Analysis
-
max time kernel
127s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system -
submitted
12-04-2024 17:32
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20240412-en
General
-
Target
tmp.exe
-
Size
940KB
-
MD5
6e45b98d4ffb2d2b229f395272e35f99
-
SHA1
d8492fa2ca7ad3f1bd081ff43aa326fc65fc4311
-
SHA256
758600c927adb10386bfad3863e5fd950edf6340214628e5ea9260ddb994ac86
-
SHA512
ab71b249dbc676e72a9e27074c6b043af30bf4ceb2d157062879982273336dc1cbf6604e730bc343f9c71353cf171998f6d116f78ed4fa08bcc3d01dd17838ce
-
SSDEEP
24576:sBe5pdi9+vEJzbFHahHGP9S648nOUdP0P:3ezZahHL1PUy
Malware Config
Extracted
C:\Users\Admin\Contacts\HOW TO BACK FILES.txt
targetcompany
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures
-
Detect ZGRat V1 34 IoCs
resource | yara_rule
behavioral2/memory/5108-3-0x000001B4EE9C0000-0x000001B4EEC16000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-4-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-5-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-7-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-9-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-11-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-13-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-15-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-17-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-19-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-21-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-23-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-25-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-27-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-29-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-31-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-33-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-35-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-37-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-39-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-41-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-43-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-45-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-47-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-49-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-51-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-53-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-55-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-57-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-59-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-61-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-63-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-65-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
behavioral2/memory/5108-67-0x000001B4EE9C0000-0x000001B4EEC10000-memory.dmp | family_zgrat_v1
-
TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware family that encrypts files using a combination of ChaCha20, AES-128 and Curve25519; it was first seen in June 2021.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process
1724 bcdedit.exe
1192 bcdedit.exe
The two invocations (see the process tree) set bootstatuspolicy ignoreallfailures and recoveryenabled no on the current boot entry, which keeps Windows from entering Automatic Repair or the recovery environment after a failed boot; both changes require administrative rights and should be reverted during recovery.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation | tmp.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ydxhjxwf = "C:\\Users\\Admin\\AppData\\Roaming\\Ydxhjxwf.exe" | tmp.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) by tmp.exe on each of: \??\R:, \??\S:, \??\Z:, \??\E:, \??\B:, \??\H:, \??\J:, \??\K:, \??\Q:, \??\T:, \??\G:, \??\I:, \??\N:, \??\O:, \??\P:, \??\X:, \??\Y:, \??\D:, \??\M:, \??\U:, \??\V:, \??\W:, \??\A:, \??\L:
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
24 | api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 5108 set thread context of 4420 | 5108 tmp.exe | 91
The first tmp.exe (PID 5108) writes into a second instance of itself (PID 4420, see WriteProcessMemory below) and then resets that instance's thread context, the sequence typical of process hollowing; the drive enumeration, ransom-note drops, policy change and bcdedit commands that follow are all performed by PID 4420.
-
Drops file in Program Files directory 64 IoCs
description ioc Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\Java\jdk-1.8\legal\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\VideoLAN\VLC\locale\de\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Fonts\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\it-it\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-US\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\Microsoft Office\root\fre\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ms\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\View3d\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sv-se\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files\Java\jre-1.8\lib\images\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Content\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ro\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\reader\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-il\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-fr\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\HOW TO BACK FILES.txt | tmp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\he-il\HOW TO BACK FILES.txt | tmp.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\HOW TO BACK FILES.txt | tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
4420 tmp.exe
4420 tmp.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege | 5108 tmp.exe (2 entries)
Token: SeTakeOwnershipPrivilege | 4420 tmp.exe
Token: SeDebugPrivilege | 4420 tmp.exe
Token: SeTakeOwnershipPrivilege | 4420 tmp.exe (60 further entries)
-
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target
PID 5108 wrote to memory of 4420 | 5108 tmp.exe | 91 (10 entries)
PID 4420 wrote to memory of 2524 | 4420 tmp.exe | 92 (2 entries)
PID 4420 wrote to memory of 3272 | 4420 tmp.exe | 94 (2 entries)
PID 2524 wrote to memory of 1724 | 2524 cmd.exe | 97 (2 entries)
PID 3272 wrote to memory of 1192 | 3272 cmd.exe | 96 (2 entries)
-
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 5108)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 4420, child of 5108)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Checks computer location settings
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
        C:\Windows\System32\cmd.exe (PID 2524, child of 4420)
        Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
        - Suspicious use of WriteProcessMemory
            C:\Windows\system32\bcdedit.exe (PID 1724, child of 2524)
            Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit
        C:\Windows\System32\cmd.exe (PID 3272, child of 4420)
        Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
        - Suspicious use of WriteProcessMemory
            C:\Windows\system32\bcdedit.exe (PID 1192, child of 3272)
            Command line: bcdedit /set {current} recoveryenabled no
            - Modifies boot configuration data using bcdedit
-
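The behaviours in the process tree above (a bcdedit chain launched through cmd.exe, a Run-key write, the shutdownwithoutlogon policy change, a parent tmp.exe injecting into a second copy of itself, and one ransom note dropped into many directories) are the pattern a detection engineer would want to catch from endpoint telemetry rather than from a sandbox. The following is an added example written for this page, not code from the sandbox vendor or from the malware: it replays the report's PIDs, command lines, registry keys and drop paths as constructed event records and runs a small set of rules over them, attributing every hit to the root of its process tree. The record layout (kind, pid, ppid, image, cmdline, key, data, path, target, api), the unrelated PIDs 1000 and 2000, the README control record and the note-spray threshold are assumptions; the ATT&CK technique IDs are the standard ones for these behaviours.

```python
"""Triage heuristics over constructed endpoint telemetry for the tree above."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed telemetry. PIDs, command lines, registry keys and drop paths are
# copied from the report; the record layout (kind/pid/ppid/image/cmdline/...)
# is an assumption and not any real EDR or Sysmon schema.
EVENTS = [
    {"kind": "process", "pid": 5108, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmp.exe"'},
    {"kind": "process", "pid": 4420, "ppid": 5108,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmp.exe"'},
    {"kind": "inject", "pid": 5108, "target": 4420, "api": "SetThreadContext"},
    {"kind": "registry", "pid": 5108,
     "key": r"\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ydxhjxwf",
     "data": r"C:\Users\Admin\AppData\Roaming\Ydxhjxwf.exe"},
    {"kind": "process", "pid": 2524, "ppid": 4420, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures'},
    {"kind": "process", "pid": 1724, "ppid": 2524, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {current} bootstatuspolicy ignoreallfailures"},
    {"kind": "process", "pid": 3272, "ppid": 4420, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no'},
    {"kind": "process", "pid": 1192, "ppid": 3272, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {current} recoveryenabled no"},
    {"kind": "registry", "pid": 4420,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon",
     "data": "0"},
    {"kind": "file", "pid": 4420, "path": r"C:\Users\Admin\Contacts\HOW TO BACK FILES.txt"},
    {"kind": "file", "pid": 4420, "path": r"C:\Program Files\Java\jdk-1.8\legal\HOW TO BACK FILES.txt"},
    {"kind": "file", "pid": 4420, "path": r"C:\Program Files\VideoLAN\VLC\locale\de\HOW TO BACK FILES.txt"},
    {"kind": "file", "pid": 4420, "path": r"C:\Program Files\Microsoft Office\root\fre\HOW TO BACK FILES.txt"},
    {"kind": "file", "pid": 4420, "path": r"C:\Program Files\Windows Security\BrowserCore\en-US\HOW TO BACK FILES.txt"},
    # Constructed benign control: a single README from an unrelated process.
    {"kind": "file", "pid": 2000, "path": r"C:\Program Files\Example\README.txt"},
]

BCDEDIT_TAMPER = re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
NOTE_SPRAY_MIN_DIRS = 3  # assumed threshold; tune per environment


def ancestry(pid, procs):
    """Return [pid, parent, grandparent, ...] as far as the telemetry reaches."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def analyze(events):
    """Run the rules and attribute every hit to the root of its process tree."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    findings = []

    def hit(rule, pid, technique, detail):
        chain = ancestry(pid, procs)
        findings.append({"rule": rule, "pid": pid, "root": chain[-1] if chain else pid,
                         "technique": technique, "detail": detail})

    for e in events:
        if e["kind"] == "process":
            # Recovery tampering: bcdedit itself, regardless of the cmd.exe wrapper.
            if PureWindowsPath(e["image"]).name.lower() == "bcdedit.exe" and BCDEDIT_TAMPER.search(e["cmdline"]):
                hit("inhibit_system_recovery", e["pid"], "T1490", e["cmdline"])
        elif e["kind"] == "registry":
            name = PureWindowsPath(e["key"]).name.lower()
            if RUN_KEY.search(e["key"]):
                hit("run_key_persistence", e["pid"], "T1547.001", e["data"])
            elif name == "shutdownwithoutlogon":
                hit("logon_policy_change", e["pid"], "T1112", f"{name}={e['data']}")
        elif e["kind"] == "inject":
            # Thread-context reset into a child running the same image: hollowing.
            src, dst = procs.get(e["pid"]), procs.get(e["target"])
            if src and dst and src["image"].lower() == dst["image"].lower():
                hit("self_hollowing", e["pid"], "T1055.012", f"{e['api']} on child pid {e['target']}")

    # Ransom-note spray: one process writing the same file name into many directories.
    dirs = defaultdict(set)
    for e in events:
        if e["kind"] == "file":
            p = PureWindowsPath(e["path"])
            dirs[(e["pid"], p.name.lower())].add(str(p.parent).lower())
    for (pid, name), ds in dirs.items():
        if len(ds) >= NOTE_SPRAY_MIN_DIRS:
            hit("ransom_note_spray", pid, "T1486", f"{name} in {len(ds)} directories")
    return findings


def summarize(findings):
    """Group rule names by root process so one tree yields one verdict."""
    by_root = defaultdict(set)
    for f in findings:
        by_root[f["root"]].add(f["rule"])
    return {root: sorted(rules) for root, rules in by_root.items()}


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f['technique']}] {f['rule']:<24} pid={f['pid']} root={f['root']} {f['detail']}")
    print(summarize(analyze(EVENTS)))
```

Matching on bcdedit.exe rather than on the cmd.exe wrapper is deliberate: the same tampering can be launched from PowerShell, WMI or a scheduled task, and the bcdedit command line is the invariant. Rolling every hit up to the root PID is what turns five separate alerts into one incident on the first tmp.exe.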
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 17d337be835d2f6717acd1f9f4fcd6a6
SHA1 340bf47c5cd9aef6888cba1432c6636e76b89095
SHA256 c4c2e5e1824ff4d24dba80e0b77af1321883fc9d4679013b41216b56ee333bdd
SHA512 5c9e6871c7d279a573bf7947c43bcf67a1a8f2c11dcf3a3b1dbfd7fb3472ac5da154f9d1b1cae6d21018dfda1d53d617e396348436794979d5d3640a279520ba
-
Filesize
1KB
MD5 a7eb9b7f19ae1e0e99645bc2f1583c30
SHA1 e37b2c6b7c46f12e5a4c6c0a8a0c9b3e8eb08a4b
SHA256 547128d1a2d04981a2418a89ba996372c0537a499c90fd9db2cbc17a16fe46bc
SHA512 6bc66747516cd0580ef19b0a1c8a568b143a7db115fd81897c6c9b6dc53c549fd28fdf429b5610bd35af5f4d7ff9fc23496c634a32380b2410abee362e5c91b3