3526c74a22a6a7ff285bddc4a055d22e443bd2d9ceb47aa7bc20240256084787

Analysis

max time kernel
1565s
max time network
1567s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Generic_Ransom_1.exe
Size

1.8MB
MD5

84b51ee1b45d26e08c525d9c87a4945a
SHA1

04d9559bb0ed6e964b05d1583a7410eca837f1cf
SHA256

debfd1fb34df5c7047c3c8837cdda27b59e6044934447a8bb6878344847b74d8
SHA512

d3a4c07119ce03d1199ed2e6fb98b1504c171fe1d8ce1d71c33e2f2562ad0149e4fd5018ae837d9500761ad3d73f30c48d8c44d72438b048c8fd5f914d3549c9
SSDEEP

24576:sVLOUsdmcKn0RVIC0GN9eyS7QPkIIgmWmQL3taRHLM36T22CKRJqNE4u6FOcnDs7:stJ6F7PN3taRHwe3clnBowQg7K

Score

8^/10

persistence

Malware Config

Signatures

Registers new Print Monitor 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spoolsv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	spoolsv.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Generic_Ransom_1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Generic_Ransom_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Generic_Ransom_1.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Generic_Ransom_1.exe

description	ioc	process
File opened (read-only)	\??\L:	Generic_Ransom_1.exe
File opened (read-only)	\??\T:	Generic_Ransom_1.exe
File opened (read-only)	\??\V:	Generic_Ransom_1.exe
File opened (read-only)	\??\S:	Generic_Ransom_1.exe
File opened (read-only)	\??\Y:	Generic_Ransom_1.exe
File opened (read-only)	\??\Z:	Generic_Ransom_1.exe
File opened (read-only)	\??\G:	Generic_Ransom_1.exe
File opened (read-only)	\??\I:	Generic_Ransom_1.exe
File opened (read-only)	\??\O:	Generic_Ransom_1.exe
File opened (read-only)	\??\R:	Generic_Ransom_1.exe
File opened (read-only)	\??\Q:	Generic_Ransom_1.exe
File opened (read-only)	\??\W:	Generic_Ransom_1.exe
File opened (read-only)	\??\X:	Generic_Ransom_1.exe
File opened (read-only)	\??\E:	Generic_Ransom_1.exe
File opened (read-only)	\??\M:	Generic_Ransom_1.exe
File opened (read-only)	\??\N:	Generic_Ransom_1.exe
File opened (read-only)	\??\P:	Generic_Ransom_1.exe
File opened (read-only)	\??\H:	Generic_Ransom_1.exe
File opened (read-only)	\??\J:	Generic_Ransom_1.exe
File opened (read-only)	\??\K:	Generic_Ransom_1.exe
File opened (read-only)	\??\U:	Generic_Ransom_1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

Generic_Ransom_1.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBIOSDate Generic_Ransom_1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBIOSDate	Generic_Ransom_1.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0612FF81-EB77-11EE-AAE3-46DB0C2B2B48} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc2330000000002000000000010660000000100002000000004f5cabc05668882da720c7f03580a7146558998abaa3b3f6a007d5c3db8f176000000000e80000000020000200000002ba0211c69cf4f5d0bd50635ff3070eaa15e9c6e07d811d9a796c6868eca5eee90000000d9c2731cd6962f1eee0b8f8458a4f938700194620eb6ebd811e148c87ff4ec9c44249fa27ad7343aa3b2eb43f30d0f11b10921e8f4bedc80e91a8335a132243e29a9a11c49d6b48e24188ae68b8c4e83c8a4d930231dca51ce4aab2f6369114bcced29755a242a6f534e4afcb05fffd1a68a45b55a1b4b974698d83979050155c01b31ef82332326ed6267bae50b1fe5400000003671e7bcce7e8fc3f19fb6c2d0e3bc2f68c7d4f06b4e6c0c84a84c6b8fd8486ab0011a5d326a90097294c7163f0d1eae0be602dd0296d8aba386f50a5917f342	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 801807f4837fda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417622561"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000aa933822c1d73096a16dc566181bf6c5d2cd8d102750a453fc5488f34bb8b5b8000000000e8000000002000020000000b235b1f7a48de95e5bde4e8aa67d73bb77c2104b400dc911b80d82aeebd1ba3420000000f2c51036e0a80408bb16910b2b2951a05717cf4449c6fbc60213b4f4c4d6763e40000000ebe7816799f26d5242e3b15400955f7e3a5ac46ad18460c2ce750463f922948f44588ff9812857344a12823a66e361abbad9644bcc063d3ec37ad2aca0425d12	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

