Analysis
- max time kernel: 18s
- max time network: 21s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-03-2024 14:51
Static task: static1
Behavioral task: behavioral1
- Sample: 230323-gnlc2afg8y.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 230323-gnlc2afg8y.exe
- Resource: win10v2004-20240226-en
General
- Target: 230323-gnlc2afg8y.exe
- Size: 148KB
- MD5: 6ed3e3327246cc457d22bb92bd3bba8b
- SHA1: 1329a6af26f16bb371782ff404d526eec1af9d22
- SHA256: 72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503
- SHA512: f6c5428adffc10294204e0b068510d91fced02bbe02158a21294ebd5baf249aff0264021cbf7b2b9b37533b1db4daa09113abaa84435f4aa7660849f9b9257f7
- SSDEEP: 3072:gqMedjZ064qkGda5bFxs0ZUfBpfF6Mq6qUbHlVexC6exvLsBB16UVsh8iSd:+A0rAda5bFxvYptdHl4xV+Efuh
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4zwqwajf.ncq\\[email protected]" | [email protected]
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 4 IoCs
resource | yara_rule
behavioral2/files/0x000a0000000231f4-21.dat | INDICATOR_SUSPICIOUS_USNDeleteJournal
behavioral2/memory/4140-23-0x0000000002460000-0x00000000024C8000-memory.dmp | INDICATOR_SUSPICIOUS_USNDeleteJournal
behavioral2/memory/4140-31-0x0000000002460000-0x00000000024C8000-memory.dmp | INDICATOR_SUSPICIOUS_USNDeleteJournal
behavioral2/memory/4140-80-0x0000000002460000-0x00000000024C8000-memory.dmp | INDICATOR_SUSPICIOUS_USNDeleteJournal
-
Detects executables packed with ConfuserEx Mod 3 IoCs
resource | yara_rule
behavioral2/memory/2696-0-0x000001FA00290000-0x000001FA002BC000-memory.dmp | INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/2696-1-0x000001FA01E10000-0x000001FA01E26000-memory.dmp | INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/2696-5-0x000001FA1A6E0000-0x000001FA1A718000-memory.dmp | INDICATOR_EXE_Packed_ConfuserEx
-
UPX dump on OEP (original entry point) 7 IoCs
resource | yara_rule
behavioral2/files/0x0007000000023200-41.dat | UPX
behavioral2/memory/1296-47-0x0000000000400000-0x0000000000438000-memory.dmp | UPX
behavioral2/memory/1296-49-0x0000000000400000-0x0000000000438000-memory.dmp | UPX
behavioral2/memory/1296-51-0x0000000000400000-0x0000000000438000-memory.dmp | UPX
behavioral2/memory/1296-52-0x0000000000400000-0x0000000000438000-memory.dmp | UPX
behavioral2/memory/1296-139-0x0000000000400000-0x0000000000438000-memory.dmp | UPX
behavioral2/memory/4152-285-0x0000000000400000-0x00000000005DE000-memory.dmp | UPX
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource | yara_rule
behavioral2/files/0x0009000000023206-86.dat | mimikatz
-
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | [email protected]
Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | [email protected]
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
3888 | netsh.exe
5020 | netsh.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | 230323-gnlc2afg8y.exe
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe | [email protected]
-
Executes dropped EXE 14 IoCs
pid | Process
3728 | [email protected]
1296 | [email protected]
4864 | [email protected]
2008 | 44BA.tmp
5100 | [email protected]
1896 | Fantom.exe
4848 | [email protected]
4192 | [email protected]
4152 | [email protected]
4472 | [email protected]
3740 | [email protected]
2552 | dgMkgUsI.exe
4232 | LWIAwkoQ.exe
5020 | [email protected]
-
Loads dropped DLL 1 IoCs
pid | Process
4140 | rundll32.exe
-
resource | yara_rule
behavioral2/files/0x0007000000023200-41.dat | upx
behavioral2/memory/1296-47-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral2/memory/1296-49-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral2/memory/1296-51-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral2/memory/1296-52-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral2/memory/1296-139-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral2/memory/1896-140-0x0000000002020000-0x0000000002030000-memory.dmp | upx
behavioral2/memory/4152-285-0x0000000000400000-0x00000000005DE000-memory.dmp | upx
-
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | [email protected]
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dgMkgUsI.exe = "C:\\Users\\Admin\\feoMIMQI\\dgMkgUsI.exe" | [email protected]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LWIAwkoQ.exe = "C:\\ProgramData\\XEwMIsIY\\LWIAwkoQ.exe" | [email protected]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LWIAwkoQ.exe = "C:\\ProgramData\\XEwMIsIY\\LWIAwkoQ.exe" | LWIAwkoQ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dgMkgUsI.exe = "C:\\Users\\Admin\\feoMIMQI\\dgMkgUsI.exe" | dgMkgUsI.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4zwqwajf.ncq\\[email protected]" | [email protected]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" | [email protected]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" | [email protected]
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: | [email protected]
File opened (read-only) | \??\r: | [email protected]
File opened (read-only) | \??\w: | [email protected]
File opened (read-only) | \??\j: | [email protected]
File opened (read-only) | \??\q: | [email protected]
File opened (read-only) | \??\s: | [email protected]
File opened (read-only) | \??\t: | [email protected]
File opened (read-only) | \??\v: | [email protected]
File opened (read-only) | \??\x: | [email protected]
File opened (read-only) | \??\u: | [email protected]
File opened (read-only) | \??\b: | [email protected]
File opened (read-only) | \??\e: | [email protected]
File opened (read-only) | \??\i: | [email protected]
File opened (read-only) | \??\m: | [email protected]
File opened (read-only) | \??\n: | [email protected]
File opened (read-only) | \??\p: | [email protected]
File opened (read-only) | \??\z: | [email protected]
File opened (read-only) | \??\g: | [email protected]
File opened (read-only) | \??\h: | [email protected]
File opened (read-only) | \??\k: | [email protected]
File opened (read-only) | \??\l: | [email protected]
File opened (read-only) | \??\o: | [email protected]
File opened (read-only) | \??\y: | [email protected]
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
13 | raw.githubusercontent.com
15 | raw.githubusercontent.com
-
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" | [email protected]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü.  îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû." | [email protected]
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | [email protected]
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-default_32.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_uinline_warning.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_unshare_18.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_delete_18.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Res.dll.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\sendforcomments.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyStateCCFiles_280x192.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-up.png.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | \??\c:\program files (x86)\bitcoin | [email protected]
File opened for modification | \??\c:\program files (x86)\microsoft\microsoft sql server | [email protected]
File opened for modification | \??\c:\program files (x86)\microsoft\office | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons__retina_hiContrast_wob.png.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv58.dll.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\AddIns.store.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_43.dll.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail2x.png.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_audit_report_18.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\plugin.X.manifest.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.aff.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_shared_multi_filetype.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\vscroll-thumb.png.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\form_responses.gif.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\rename.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_selected_18.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions.png.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-hover.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxSelected.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyFolder_160.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter_18.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\README_en_US.txt.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoSearchResults_180x160.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\List.txt.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F | [email protected]
-
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | C:\WINDOWS\Web | [email protected]
File created | C:\Windows\infpub.dat | [email protected]
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\cscc.dat | rundll32.exe
File created | C:\Windows\dispci.exe | rundll32.exe
File opened for modification | C:\Windows\44BA.tmp | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | [email protected]
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | [email protected]
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4704 | schtasks.exe
1204 | schtasks.exe
-
Kills process with taskkill 1 IoCs
pid | Process
4252 | taskkill.exe
-
Modifies Control Panel 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\MenuShowDelay = "9999" | [email protected]
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International | [email protected]
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\sTimeFormat = "ÕÓÉ" | [email protected]
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop | [email protected]
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallpaperOriginX = "210" | [email protected]
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallpaperOriginY = "187" | [email protected]
-
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" | [email protected]
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | [email protected]
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" | [email protected]
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main | [email protected]
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | [email protected]
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | [email protected]
-
Modifies registry class 1 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND | [email protected]
-
Modifies registry key 1 TTPs 3 IoCs
pid | Process
3784 | reg.exe
3628 | reg.exe
3708 | reg.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2696 | 230323-gnlc2afg8y.exe
Token: SeShutdownPrivilege | 4140 | rundll32.exe
Token: SeDebugPrivilege | 4140 | rundll32.exe
Token: SeTcbPrivilege | 4140 | rundll32.exe
Token: SeDebugPrivilege | 4252 | taskkill.exe
Token: SeDebugPrivilege | 2008 | 44BA.tmp
Token: SeShutdownPrivilege | 4864 | [email protected]
Token: SeCreatePagefilePrivilege | 4864 | [email protected]
Token: SeDebugPrivilege | 1896 | Fantom.exe
Token: SeDebugPrivilege | 5100 | [email protected]
Token: SeSystemtimePrivilege | 4192 | [email protected]
Token: SeShutdownPrivilege | 4472 | [email protected]
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2696 wrote to memory of 3728 | 2696 | 230323-gnlc2afg8y.exe | 92
PID 2696 wrote to memory of 3728 | 2696 | 230323-gnlc2afg8y.exe | 92
PID 2696 wrote to memory of 3728 | 2696 | 230323-gnlc2afg8y.exe | 92
PID 3728 wrote to memory of 4140 | 3728 | [email protected] | 94
PID 3728 wrote to memory of 4140 | 3728 | [email protected] | 94
PID 3728 wrote to memory of 4140 | 3728 | [email protected] | 94
PID 4140 wrote to memory of 2796 | 4140 | rundll32.exe | 97
PID 4140 wrote to memory of 2796 | 4140 | rundll32.exe | 97
PID 4140 wrote to memory of 2796 | 4140 | rundll32.exe | 97
PID 2696 wrote to memory of 1296 | 2696 | 230323-gnlc2afg8y.exe | 99
PID 2696 wrote to memory of 1296 | 2696 | 230323-gnlc2afg8y.exe | 99
PID 2696 wrote to memory of 1296 | 2696 | 230323-gnlc2afg8y.exe | 99
PID 2796 wrote to memory of 4028 | 2796 | cmd.exe | 100
PID 2796 wrote to memory of 4028 | 2796 | cmd.exe | 100
PID 2796 wrote to memory of 4028 | 2796 | cmd.exe | 100
PID 1296 wrote to memory of 4252 | 1296 | [email protected] | 101
PID 1296 wrote to memory of 4252 | 1296 | [email protected] | 101
PID 1296 wrote to memory of 4252 | 1296 | [email protected] | 101
PID 2696 wrote to memory of 4864 | 2696 | 230323-gnlc2afg8y.exe | 104
PID 2696 wrote to memory of 4864 | 2696 | 230323-gnlc2afg8y.exe | 104
PID 2696 wrote to memory of 4864 | 2696 | 230323-gnlc2afg8y.exe | 104
PID 4864 wrote to memory of 3888 | 4864 | [email protected] | 106
PID 4864 wrote to memory of 3888 | 4864 | [email protected] | 106
PID 4864 wrote to memory of 3888 | 4864 | [email protected] | 106
PID 4864 wrote to memory of 5020 | 4864 | [email protected] | 108
PID 4864 wrote to memory of 5020 | 4864 | [email protected] | 108
PID 4864 wrote to memory of 5020 | 4864 | [email protected] | 108
PID 4140 wrote to memory of 4220 | 4140 | rundll32.exe | 110
PID 4140 wrote to memory of 4220 | 4140 | rundll32.exe | 110
PID 4140 wrote to memory of 4220 | 4140 | rundll32.exe | 110
PID 4140 wrote to memory of 636 | 4140 | rundll32.exe | 112
PID 4140 wrote to memory of 636 | 4140 | rundll32.exe | 112
PID 4140 wrote to memory of 636 | 4140 | rundll32.exe | 112
PID 4140 wrote to memory of 2008 | 4140 | rundll32.exe | 114
PID 4140 wrote to memory of 2008 | 4140 | rundll32.exe | 114
PID 4220 wrote to memory of 1204 | 4220 | cmd.exe | 116
PID 4220 wrote to memory of 1204 | 4220 | cmd.exe | 116
PID 4220 wrote to memory of 1204 | 4220 | cmd.exe | 116
PID 636 wrote to memory of 4704 | 636 | cmd.exe | 117
PID 636 wrote to memory of 4704 | 636 | cmd.exe | 117
PID 636 wrote to memory of 4704 | 636 | cmd.exe | 117
PID 2696 wrote to memory of 5100 | 2696 | 230323-gnlc2afg8y.exe | 118
PID 2696 wrote to memory of 5100 | 2696 | 230323-gnlc2afg8y.exe | 118
PID 2696 wrote to memory of 5100 | 2696 | 230323-gnlc2afg8y.exe | 118
PID 2696 wrote to memory of 1896 | 2696 | 230323-gnlc2afg8y.exe | 120
PID 2696 wrote to memory of 1896 | 2696 | 230323-gnlc2afg8y.exe | 120
PID 2696 wrote to memory of 1896 | 2696 | 230323-gnlc2afg8y.exe | 120
PID 2696 wrote to memory of 4848 | 2696 | 230323-gnlc2afg8y.exe | 121
PID 2696 wrote to memory of 4848 | 2696 | 230323-gnlc2afg8y.exe | 121
PID 2696 wrote to memory of 4848 | 2696 | 230323-gnlc2afg8y.exe | 121
PID 2696 wrote to memory of 4192 | 2696 | 230323-gnlc2afg8y.exe | 122
PID 2696 wrote to memory of 4192 | 2696 | 230323-gnlc2afg8y.exe | 122
PID 2696 wrote to memory of 4192 | 2696 | 230323-gnlc2afg8y.exe | 122
PID 2696 wrote to memory of 4152 | 2696 | 230323-gnlc2afg8y.exe | 123
PID 2696 wrote to memory of 4152 | 2696 | 230323-gnlc2afg8y.exe | 123
PID 2696 wrote to memory of 4152 | 2696 | 230323-gnlc2afg8y.exe | 123
PID 2696 wrote to memory of 4472 | 2696 | 230323-gnlc2afg8y.exe | 124
PID 2696 wrote to memory of 4472 | 2696 | 230323-gnlc2afg8y.exe | 124
PID 2696 wrote to memory of 4472 | 2696 | 230323-gnlc2afg8y.exe | 124
PID 2696 wrote to memory of 3740 | 2696 | 230323-gnlc2afg8y.exe | 125
PID 2696 wrote to memory of 3740 | 2696 | 230323-gnlc2afg8y.exe | 125
PID 2696 wrote to memory of 3740 | 2696 | 230323-gnlc2afg8y.exe | 125
PID 3740 wrote to memory of 2552 | 3740 | [email protected] | 127
PID 3740 wrote to memory of 2552 | 3740 | [email protected] | 127
-
System policy modification 1 TTPs 37 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" [email protected]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" [email protected]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" [email protected]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" [email protected]
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" [email protected]
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" [email protected]
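The 37 IoCs above are a user-interface lockout: Explorer, Task Manager, regedit, Control Panel, Run, Find, logoff and shutdown are all disabled by policy, and NoDrives = 1044 (0x414, bits 2, 4 and 10) hides C:, E: and K: from the shell. The following script is an added example written for this page, not part of the sandbox report or of the sample: it audits a host for exactly these values, decodes the NoDrives bitmask, and removes them when run elevated with -Remediate. The value names and keys come from the report; the HKCU root, the switch and the function names are this example's own assumptions.

```powershell
# Added example (not part of the sandbox report). Audits the machine-wide and
# per-user Policies keys for the Explorer/System/NonEnum/Uninstall values the
# report shows being set, decodes the NoDrives bitmask, and removes the values
# when -Remediate is given. Run from an elevated PowerShell.
[CmdletBinding()]
param([switch]$Remediate)

$PolicyRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',   # root shown in the report
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'    # per-user variant (assumption, not in the report)
)

# Subkey -> value names. Every value is a DWORD set to 1 in the report except
# NoDrives, which is a bitmask (1044 in the report).
$LockoutValues = @{
    'Explorer'  = @('NoDesktop','NoControlPanel','NoLogOff','NoPrinterTabs',
                    'NoStartMenuPinnedList','NoSMMyDocs','NoActiveDesktop',
                    'NoCommonGroups','NoViewOnDrive','NoDrives','NoRun',
                    'NoRecentDocsMenu','NoThemesTab','NoStartMenuMyMusic',
                    'NoFavoritesMenu','NoNetHood','NoManageMyComputerVerb',
                    'NoStartMenuMFUprogramsList','NoSaveSettings','NoPrinters',
                    'NoStartMenuSubFolders','NoFind','NoUserNameInStartMenu',
                    'NoToolbarCustomize','NoSMHelp','NoSMMyPictures','NoClose')
    'System'    = @('NoDispCPL','DisableRegistryTools','DisableTaskMgr')
    'NonEnum'   = @('{450D8FBA-AD25-11D0-98A8-0800361B1103}',   # My Documents namespace object
                    '{20D04FE0-3AEA-1069-A2D8-08002B30309D}')   # My Computer namespace object
    'Uninstall' = @('NoAddRemovePrograms')
}

function ConvertFrom-NoDrivesMask {
    # NoDrives bit n hides drive letter n (A = bit 0, B = bit 1, ...).
    # 1044 = 0x414 = bits 2, 4 and 10, i.e. C:, E: and K:.
    param([uint32]$Mask)
    0..25 | Where-Object { ($Mask -band (1 -shl $_)) -ne 0 } |
        ForEach-Object { '{0}:' -f [char](65 + $_) }
}

function Get-PolicyLockout {
    foreach ($root in $PolicyRoots) {
        foreach ($sub in $LockoutValues.Keys) {
            $key = Join-Path $root $sub
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($name in $LockoutValues[$sub]) {
                $val = $props.$name
                if ($null -eq $val -or $val -eq 0) { continue }
                $detail = if ($name -eq 'NoDrives') {
                    'hides ' + ((ConvertFrom-NoDrivesMask -Mask $val) -join ' ')
                } else { '' }
                [pscustomobject]@{ Key = $key; Name = $name; Value = $val; Detail = $detail }
            }
        }
    }
}

$hits = @(Get-PolicyLockout)
if ($hits.Count -eq 0) { Write-Host 'No lockout policy values set.'; return }
$hits | Format-Table -AutoSize

if ($Remediate) {
    foreach ($h in $hits) {
        Remove-ItemProperty -Path $h.Key -Name $h.Name -ErrorAction Stop
        Write-Host "Removed $($h.Key)\$($h.Name)"
    }
    # Explorer reads these policies at logon: sign out or restart explorer.exe afterwards.
    Write-Host 'Sign out or restart explorer.exe for the change to take effect.'
}
```

Because the sample also disables regedit and Task Manager, this is the kind of check that has to run from a remote PowerShell session or a recovery environment rather than from the locked-down desktop; the Remove-ItemProperty calls only undo the policy values and do nothing about the Run key and Winlogon persistence the same process sets.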
Processes
- C:\Users\Admin\AppData\Local\Temp\230323-gnlc2afg8y.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\230323-gnlc2afg8y.exe"
  PID: 2696
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\on3m1ycz.0rd\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\on3m1ycz.0rd\[email protected]"
    PID: 3728
    Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      PID: 4140
      Signatures: Loads dropped DLL; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: /c schtasks /Delete /F /TN rhaegal
        PID: 2796
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Delete /F /TN rhaegal
          PID: 4028
      - C:\Windows\SysWOW64\cmd.exe
        Command line: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 482776516 && exit"
        PID: 4220
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 482776516 && exit"
          PID: 1204
          Signatures: Creates scheduled task(s)
      - C:\Windows\SysWOW64\cmd.exe
        Command line: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:09:00
        PID: 636
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:09:00
          PID: 4704
          Signatures: Creates scheduled task(s)
      - C:\Windows\44BA.tmp
        Command line: "C:\Windows\44BA.tmp" \\.\pipe\{03A0A3D1-9A61-443B-B207-59853C9638D5}
        PID: 2008
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\4zwqwajf.ncq\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\4zwqwajf.ncq\[email protected]"
    PID: 1296
    Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM explorer.exe
      PID: 4252
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\xkh0f1j5.yv0\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\xkh0f1j5.yv0\[email protected]"
    PID: 4864
    Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      PID: 3888
      Signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe
      Command line: C:\Windows\system32\netsh.exe advfirewall reset
      PID: 5020
      Signatures: Modifies Windows Firewall
  - C:\Users\Admin\AppData\Local\Temp\nsogxkx0.uf1\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\nsogxkx0.uf1\[email protected]"
    PID: 5100
    Signatures: Drops startup file; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\y3ibplgc.ppx\Fantom.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\y3ibplgc.ppx\Fantom.exe"
    PID: 1896
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\ltuatjb4.px0\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\ltuatjb4.px0\[email protected]"
    PID: 4848
    Signatures: Executes dropped EXE; Drops file in Program Files directory; Checks processor information in registry
  - C:\Users\Admin\AppData\Local\Temp\mqrsbokt.lmf\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\mqrsbokt.lmf\[email protected]"
    PID: 4192
    Signatures: Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; Modifies WinLogon; Drops file in Windows directory; Modifies Control Panel; Modifies Internet Explorer settings; Modifies Internet Explorer start page; Modifies registry class; Suspicious use of AdjustPrivilegeToken; System policy modification
  - C:\Users\Admin\AppData\Local\Temp\inq1wxvh.rqy\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\inq1wxvh.rqy\[email protected]"
    PID: 4152
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\2s3ptohg.bik\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\2s3ptohg.bik\[email protected]"
    PID: 4472
    Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR); Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\cx1fdrff.rfj\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\cx1fdrff.rfj\[email protected]"
    PID: 3740
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\feoMIMQI\dgMkgUsI.exe
      Command line: "C:\Users\Admin\feoMIMQI\dgMkgUsI.exe"
      PID: 2552
      Signatures: Executes dropped EXE; Adds Run key to start application
    - C:\ProgramData\XEwMIsIY\LWIAwkoQ.exe
      Command line: "C:\ProgramData\XEwMIsIY\LWIAwkoQ.exe"
      PID: 4232
      Signatures: Executes dropped EXE; Adds Run key to start application
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cx1fdrff.rfj\Endermanch@PolyRansom"
      PID: 2480
      - C:\Users\Admin\AppData\Local\Temp\cx1fdrff.rfj\[email protected]
        Command line: C:\Users\Admin\AppData\Local\Temp\cx1fdrff.rfj\Endermanch@PolyRansom
        PID: 5020
        Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      PID: 3628
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      PID: 3784
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      PID: 3708
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIoQswMo.bat" "C:\Users\Admin\AppData\Local\Temp\cx1fdrff.rfj\[email protected]""
      PID: 3492
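The tree shows the BadRabbit chain in full: rundll32 loads C:\Windows\infpub.dat by ordinal, deletes and recreates a SYSTEM task named rhaegal that starts C:\Windows\dispci.exe at boot, schedules a one-shot task named drogon that force-reboots the host, and spawns a credential-dumping helper (C:\Windows\44BA.tmp, handed a named pipe). A sibling sample then disables UAC and hides extensions and hidden files through reg.exe, and two others replace the Winlogon shell. The script below is an added example for this page, not part of the sandbox report or of any of the samples: it checks a live host for those specific artefacts. Task names, file paths and the reg.exe value names come from the tree; the Winlogon Shell checks, the action-based task matching and the function name are this example's own assumptions.

```powershell
# Added example (not part of the sandbox report). Looks for the persistence and
# defence-impairment artefacts visible in the process tree on a live host.
function Find-ReportArtifacts {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Scheduled tasks: match the names used in the tree (rhaegal, drogon) and,
    #    independently, the actions they carry, so a renamed task with the same
    #    dispci.exe / "shutdown /r" payload is still caught.
    foreach ($t in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $actions = @($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
        if ($t.TaskName -in @('rhaegal','drogon') -or
            $actions -match 'dispci\.exe|shutdown\.exe\s+/r') {
            $findings.Add("Task $($t.TaskPath)$($t.TaskName) as $($t.Principal.UserId): $actions")
        }
    }

    # 2. Components the tree shows being dropped into C:\Windows.
    foreach ($p in @('C:\Windows\infpub.dat','C:\Windows\dispci.exe')) {
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings.Add("Dropped file present: $p (SHA256 $h)")
        }
    }

    # 3. Registry values. The first three are the reg.exe commands in the tree.
    #    The Winlogon checks are an assumption about what the "Modifies WinLogon"
    #    signatures refer to: the Shell value should be explorer.exe under HKLM
    #    and should not exist at all under HKCU.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Name = 'EnableLUA';   Bad = { $args[0] -eq 0 }; Why = 'UAC disabled' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
           Name = 'HideFileExt'; Bad = { $args[0] -eq 1 }; Why = 'file extensions hidden' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
           Name = 'Hidden';      Bad = { $args[0] -eq 2 }; Why = 'hidden files not shown' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
           Name = 'Shell';       Bad = { $args[0] -ne 'explorer.exe' }; Why = 'machine Winlogon Shell replaced' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
           Name = 'Shell';       Bad = { $null -ne $args[0] }; Why = 'per-user Winlogon Shell set' }
    )
    foreach ($c in $checks) {
        $val = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if (& $c.Bad $val) {
            $findings.Add("$($c.Path)\$($c.Name) = $val ($($c.Why))")
        }
    }

    return $findings
}

$result = @(Find-ReportArtifacts)
if ($result.Count -eq 0) { 'No artefacts from the report found on this host.' } else { $result }
```

The drogon task is the one to look for first on a machine that has not yet rebooted: its /ST time is the deadline after which the rhaegal task and the MBR write take effect, so removing both tasks (schtasks /Delete /F /TN rhaegal and drogon, as the sample itself does) before the reboot is what stops the chain. The 44BA.tmp name is random per run, so it is deliberately not in the file list.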
Network
MITRE ATT&CK Enterprise v15 (number in parentheses = matching signatures)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (7)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F
  Filesize: 16B
  MD5: bb49bd8186549f8689085fbfa3393bb5
  SHA1: 58cb966418485862130e0bfed8242f575ab852b6
  SHA256: eb13a894b87080ade1d494dba75bd3505f54578a6c21f146c989240a8ad401c7
  SHA512: 31acc677dc33dc6e7994ef690f28145471682d5b41ea61bb27d082a845c271f475d07a62ee94458596d34e01fe22e605d72854e30b95371a2d9dc4387bbf9b61
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F
  Filesize: 720B
  MD5: 42c7e8b976cc6a8b5a7490bcb87ec8bf
  SHA1: ba45df0b6f1932a8635f302d3b1e940d20ab1961
  SHA256: 446eee561a09049bfd41e27ef386e165a2b16065b3c28d04d6c5ed9a7aa3b252
  SHA512: 0f2d8233b31c298db75bc0a07f438493b20cfb0272566a5e032e2288e7af62683476e8cb86540f1ab90adf6d9af83ae9d66202dcc8f1afbb467d1dd7c42cce53
- C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.67D2B1B89C2585D2EE67B417B476F92EA0D26D9FDAE7330325B07A2B54FBD49F
  Filesize: 32KB
  MD5: 1f50c52264bb189ddc4e56d786d7d0ec
  SHA1: b4eab07a2909d297e8284841a2bc25763282646f
  SHA256: 3c3daaf68dd6762837044fbef0b87fcf1dcd4efdc21a824d0fed17a3243b13df
  SHA512: 7c4c7f271a9bc1f79128b4c69216b7190e9ac7a1ea4ef8b7abc4a4360319bd2c0177795bbffe372d0431f4a8e61d841088c3e2a2cd07bfaee9319b605a6f7173
- Filesize: 186KB
  MD5: 1d4ad9f9604a99c997884fd5ca17e511
  SHA1: 776bf53860b5dcae53f4f611880e84b631296589
  SHA256: a9e23859e5c1a8a5c52b7d3fd2a1db6b3bb80d1e9e512083aebe9fafae41c5d3
  SHA512: ac15a75dd772ef86122d1d94d1407982e1538bec8eec4f65398d2b6bfd6eebf31802d2a9059c626dde34b35b8af99f0156e890eef83e7b8564064cafeaffb00f
- C:\Users\Admin\AppData\Local\Temp\2s3ptohg.bik\[email protected]
  Filesize: 225KB
  MD5: af2379cc4d607a45ac44d62135fb7015
  SHA1: 39b6d40906c7f7f080e6befa93324dddadcbd9fa
  SHA256: 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
  SHA512: 69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
- C:\Users\Admin\AppData\Local\Temp\4zwqwajf.ncq\[email protected]
  Filesize: 116KB
  MD5: 41789c704a0eecfdd0048b4b4193e752
  SHA1: fb1e8385691fa3293b7cbfb9b2656cf09f20e722
  SHA256: b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
  SHA512: 76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea
- C:\Users\Admin\AppData\Local\Temp\cx1fdrff.rfj\[email protected]
  Filesize: 220KB
  MD5: 3ed3fb296a477156bc51aba43d825fc0
  SHA1: 9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
  SHA256: 1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
  SHA512: dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
- C:\Users\Admin\AppData\Local\Temp\inq1wxvh.rqy\[email protected]
  Filesize: 1.4MB
  MD5: 63210f8f1dde6c40a7f3643ccf0ff313
  SHA1: 57edd72391d710d71bead504d44389d0462ccec9
  SHA256: 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
  SHA512: 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
- C:\Users\Admin\AppData\Local\Temp\ltuatjb4.px0\[email protected]
  Filesize: 211KB
  MD5: b805db8f6a84475ef76b795b0d1ed6ae
  SHA1: 7711cb4873e58b7adcf2a2b047b090e78d10c75b
  SHA256: f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
  SHA512: 62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
- C:\Users\Admin\AppData\Local\Temp\ltuatjb4.px0\[email protected]
  Filesize: 128KB
  MD5: 3dc436bf6e5358d1e0be5bce3e2110e5
  SHA1: 5ff1e5176f85c06bb34c030f0b50298d5b735fe9
  SHA256: 0a770767756c5f2fa8e7f03c24ea2576c4a515f4bad4c6841304f3ae96719901
  SHA512: cbbd9813030131b2cf8e568c15b58f6715c98a76cc7f19c55a926089ccef603b9062cee824c04c85916fefc2efde367f928295bef295da19cf3e259f6506de4e
- C:\Users\Admin\AppData\Local\Temp\mqrsbokt.lmf\[email protected]
  Filesize: 53KB
  MD5: 87ccd6f4ec0e6b706d65550f90b0e3c7
  SHA1: 213e6624bff6064c016b9cdc15d5365823c01f5f
  SHA256: e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
  SHA512: a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
- C:\Users\Admin\AppData\Local\Temp\nsogxkx0.uf1\[email protected]
  Filesize: 484KB
  MD5: 0a7b70efba0aa93d4bc0857b87ac2fcb
  SHA1: 01a6c963b2f5f36ff21a1043587dcf921ae5f5cd
  SHA256: 4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
  SHA512: 2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
- C:\Users\Admin\AppData\Local\Temp\on3m1ycz.0rd\[email protected]
  Filesize: 431KB
  MD5: fbbdc39af1139aebba4da004475e8839
  SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
  SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  SHA512: 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
- C:\Users\Admin\AppData\Local\Temp\xkh0f1j5.yv0\[email protected]
  Filesize: 313KB
  MD5: fe1bc60a95b2c2d77cd5d232296a7fa4
  SHA1: c07dfdea8da2da5bad036e7c2f5d37582e1cf684
  SHA256: b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
  SHA512: 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
- Filesize: 261KB
  MD5: 7d80230df68ccba871815d68f016c282
  SHA1: e10874c6108a26ceedfc84f50881824462b5b6b6
  SHA256: f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
  SHA512: 64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
- Filesize: 193KB
  MD5: 8b3a7827a574eb8028e796ea337fffb8
  SHA1: 4112bd1bb956df29b7314f784a48c47ff8a2cd5d
  SHA256: 36e23e4195405a29d36eab82f5fffe5aff053a1cf16dff68bd0ab6746ddd0eee
  SHA512: d87ed2ca863cc34dd4019631908cc065bb22349407e9e68f1dd56c1e8f1fae73dbbcaac4bfef85bd151cdfceaa1f6d946681b9f0b2645bf3de31e1b5c692bf0a
- Filesize: 4B
  MD5: dc190f13c4e71349fff3025fa635f602
  SHA1: f1dac85e0f997bb10184e6f6490eaf14829fe574
  SHA256: 4dab8ae7f85626bb568456614e3dfd38648b549e7eb70d89be1d05a7e7be01dc
  SHA512: 404434d0f330a376e1003fd67add156cff53c27285150617d684346c2aab2e41e85caacfe1730e1b98db572825ee5614206626e8531fc6d41f09a5c0335aefb0
- Filesize: 4B
  MD5: ed7ceef7d9e9142201fc14b786d1216c
  SHA1: 0a0e293ed455f0c01d8127e3b7073b868758ff56
  SHA256: 334f70e9b952f20d693cf8c5857a4994936988ae5e9cbf613e0e69a6e68079b7
  SHA512: 6fa12d30b4fb34e2856f2f1ac6625e2e6af087b650cd7161bd540a208efcf5cdc07c169fd93bccb9ec37d94700a386a70fbebb0f8524fb06f3f1730e8df94ab0
- Filesize: 4B
  MD5: ddf643d0ac7369d926d06ca25d0f4dfa
  SHA1: 86d806a8a57fe64114ff2d573e815f642abb1cf9
  SHA256: 5095f1528ccc47be1e17ea14b0126ffce2de55f5fbfd3ac4c74c8a81383da889
  SHA512: 6f5add05100bf25afefa3e76140b000fcc85d55bfc02507ad98f83df2b5e375cb4e58140571e21c78c74ac79c2010ca979aac53787b9ad5c692a44f2518b3c23
- Filesize: 4B
  MD5: b2ce12d2246909faedd22eb62e0f7d3d
  SHA1: eea8940eae526e8bfe5eb2fa155c73f5eb860c06
  SHA256: d6c6d7da35af1879d2787d5c0d9566c6d267cea32e7bc8af4df19611173da3e2
  SHA512: d32b91ae99b1c6b7e2e4063e94aadc2ede9332d4e520f6d490f2be4f025f159cfe46f14e1f7bf35cd182942a969c0a9e23c369624c7ca1e106f65c680b1b3b47
- Filesize: 60KB
  MD5: 347ac3b6b791054de3e5720a7144a977
  SHA1: 413eba3973a15c1a6429d9f170f3e8287f98c21c
  SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
  SHA512: 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
- Filesize: 401KB
  MD5: 1d724f95c61f1055f0d02c2154bbccd3
  SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
  SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
  SHA512: f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113