hxxps://samples[.]vx-underground[.]org/Samples/Families/CryptoFortress/26F13C4AD8C1CCF81E80A556CF6DB0AF[.]7z

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://samples.vx-underground.org/Samples/Families/CryptoFortress/26F13C4AD8C1CCF81E80A556CF6DB0AF.7z

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

26F13C4AD8C1CCF81E80A556CF6DB0AF.exe26F13C4AD8C1CCF81E80A556CF6DB0AF.exe

pid process

5656 26F13C4AD8C1CCF81E80A556CF6DB0AF.exe
5180 26F13C4AD8C1CCF81E80A556CF6DB0AF.exe

pid	process
5656	26F13C4AD8C1CCF81E80A556CF6DB0AF.exe
5180	26F13C4AD8C1CCF81E80A556CF6DB0AF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ydkmunav = "C:\\Windows\\isopejom.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

26F13C4AD8C1CCF81E80A556CF6DB0AF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	26F13C4AD8C1CCF81E80A556CF6DB0AF.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

26F13C4AD8C1CCF81E80A556CF6DB0AF.exe26F13C4AD8C1CCF81E80A556CF6DB0AF.exe

description	pid	process	target process
PID 5656 set thread context of 5180	5656	26F13C4AD8C1CCF81E80A556CF6DB0AF.exe	26F13C4AD8C1CCF81E80A556CF6DB0AF.exe
PID 5180 set thread context of 5400	5180	26F13C4AD8C1CCF81E80A556CF6DB0AF.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\isopejom.exe explorer.exe
File created C:\Windows\isopejom.exe explorer.exe

description	ioc	process
File opened for modification	C:\Windows\isopejom.exe	explorer.exe
File created	C:\Windows\isopejom.exe	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

5276 vssadmin.exe

pid	process
5276	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585106186842507"	chrome.exe

Modifies registry class 3 IoCs

Processes:

7zFM.exeOpenWith.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1364 chrome.exe
1364 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

5804 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1364 chrome.exe
1364 chrome.exe

pid	process
5804	7zFM.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

chrome.exe7zFM.exe7zFM.exevssvc.exe7zFM.exe

description	pid	process
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeRestorePrivilege	5804	7zFM.exe
Token: 35	5804	7zFM.exe
Token: SeSecurityPrivilege	5804	7zFM.exe
Token: SeSecurityPrivilege	5804	7zFM.exe
Token: SeRestorePrivilege	3608	7zFM.exe
Token: 35	3608	7zFM.exe
Token: SeBackupPrivilege	5332	vssvc.exe
Token: SeRestorePrivilege	5332	vssvc.exe
Token: SeAuditPrivilege	5332	vssvc.exe
Token: SeRestorePrivilege	4224	7zFM.exe
Token: 35	4224	7zFM.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

chrome.exe7zFM.exe7zFM.exe7zFM.exe

pid	process
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
5804	7zFM.exe
5804	7zFM.exe
5804	7zFM.exe
5804	7zFM.exe
3608	7zFM.exe
4224	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

OpenWith.exe

pid process

6040 OpenWith.exe
6040 OpenWith.exe
6040 OpenWith.exe
6040 OpenWith.exe
6040 OpenWith.exe

pid	process
6040	OpenWith.exe
6040	OpenWith.exe
6040	OpenWith.exe
6040	OpenWith.exe
6040	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1364 wrote to memory of 5032	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5032	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3980	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2788	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2788	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 2884	1364	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://samples.vx-underground.org/Samples/Families/CryptoFortress/26F13C4AD8C1CCF81E80A556CF6DB0AF.7z
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd91f9ab58,0x7ffd91f9ab68,0x7ffd91f9ab78
2⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1916,i,18358045287082192094,4226549496297559519,131072 /prefetch:2
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1916,i,18358045287082192094,4226549496297559519,131072 /prefetch:8
2⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1916,i,18358045287082192094,4226549496297559519,131072 /prefetch:8
2⤵
PID:2884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1916,i,18358045287082192094,4226549496297559519,131072 /prefetch:1
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1916,i,18358045287082192094,4226549496297559519,131072 /prefetch:1
2⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1916,i,18358045287082192094,4226549496297559519,131072 /prefetch:8
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1916,i,18358045287082192094,4226549496297559519,131072 /prefetch:8
2⤵
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1916,i,18358045287082192094,4226549496297559519,131072 /prefetch:8
2⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1916,i,18358045287082192094,4226549496297559519,131072 /prefetch:8
2⤵
PID:1612

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5148

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\26F13C4AD8C1CCF81E80A556CF6DB0AF.7z"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5804

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6040

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\26F13C4AD8C1CCF81E80A556CF6DB0AF"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3608

C:\Users\Admin\Desktop\26F13C4AD8C1CCF81E80A556CF6DB0AF.exe
"C:\Users\Admin\Desktop\26F13C4AD8C1CCF81E80A556CF6DB0AF.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5656