spoolsv.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne01:"	spoolsv.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Generic_Ransom_1.exe

pid process

1740 Generic_Ransom_1.exe
1740 Generic_Ransom_1.exe
1740 Generic_Ransom_1.exe
1740 Generic_Ransom_1.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

tcpsvcs.exe

pid process

2484 tcpsvcs.exe

pid	process
2484	tcpsvcs.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

spoolsv.exe

description	pid	process
Token: SeRestorePrivilege	3032	spoolsv.exe
Token: SeRestorePrivilege	3032	spoolsv.exe
Token: SeRestorePrivilege	3032	spoolsv.exe
Token: SeRestorePrivilege	3032	spoolsv.exe
Token: SeRestorePrivilege	3032	spoolsv.exe
Token: SeRestorePrivilege	3032	spoolsv.exe
Token: SeRestorePrivilege	3032	spoolsv.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2120 iexplore.exe

pid	process
2120	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Generic_Ransom_1.exeiexplore.exeIEXPLORE.EXE

pid	process
1740	Generic_Ransom_1.exe
1740	Generic_Ransom_1.exe
2120	iexplore.exe
2120	iexplore.exe
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

Generic_Ransom_1.execmd.exenet.execmd.exenet.exeiexplore.exe

description	pid	process	target process
PID 1740 wrote to memory of 2540	1740	Generic_Ransom_1.exe	cmd.exe
PID 1740 wrote to memory of 2540	1740	Generic_Ransom_1.exe	cmd.exe
PID 1740 wrote to memory of 2540	1740	Generic_Ransom_1.exe	cmd.exe
PID 1740 wrote to memory of 2540	1740	Generic_Ransom_1.exe	cmd.exe
PID 2540 wrote to memory of 2392	2540	cmd.exe	net.exe
PID 2540 wrote to memory of 2392	2540	cmd.exe	net.exe
PID 2540 wrote to memory of 2392	2540	cmd.exe	net.exe
PID 2540 wrote to memory of 2392	2540	cmd.exe	net.exe
PID 2392 wrote to memory of 2800	2392	net.exe	net1.exe
PID 2392 wrote to memory of 2800	2392	net.exe	net1.exe
PID 2392 wrote to memory of 2800	2392	net.exe	net1.exe
PID 2392 wrote to memory of 2800	2392	net.exe	net1.exe
PID 1740 wrote to memory of 2484	1740	Generic_Ransom_1.exe	tcpsvcs.exe
PID 1740 wrote to memory of 2484	1740	Generic_Ransom_1.exe	tcpsvcs.exe
PID 1740 wrote to memory of 2484	1740	Generic_Ransom_1.exe	tcpsvcs.exe
PID 1740 wrote to memory of 2484	1740	Generic_Ransom_1.exe	tcpsvcs.exe
PID 1740 wrote to memory of 2484	1740	Generic_Ransom_1.exe	tcpsvcs.exe
PID 1740 wrote to memory of 2484	1740	Generic_Ransom_1.exe	tcpsvcs.exe
PID 1740 wrote to memory of 2484	1740	Generic_Ransom_1.exe	tcpsvcs.exe
PID 1740 wrote to memory of 2484	1740	Generic_Ransom_1.exe	tcpsvcs.exe
PID 1740 wrote to memory of 2484	1740	Generic_Ransom_1.exe	tcpsvcs.exe
PID 1740 wrote to memory of 2484	1740	Generic_Ransom_1.exe	tcpsvcs.exe
PID 1740 wrote to memory of 2484	1740	Generic_Ransom_1.exe	tcpsvcs.exe
PID 1740 wrote to memory of 2484	1740	Generic_Ransom_1.exe	tcpsvcs.exe
PID 1740 wrote to memory of 2484	1740	Generic_Ransom_1.exe	tcpsvcs.exe
PID 1740 wrote to memory of 312	1740	Generic_Ransom_1.exe	cmd.exe
PID 1740 wrote to memory of 312	1740	Generic_Ransom_1.exe	cmd.exe
PID 1740 wrote to memory of 312	1740	Generic_Ransom_1.exe	cmd.exe
PID 1740 wrote to memory of 312	1740	Generic_Ransom_1.exe	cmd.exe
PID 312 wrote to memory of 1884	312	cmd.exe	net.exe
PID 312 wrote to memory of 1884	312	cmd.exe	net.exe
PID 312 wrote to memory of 1884	312	cmd.exe	net.exe
PID 312 wrote to memory of 1884	312	cmd.exe	net.exe
PID 1884 wrote to memory of 2008	1884	net.exe	net1.exe
PID 1884 wrote to memory of 2008	1884	net.exe	net1.exe
PID 1884 wrote to memory of 2008	1884	net.exe	net1.exe
PID 1884 wrote to memory of 2008	1884	net.exe	net1.exe
PID 1740 wrote to memory of 2120	1740	Generic_Ransom_1.exe	iexplore.exe
PID 1740 wrote to memory of 2120	1740	Generic_Ransom_1.exe	iexplore.exe
PID 1740 wrote to memory of 2120	1740	Generic_Ransom_1.exe	iexplore.exe
PID 1740 wrote to memory of 2120	1740	Generic_Ransom_1.exe	iexplore.exe
PID 2120 wrote to memory of 2192	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2192	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2192	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2192	2120	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Generic_Ransom_1.exe
"C:\Users\Admin\AppData\Local\Temp\Generic_Ransom_1.exe"
1⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net stop Spooler
2⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\net.exe
net stop Spooler
3⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Spooler
4⤵
PID:2800

