5531ced02240435505b10bba5c34b7f16c
  SHA256: 845b9a407eca22fc148fce1fa63e0dda4d77b667a38d24944feee92be81fae86
  SHA512: 6e1e994d58d48c56728441d1de28eb758c166d113c799a44eccd7ccc493ba65c33e2fd70d19f8da5336b03a188baab84ca6ea0a06989ae83d15536db242060b4

- Filesize: 2.9MB
  MD5: a02157550bc9b491fd03cad394ccdfe7
  SHA1: 108b7428e779d5caa7854a1a4dfa5ca42f292f04
  SHA256: a15d1311e02cffd67a0db25cb0d6b2ccd3fc457d0bd76d7d2a4a462bbad6356a
  SHA512: bea12edb6be3921ed25b4b3210ff53f8224c35c3d789864fc86991db972e0a3066af9d5891814153a6091c9dad4deedf3f0879a4dd632e3398864c9f2b6d1022

- Filesize: 772KB
  MD5: b93eb0a48c91a53bda6a1a074a4b431e
  SHA1: ac693a14c697b1a8ee80318e260e817b8ee2aa86
  SHA256: ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142
  SHA512: 732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

- Filesize: 176KB
  MD5: a0ddbe0940e03753cfb5d1b191bab6c5
  SHA1: 044d09e415d684e786712ae5d8779ccafabcbbad
  SHA256: 8b80da52bb7c607aa08520ba177a40176b1bbb81841dfe2447ba934357a2ca3b
  SHA512: ca60c7b018db2f0636a4137a6bb3a59d107897418239eea4eb70794a848bc40fd756058773c18ed3d80a95b96863380b8c24833e6ba6836285e2c8f26429c03f

- Filesize: 802KB
  MD5: ac34ba84a5054cd701efad5dd14645c9
  SHA1: dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b
  SHA256: c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e
  SHA512: df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

- Filesize: 1.7MB
  MD5: c44487ce1827ce26ac4699432d15b42a
  SHA1: 8434080fad778057a50607364fee8b481f0feef8
  SHA256: 4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405
  SHA512: a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

- Filesize: 548B
  MD5: 742c2400f2de964d0cce4a8dabadd708
  SHA1: c452d8d4c3a82af4bc57ca8a76e4407aaf90deca
  SHA256: 2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01
  SHA512: 63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

- Filesize: 550B
  MD5: 51014c0c06acdd80f9ae4469e7d30a9e
  SHA1: 204e6a57c44242fad874377851b13099dfe60176
  SHA256: 89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5
  SHA512: 79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

- Filesize: 84KB
  MD5: 3b03324537327811bbbaff4aafa4d75b
  SHA1: 1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7
  SHA256: 8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
  SHA512: ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

- Filesize: 2.3MB
  MD5: c576119a8bae4d63560ee48893aced8f
  SHA1: 7c46e928379715faa8ac3fb381264f86fcb17ef8
  SHA256: 69d9d97db25a2058c3ad1809356b8e61252e5884dc8122f1a942bf9afa5b1913
  SHA512: 93e1e7eb9d0fd6a6c7c8f2183345d2e17d68748ec0a6e2b1406a3fcf01843ea099680400438ba390001673b9d964bbd2be22f45e0b5bc48b71b1b057673f5d56

- Filesize: 350KB
  MD5: 803df907d936e08fbbd06020c411be93
  SHA1: 4aa4b498ae037a2b0479659374a5c3af5f6b8d97
  SHA256: e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c
  SHA512: 5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 1.8MB
  MD5: 217d5331ba845e614108d52057db926d
  SHA1: 693115e6b33aa239bd47957a702fc6cf9338d200
  SHA256: ebd33b530cc8a029f8055f7b863cea062dfa97b0adff71d4cd6512e2b0c3c83c
  SHA512: c2e37f4742b2f3a3d38de008fde8c91732853937fdcbe3f12aef50fc840bef4173aadfcce77127ca66f7b193fdb813fa0de46c5c2ff26c8aa63b33deb201cc5b

- Filesize: 2.0MB
  MD5: 8d9634abdd38211ceb7542e16f78ac8e
  SHA1: b82800be4e2b0f87d5f57b0c54f0b2968927a6f3
  SHA256: 8a22e8e51de0dea45d3758bb84ee7383daa45b0037d167b1527e0a6fda653e08
  SHA512: e31b8fe4c21f419a5e18039cb7053831c481e9eec1a8eaffaec8e2dd6bab5a7ceeefa3dab66ed980e4268a0137e73d8334a5675e31c42d0781c6eeff93a36735

- Filesize: 1.4MB
  MD5: 30f8521265761e504b53e99744c78b4e
  SHA1: 730e4f459cc7cf0dc8329174d9670f82a9a14269
  SHA256: 4f43093a451e81e640cd639e383af97d94f4352d1fa56cbe27a5f19b7ff25cf8
  SHA512: 58e40474129d9c6dd4a2c120b3f25584b204b787523e8e4b11ca225ace484d7869f3f44678642ac43dc0ceb0a804779adab358dba7baf6b97788106206996628

- Filesize: 384KB
  MD5: 52af0e1a8397476d6ca789f54a9dbdb5
  SHA1: 5a8e711886901e3e7ecc8e78353024eae3a7b6be
  SHA256: d2d26f94befb709307c7271139053fdd629b713c176851fab21b0df44ce1578d
  SHA512: fe104fc467c8642665395488f1db5a0f391bcab24581c6e596ce805d2e151bd8eb62027d65b0e9df5a60effdd3358c0c2f9d71b5b804e93377ca9953aaa594bf

- Filesize: 1.8MB
  MD5: 98968ff9ade09737a54900f491cd813b
  SHA1: 3869f806ecd499ac34921cf2d9a803dc51b554d1
  SHA256: 820a9d8ce91446ee7d44199af07fb02f701a94dbda6ab5a0d115aef245e34a59
  SHA512: 02f61ecca1492ef759ff220500c5c433afe4175df7121bb3d67f61b8cdc4869146c1e86395ab7a1381892b3935a10f4a5e7ca582f510e309540e429a72ce3628

- Filesize: 32B
  MD5: 9821b82cac585c48977f9b9b80aac5a2
  SHA1: 080823e46d7d6a4f6c4a119e94c98c082efbce98
  SHA256: 4e1aa6fea104c9d7317d55d8a3993754315a696d5e7de7693b9914b3093aeaca
  SHA512: bfbcd29b0eb14dbb4b03ee36d8fd5541228642dccdcc0748b68c90d008a576d40a8ec4e9ad154e2956a8a63737debc60542f7d87815bdc8d129ec852c8ce469d

- Filesize: 35KB
  MD5: f912e88099fdd6deb7c07b24c43d28ba
  SHA1: 0cb907a0642784156b25846e38dfec08bbe829ab
  SHA256: 8fb6fd5c1acf65b2148c061ae2e6037fe211a2d3f260c51d91863d39b393b0c0
  SHA512: 98414f75914a195eb9b7296d508268a3660a574ce194037d0fb99c81a3fc573069518007d7c61870af72a4c6f000995cde06145b27ce6f80dd0b2946dffbb382