C:\Users\Admin\Desktop\26F13C4AD8C1CCF81E80A556CF6DB0AF.exe
"C:\Users\Admin\Desktop\26F13C4AD8C1CCF81E80A556CF6DB0AF.exe" ¬C:\Users\Admin\Desktop\26F13C4AD8C1CCF81E80A556CF6DB0AF.exe
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:5180

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:5400

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:5276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5332

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\26F13C4AD8C1CCF81E80A556CF6DB0AF.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4224

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\StartMeasure.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:5076

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\8c03928f60024e35b5f9dfd1b98e2a19 /t 4612 /p 5076
1⤵
PID:32

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uwiryzenebaxoxoc\01000000
Filesize
446KB

MD5
fb64685de68331c847a7effc563b8c48

SHA1
7c8e8281d037fc91d7613ec85a34f8a6d42840e2

SHA256
d31f0e85d0cad4ed15fa7d34ec404c263f2783a94094e8133e6628231b3b1d09

SHA512
a48c220c5453224a5cda463a3a45f62ce001a2124dc2b382b35ee71be07c1c17d8d7db7700d488f1978a6cad36e4d3f802d880045610104dee0b6149d436938b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
8d1b1e0ce2c49e5cf187f0adb0c0fdee

SHA1
2cfb4c5c94e2f419b309b9d11f135c8791e11aea

SHA256
233486c2e9d52fe4839bd98cd49bf63918926d7dbd92e835bad4a38a36fec2cc

SHA512
c51b7d139236f1194a217ef250ed231c62828713288226468944fb1f425849f5609001a431adb01cdc721553c52b7a3e1bc83fba75084c4a3d471f274b096b24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
a91066b6dbbd1a22b173ccf7be3aed93

SHA1
40587bde36071ca5fc6c0a1a180ff30e50ae4c0c

SHA256
794b566fdfe517da8db1d4889ddfea4253edc44b25144024303c1581a0ee2dd9

SHA512
a9e325a4a0d908504d0a5aa64c4d6a1c267e8936b0f4d9167bef4dabdc9f25209096352a10d3f80719cd855a7d7ee61d3bdc8e0dc6782114fdd5815770e6d294

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
250KB

MD5
3a48a679c39e8d26a8f70008478730a8

SHA1
1258a10bee280900c36c5bacd2eb31ba1a67cd42

SHA256
bbbfc90779e2dcaae09893f49535c1edac5ce26f330b7add776deb1bd19f2d92

SHA512
a725e2c048cbc3276f1bb56ff0408fb4737781d15f8c592383124ac5b08acd45b9aa8150ed8e8180e279f3a34999fa9e32ff22242435b4a58dcdc2789476dd51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
250KB

MD5
175976f167e2e7b418a542f580150e90

SHA1
590989cdc97125ef3d0bde348e9c31447f4bb43d

SHA256
21cbee84ce1cdc744fd1618106a7e1300c31bbb43c2e37ac3e41fc833cce6c5e

SHA512
d60d54447ffa5f39f1252cbc5938111929f45865143ec0148052274ddb99a2e3beb8aded8dd0069339e32f756ecb1419dbbcc96e3ea745218bbb721e75b5e329

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECA6B6B97\26F13C4AD8C1CCF81E80A556CF6DB0AF
Filesize
446KB

MD5
26f13c4ad8c1ccf81e80a556cf6db0af

SHA1
c8518e3d8ad1687496c035ba4a5911d293240d0c

SHA256
f26ebe5f5c6524b8055b4523621c4bc6f92b9eb008120b63e55dec2212554ba5

SHA512
c02aa49b4cbbdfaaf1f34170101933c3f52ba8ddcba3203b10f88bd34863501543d1386e46a2e9ad2eee20b077cfc0cd3bf70b0e74769ffc236afc283c1bc887

Download Submit
C:\Users\Admin\Downloads\26F13C4AD8C1CCF81E80A556CF6DB0AF.7z.crdownload
Filesize
263KB

MD5
6400887139f7015ac3ea2756932d9b4e

SHA1
a97e311529a2b4326511e4abd0dad7a8d50b5cae

SHA256
007142531f029d86bbb3c8dfd2efe45f3f913c309b7432cc960551049afbb9eb

SHA512
9084a6b7297ee4e1174869edc5df5f4b94828a1e06bbcdcc6910ad8466e17e6721f06d2afcbdeee5a6213e1b19a956eade7504134bbd08c7050a17991eb9c8a7

Download Submit
\??\pipe\crashpad_1364_FJOBUOEYCIUUXYLB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5180-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5180-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5180-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5180-150-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5180-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5400-147-0x0000000000E00000-0x0000000000E3D000-memory.dmp

Filesize
244KB

Download
memory/5400-154-0x0000000000E00000-0x0000000000E3D000-memory.dmp

Filesize
244KB

Download
memory/5400-158-0x0000000000E00000-0x0000000000E3D000-memory.dmp

Filesize
244KB

Download
memory/5400-160-0x0000000000E00000-0x0000000000E3D000-memory.dmp

Filesize
244KB

Download
memory/5656-143-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download