C:\Windows\SysWOW64\tcpsvcs.exe
"C:\Users\Admin\AppData\Local\Temp\Generic_Ransom_12.exe"
2⤵
- Suspicious behavior: MapViewOfSection
PID:2484

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net start Spooler
2⤵
- Suspicious use of WriteProcessMemory
PID:312

C:\Windows\SysWOW64\net.exe
net start Spooler
3⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Spooler
4⤵
PID:2008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://blog.sina.com.cn/lanyezi725
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2652

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Registers new Print Monitor
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
9202d4d600d60c4b66fa8d13167675a7

SHA1
b2202cf76e2427e0245debab5c3eb0d7aaa9d768

SHA256
f8021fa1049c6d7e18d0b13223762bffba2d29a4f9d63765148c0c421e848f3f

SHA512
d3367aedd8d9b5a28651e6ca7c51899cde1377538a445d792451bec2073d099ad1177c4de77e288bc6600e44a8da557681cb1a6ddf799744ed0eeae6f880505b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
eb6b81a73c6b8e4ad0a3a724f2d6534c

SHA1
69b201121a9d17e30cd9b034449a3a8ef9cbf986

SHA256
85dcdb0ff95808cf3af7343db4eee32b91c2830917a9881bdec25d5c1970a527

SHA512
1447e5b192d4923c2dad62034ba7844a4be91a62b0db64335aa3040ef58e47a5fa08aca3cc9695bd73775e73640f98456e6199f892a9af2a786486d85d0c1b42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
9ced2a01227c9dfa69df93932d38d724

SHA1
f2cc39f698c7cc677d50719ae674d0516e3a5cdf

SHA256
e2f0ea3f3d03083b0476c654e018daea682febe4a1d07170c83f6afbef943145

SHA512
c338636e4c655abe0e2d9fc6f2115ccf2c3dedb2bb6fc5f952c01830133b3a7623fe3c03d09e8dbd2ee2e8bf2873dd929cb4cd6fb819b49481182d9b45d30894

