1cdf0dcd13a46906d73588a4f2ef20637d25706ce90b53a7b6f1701c28cb3596

Resubmissions

26-03-2024 14:35

240326-ryecksfd5y 10

26-03-2024 14:27

240326-rse2xsfb8y 10

Analysis

max time kernel
38s
max time network
33s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
Size

314KB
MD5

f93ecc98e4c4659023b81397578201e3
SHA1

8c6ce5195b39239d219da8de3b4e757204f75f07
SHA256

9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a
SHA512

6835d190e85fa196e325d5b9e9833f88b22348b5e7dad7fe10aa2b065c66e61342cbf31fb8a4c1b5761a9f72b2f55d7eaeab9f8ee411ade6090327268a85a039
SSDEEP

6144:N/ox45SkZNudlSP7VeJCaYAbjJF7UjWDvtlP8A2KoGFn6NHCcWITEYlxHt9Nqw:NgScC03SPxSlYMF7UjWDvzPh2eFnDcWg

Score

10^/10

discovery evasion ransomware upx

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_READ_THI$_FILE_33QNII2_.txt

Ransom Note

CERBER RAN$OMWARE --- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! --- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: --- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/12EA-1E35-D050-0446-9493 Note! This page is available via "Tor Browser" only. --- Also you can use temporary addresses on your personal page without using "Tor Browser". --- 1. http://p27dokhpz2n7nvgr.1hpvzl.top/12EA-1E35-D050-0446-9493 2. http://p27dokhpz2n7nvgr.1pglcs.top/12EA-1E35-D050-0446-9493 3. http://p27dokhpz2n7nvgr.1cewld.top/12EA-1E35-D050-0446-9493 4. http://p27dokhpz2n7nvgr.1js3tl.top/12EA-1E35-D050-0446-9493 5. http://p27dokhpz2n7nvgr.1ajohk.top/12EA-1E35-D050-0446-9493 --- Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://p27dokhpz2n7nvgr.onion/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1hpvzl.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1pglcs.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1cewld.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1js3tl.top/12EA-1E35-D050-0446-9493

http://p27dokhpz2n7nvgr.1ajohk.top/12EA-1E35-D050-0446-9493

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

mshta.exe

flow pid process

2181 1016 mshta.exe
2184 1016 mshta.exe
Contacts a large (1091) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2016 netsh.exe
404 netsh.exe

flow	pid	process
2181	1016	mshta.exe
2184	1016	mshta.exe

pid	process
2016	netsh.exe
404	netsh.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral20/memory/1720-0-0x0000000000CA0000-0x0000000000CD4000-memory.dmp	upx
behavioral20/memory/1720-3-0x0000000000CA0000-0x0000000000CD4000-memory.dmp	upx

Drops file in System32 directory 38 IoCs

Processes:

9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp4930.bmp"	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

description	pid	process	target process
PID 1720 set thread context of 1924	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

Drops file in Program Files directory 20 IoCs

Processes:

9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

description	ioc	process
File opened for modification	\??\c:\program files\	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\onenote	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\steam	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\word	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\excel	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\office	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\the bat!	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\program files (x86)\	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

Drops file in Windows directory 64 IoCs

Processes:

9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

description	ioc	process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

description pid process

Token: SeShutdownPrivilege 1924 9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DllHost.exe

pid process

628 DllHost.exe
628 DllHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

description	pid	process
Token: SeShutdownPrivilege	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

pid	process
628	DllHost.exe
628	DllHost.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe

description	pid	process	target process
PID 1720 wrote to memory of 2848	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 2848	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 2848	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 2848	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 1924	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 1924	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 1924	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 1924	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 1924	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 1924	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 1924	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 1924	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 1924	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 1924	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1720 wrote to memory of 1924	1720	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
PID 1924 wrote to memory of 2016	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	netsh.exe
PID 1924 wrote to memory of 2016	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	netsh.exe
PID 1924 wrote to memory of 2016	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	netsh.exe
PID 1924 wrote to memory of 2016	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	netsh.exe
PID 1924 wrote to memory of 404	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	netsh.exe
PID 1924 wrote to memory of 404	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	netsh.exe
PID 1924 wrote to memory of 404	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	netsh.exe
PID 1924 wrote to memory of 404	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	netsh.exe
PID 1924 wrote to memory of 1016	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	mshta.exe
PID 1924 wrote to memory of 1016	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	mshta.exe
PID 1924 wrote to memory of 1016	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	mshta.exe
PID 1924 wrote to memory of 1016	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	mshta.exe
PID 1924 wrote to memory of 876	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	NOTEPAD.EXE
PID 1924 wrote to memory of 876	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	NOTEPAD.EXE
PID 1924 wrote to memory of 876	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	NOTEPAD.EXE
PID 1924 wrote to memory of 876	1924	9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
"C:\Users\Admin\AppData\Local\Temp\9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
C:\Users\Admin\AppData\Local\Temp\9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
2⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
C:\Users\Admin\AppData\Local\Temp\9a5a08d7a4579e11f59594fe053c8157c20ab74a7775a11a1aa6154a3eb6744a.exe
2⤵
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
3⤵
- Modifies Windows Firewall
PID:2016

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall reset
3⤵
- Modifies Windows Firewall
PID:404

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_READ_THI$_FILE_CWN7_.hta"
3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:1016

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_READ_THI$_FILE_33QNII2_.txt
3⤵
PID:876

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:628

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\_READ_THI$_FILE_33QNII2_.txt
Filesize
1KB

MD5
115ef07cc68d6ff4d144991709c92d76

SHA1
1267df1f384ed8a4fd970b0e24d1abef62fa6964

SHA256
af7e28007c1647432fd401c3f767b2f59ad1f5d5286bfea5f04a1236fa8445dc

SHA512
96dd3eea1ad347d37f86dd9808071147f5217872049ecded4154aa29c8977f989dc271afbb556ccc7030f8e99905daef40434cea0045d55083bec91e7969eccf

Download Submit
C:\Users\Admin\Desktop\_READ_THI$_FILE_CWN7_.hta
Filesize
75KB

MD5
62afa0aa1f2daf545964ad4446b881a3

SHA1
dfd44fed47ea0dba8330b20354ca23943c1d6122

SHA256
536389eb648d19de149d259403f8e076099bbf469b55329ad8b4d8eb218d5428

SHA512
2734138f301be72aff23228a0d10e138e550fb133af676a9144b9e3a613d8031a64667d5ac0dbcc707ee6f95d54973a1ddb9981b30cb478b1c3cf248fac47a5e

Download Submit
C:\Users\Admin\Desktop\_READ_THI$_FILE_WO2M8SKC_.jpeg
Filesize
150KB

MD5
4b8154d3f14a658e56762b117634540e

SHA1
af14b815a4e87170731267e9d454b4c09965ebca

SHA256
0992df0539b170c8a57bd280689a638eb0b5114f56f78068aad8f1e584ff74e2

SHA512
4006d0bf15495782bb69ff5cafe2d40fa2d1e135cac475013050a182491af042eaa942e5fd632d27cac317657a67dc69027d1bf347ee2c049313e38664991352

Download Submit
memory/628-110-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/628-88-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/628-87-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/1720-3-0x0000000000CA0000-0x0000000000CD4000-memory.dmp

Filesize
208KB

Download
memory/1720-2-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-0-0x0000000000CA0000-0x0000000000CD4000-memory.dmp

Filesize
208KB

Download
memory/1924-1-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-22-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-86-0x00000000004A0000-0x00000000004A2000-memory.dmp

Filesize
8KB

Download
memory/1924-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-109-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download