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
2dfb937ebfef1954c282723e531db0b1

SHA1
a9e1128c9b61ac643c386e41513d60c0d862fc3e

SHA256
7c9bb88a9c248aedaa6f970d92bf189c45db25c7ab668b972be73df1b82ad915

SHA512
4601be3878bc1f2e6eca606a7730336f17b54db3549075dbda0d049bbaa5cfd6db6785a0689a255201ece9cdabe2bb3aebd03dc2df56f976bba82034a0b30580

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d1dc56e7a8b9af1c2b85e5aaf6807feb

SHA1
3bb704b6214e868e394e98613918198365d85330

SHA256
1e0404692d62cb0da1eec1e220b5625bd87a7de3953ea46802cd5224dcfd6f68

SHA512
9088d3281bd20c28b907a28f7a7cc62d40691c90e1e5130ae1b99218a29be123e43b05a80eef773e4be4cc4d42ed0f4afa970a39d6e9b7a5e9433dfdb3159f32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
fa1c50a370ea2d838858fd12e6ccfb65

SHA1
e58dcb2c936ed92502ee3e8bf341371819200f2d

SHA256
5764afb87e799aabbc9cf32e466d88aafb33faa7f271352d7d4ac73bb65b61bf

SHA512
ae678d187abb74ddb9f7e1689622e433b682f11221a4a4e116fa1b8689247fec701ece3ce191bf206e769d0e7578edb4877958a9737cf385ccb7d6a1e435dd37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
9293b30a823a8bb3026d1f5a2ab86a55

SHA1
c48f44aabaf78b62282d63b3efe3bb0596d39ea0

SHA256
932a50ca30febeadfd745cf6365f2ec122cd051bf21f17302ff77b2a262d390b

SHA512
828b84e1e7e8eb1357229c766554e4189459fa27f5a8bfc57f3bdebcc0336813f82c55e719fe9a925cc103517ef56e569f04dbae702d3e53482cd18014918b1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
92140799463c3fa0e8fa079fd629a383

SHA1
fb943d60b117349c2ec8aaaa275bd7e7f0ed17b1

SHA256
e08ab024d330628768d09e79377a045ab54602f128bd6ac67ff3fd2001b20632

SHA512
600a86cd607e8a6f291510d02ef53d836ac2058ed4e139172d6d438de6d5c6a4e04ce9d4019f3e1293cec331ce47ed82c77fb7e8efc1fd925c3185b6ef7316c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
8ba33e2cf0c8b04a42d8324d0e438ae9

SHA1
a3d5d40017439d3d50a3791d6486af9e6f6f955d

SHA256
1f83032e52503afde247383e802d022e9699ba7d7545a2a613dcb819104b1d10

SHA512
faa85863690e8ffbaca6e33cb7ed0621f96c7b8ef105d3b6d7c3dcbbcc2b9022a24ab11694e0e5138ddda7c066f28e4a101384ff87771882f07f140564a3dde5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
8d94ed9d1b06d7d6e68478bd877137f4

SHA1
22d1ac0040c5f53ae5fba2b50652ab80ec933844

SHA256
2e9f6a58038c7cfd4af1462a2ccf9c35258892f0ec8372e619ffdcdadeac94c0

SHA512
060a4f816c04aefe83a0b14746b99455861a380d52a6ce156bfaf604679ea6076aa9ac95d829ca071ee5f0ccd6c2826802c601d9d94e281bd9943151157cd52a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
53d62fa7486a7aa886173b2e33034ccf

SHA1
36f32743d641973aefd1b02b213b48a2ff72bb26

SHA256
e5b1e1183124533acebb50f3570e1c0d62b8f5b0ca7ad9c1c77008c5a405aaab

SHA512
78a30e3214865f164e7d45cbf154c460c58f98313795efa1ed661235c7b84bf91b77185e8392193a5f0865bef17a1dfcf2fd241e1bf5a1bcb55f8f16a349e596

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab486.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B6.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
memory/1740-24-0x0000000076C50000-0x0000000076C51000-memory.dmp

Filesize
4KB

Download
memory/1740-37-0x0000000077530000-0x0000000077531000-memory.dmp

Filesize
4KB

Download
memory/1740-13-0x0000000000660000-0x000000000066B000-memory.dmp

Filesize
44KB

Download
memory/1740-16-0x0000000077520000-0x0000000077521000-memory.dmp

Filesize
4KB

Download
memory/1740-17-0x0000000076CE0000-0x0000000076CE1000-memory.dmp

Filesize
4KB

Download
memory/1740-18-0x0000000076D10000-0x0000000076D11000-memory.dmp

Filesize
4KB

Download
memory/1740-19-0x0000000076D00000-0x0000000076D01000-memory.dmp

Filesize
4KB

Download
memory/1740-20-0x0000000076D50000-0x0000000076D51000-memory.dmp

Filesize
4KB

Download
memory/1740-21-0x0000000076D40000-0x0000000076D41000-memory.dmp

Filesize
4KB

Download
memory/1740-22-0x0000000076D70000-0x0000000076D71000-memory.dmp

Filesize
4KB

Download
memory/1740-23-0x0000000076CD0000-0x0000000076CD1000-memory.dmp

Filesize
4KB

Download
memory/1740-25-0x00000000034E0000-0x00000000035E1000-memory.dmp

Filesize
1.0MB

Download
memory/1740-14-0x0000000076C20000-0x0000000076C21000-memory.dmp

Filesize
4KB

Download
memory/1740-26-0x0000000076C40000-0x0000000076C41000-memory.dmp

Filesize
4KB

Download
memory/1740-28-0x0000000076CB0000-0x0000000076CB1000-memory.dmp

Filesize
4KB

Download
memory/1740-27-0x0000000076D80000-0x0000000076D81000-memory.dmp

Filesize
4KB

Download
memory/1740-29-0x0000000076CA0000-0x0000000076CA1000-memory.dmp

Filesize
4KB

Download
memory/1740-35-0x0000000077130000-0x0000000077131000-memory.dmp

Filesize
4KB

Download
memory/1740-34-0x0000000076BC0000-0x0000000076BC1000-memory.dmp

Filesize
4KB

Download
memory/1740-15-0x0000000076CC0000-0x0000000076CC1000-memory.dmp

Filesize
4KB

Download
memory/1740-36-0x0000000076CF0000-0x0000000076CF1000-memory.dmp

Filesize
4KB

Download
memory/1740-33-0x0000000076BE0000-0x0000000076BE1000-memory.dmp

Filesize
4KB

Download
memory/1740-32-0x0000000076BF0000-0x0000000076BF1000-memory.dmp

Filesize
4KB

Download
memory/1740-31-0x0000000076C00000-0x0000000076C01000-memory.dmp

Filesize
4KB

Download
memory/1740-30-0x0000000076C10000-0x0000000076C11000-memory.dmp

Filesize
4KB

Download
memory/1740-38-0x0000000076BD0000-0x0000000076BD1000-memory.dmp

Filesize
4KB

Download
memory/1740-39-0x0000000076C90000-0x0000000076C91000-memory.dmp

Filesize
4KB

Download
memory/1740-40-0x0000000076C80000-0x0000000076C81000-memory.dmp

Filesize
4KB

Download
memory/1740-42-0x0000000004D40000-0x0000000004D67000-memory.dmp

Filesize
156KB

Download
memory/1740-4-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1740-3-0x00000000034E0000-0x00000000035E1000-memory.dmp

Filesize
1.0MB

Download
memory/1740-2-0x00000000034E0000-0x00000000035E1000-memory.dmp

Filesize
1.0MB

Download
memory/1740-1-0x00000000034E0000-0x00000000035E1000-memory.dmp

Filesize
1.0MB

Download
memory/1740-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1740-41-0x0000000004BA0000-0x0000000004D3D000-memory.dmp

Filesize
1.6MB

Download
memory/1740-43-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/1740-44-0x0000000004FE0000-0x0000000005104000-memory.dmp

Filesize
1.1MB

Download
memory/1740-45-0x0000000005110000-0x00000000052D4000-memory.dmp

Filesize
1.8MB

Download
memory/1740-92-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2484-66-0x0000000077560000-0x0000000077561000-memory.dmp

Filesize
4KB

Download
memory/2484-103-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-75-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-74-0x0000000076CD0000-0x0000000076CD1000-memory.dmp

Filesize
4KB

Download
memory/2484-65-0x0000000076D70000-0x0000000076D71000-memory.dmp

Filesize
4KB

Download
memory/2484-76-0x0000000076CC0000-0x0000000076CC1000-memory.dmp

Filesize
4KB

Download
memory/2484-80-0x0000000076D30000-0x0000000076D31000-memory.dmp

Filesize
4KB

Download
memory/2484-83-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-82-0x0000000077080000-0x0000000077081000-memory.dmp

Filesize
4KB

Download
memory/2484-81-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-79-0x0000000076CB0000-0x0000000076CB1000-memory.dmp

Filesize
4KB

Download
memory/2484-84-0x0000000077530000-0x0000000077531000-memory.dmp

Filesize
4KB

Download
memory/2484-86-0x0000000076C90000-0x0000000076C91000-memory.dmp

Filesize
4KB

Download
memory/2484-85-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-88-0x0000000077000000-0x0000000077001000-memory.dmp

Filesize
4KB

Download
memory/2484-87-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-90-0x0000000077020000-0x0000000077021000-memory.dmp

Filesize
4KB

Download
memory/2484-89-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-91-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-94-0x0000000076D60000-0x0000000076D61000-memory.dmp

Filesize
4KB

Download
memory/2484-93-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-96-0x0000000076CA0000-0x0000000076CA1000-memory.dmp

Filesize
4KB

Download
memory/2484-95-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-97-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-98-0x0000000076D80000-0x0000000076D81000-memory.dmp

Filesize
4KB

Download
memory/2484-100-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-99-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-102-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-101-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-72-0x0000000076D50000-0x0000000076D51000-memory.dmp

Filesize
4KB

Download
memory/2484-104-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-105-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-106-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-107-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-108-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-109-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-110-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-111-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-112-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-222-0x0000000077130000-0x0000000077131000-memory.dmp

Filesize
4KB

Download
memory/2484-223-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/2484-226-0x0000000077510000-0x0000000077511000-memory.dmp

Filesize
4KB

Download
memory/2484-228-0x0000000077060000-0x0000000077061000-memory.dmp

Filesize
4KB

Download
memory/2484-67-0x0000000076D40000-0x0000000076D41000-memory.dmp

Filesize
4KB

Download
memory/2484-70-0x0000000076CF0000-0x0000000076CF1000-memory.dmp

Filesize
4KB

Download
memory/2484-68-0x0000000076D00000-0x0000000076D01000-memory.dmp

Filesize
4KB

Download
memory/2484-69-0x000000007EF70000-0x000000007EF76000-memory.dmp

Filesize
24KB

Download
memory/2484-56-0x0000000010000000-0x0000000010101000-memory.dmp

Filesize
1.0MB

Download
memory/2484-55-0x0000000010000000-0x0000000010101000-memory.dmp

Filesize
1.0MB

Download
memory/2484-54-0x0000000010000000-0x0000000010101000-memory.dmp

Filesize
1.0MB

Download
memory/2484-53-0x0000000010000000-0x0000000010101000-memory.dmp

Filesize
1.0MB

Download
memory/2484-48-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2484-47-0x0000000010000000-0x0000000010101000-memory.dmp

Filesize
1.0MB

Download
memory/2484-230-0x0000000077050000-0x0000000077051000-memory.dmp

Filesize
4KB

Download
memory/2484-238-0x000000007DF00000-0x000000007DF04000-memory.dmp

Filesize
16KB

Download
memory/2484-240-0x000000007DEF0000-0x000000007DEF4000-memory.dmp

Filesize
16KB

Download
memory/2484-292-0x0000000010000000-0x0000000010101000-memory.dmp

Filesize
1.0MB

Download