Analysis

max time kernel: 146s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 12-05-2024 02:30
Static task: static1

Behavioral task: behavioral1
  Sample: 31318ee80570c7168708575f032ac63f.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 31318ee80570c7168708575f032ac63f.exe
  Resource: win10v2004-20240426-en

Behavioral task: behavioral3
  Sample: $PLUGINSDIR/InstallOptions.dll
  Resource: win7-20240221-en

Behavioral task: behavioral4
  Sample: $PLUGINSDIR/InstallOptions.dll
  Resource: win10v2004-20240426-en

Behavioral task: behavioral5
  Sample: $PLUGINSDIR/System.dll
  Resource: win7-20240215-en

Behavioral task: behavioral6
  Sample: $PLUGINSDIR/System.dll
  Resource: win10v2004-20240426-en

Behavioral task: behavioral7
  Sample: 403-3.htm
  Resource: win7-20240419-en

Behavioral task: behavioral8
  Sample: 403-3.htm
  Resource: win10v2004-20240508-en

Behavioral task: behavioral9
  Sample: HelpButton.dll
  Resource: win7-20240221-en

Behavioral task: behavioral10
  Sample: HelpButton.dll
  Resource: win10v2004-20240426-en
General

Target: 31318ee80570c7168708575f032ac63f.exe
Size: 257KB
MD5: 31318ee80570c7168708575f032ac63f
SHA1: 82a8589abd62b469c4ec3c454434a75a63f8b2c6
SHA256: 849b68c42ca9935f63aea47b02a730b64d0dcb9897e589fee3f64175bc592d84
SHA512: bd0e851945ad1b2fd726976e5f03f4fad934f598cb8d936c59922afeb8e2cb575dc1a20a008bede70db26f4d6a91eb73d822539c59da7f5975e4244bc65440bc
SSDEEP: 6144:ewHysO+dCW3EWXJ44UMa6ZhZoXtMQJCIEFTcdGwJ:VO+EW3TXiNMlSXOQJpAcIwJ
Malware Config

Extracted from: C:\Users\Admin\Downloads\# DECRYPT MY FILES #.txt
  http://52uo5k3t73ypjije.7156et.bid/C044-2930-536C-005C-93C3
  http://52uo5k3t73ypjije.8kcfnk.bid/C044-2930-536C-005C-93C3
  http://52uo5k3t73ypjije.csv7o6.bid/C044-2930-536C-005C-93C3
  http://52uo5k3t73ypjije.jal9lk.bid/C044-2930-536C-005C-93C3
  http://52uo5k3t73ypjije.onion.to/C044-2930-536C-005C-93C3
  http://52uo5k3t73ypjije.onion/C044-2930-536C-005C-93C3

Extracted from: C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html
Signatures

Cerber (2 IoCs)
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Processes: 31318ee80570c7168708575f032ac63f.exe, TSTheme.exe
  description | ioc | process
  Mutant opened | shell.{0CB58E3A-4515-A5AD-2ECC-9037963119C9} | 31318ee80570c7168708575f032ac63f.exe
  Mutant created | shell.{0CB58E3A-4515-A5AD-2ECC-9037963119C9} | TSTheme.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, TSTheme.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 31318ee80570c7168708575f032ac63f.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | TSTheme.exe

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes: bcdedit.exe, bcdedit.exe
  pid | process
  1768 | bcdedit.exe
  1968 | bcdedit.exe

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, TSTheme.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\TSTheme.exe\"" | 31318ee80570c7168708575f032ac63f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\TSTheme.exe\"" | TSTheme.exe

Contacts a large (514) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Deletes itself (1 IoC)
Processes: cmd.exe
  pid | process
  2460 | cmd.exe

Drops startup file (1 IoC)
Processes: 31318ee80570c7168708575f032ac63f.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\TSTheme.lnk | 31318ee80570c7168708575f032ac63f.exe

Executes dropped EXE (2 IoCs)
Processes: TSTheme.exe, TSTheme.exe
  pid | process
  2388 | TSTheme.exe
  1600 | TSTheme.exe

Loads dropped DLL (5 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, 31318ee80570c7168708575f032ac63f.exe, TSTheme.exe
  pid | process
  1612 | 31318ee80570c7168708575f032ac63f.exe
  1612 | 31318ee80570c7168708575f032ac63f.exe
  2576 | 31318ee80570c7168708575f032ac63f.exe
  2388 | TSTheme.exe
  2388 | TSTheme.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, TSTheme.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSTheme = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\TSTheme.exe\"" | 31318ee80570c7168708575f032ac63f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\TSTheme = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\TSTheme.exe\"" | 31318ee80570c7168708575f032ac63f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSTheme = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\TSTheme.exe\"" | TSTheme.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\TSTheme = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\TSTheme.exe\"" | TSTheme.exe

Checks whether UAC is enabled
Processes: TSTheme.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | TSTheme.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  3 | ip-api.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: TSTheme.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp872A.bmp" | TSTheme.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, TSTheme.exe
  description | pid | process | target process
  PID 1612 set thread context of 2576 | 1612 | 31318ee80570c7168708575f032ac63f.exe | 31318ee80570c7168708575f032ac63f.exe
  PID 2388 set thread context of 1600 | 2388 | TSTheme.exe | TSTheme.exe

Drops file in Program Files directory (15 IoCs)
Processes: TSTheme.exe
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.vbs | TSTheme.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.url | TSTheme.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.ini | TSTheme.exe
  File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.html | TSTheme.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE | TSTheme.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE | TSTheme.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.txt | TSTheme.exe
  File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.url | TSTheme.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE | TSTheme.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.vbs | TSTheme.exe
  File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.txt | TSTheme.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE | TSTheme.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml | TSTheme.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.html | TSTheme.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE | TSTheme.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (2 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\TSTheme.exe | nsis_installer_1
  \Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\TSTheme.exe | nsis_installer_2

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  pid | process
  2464 | vssadmin.exe

Kills process with taskkill (2 IoCs)
Processes: taskkill.exe, taskkill.exe
  pid | process
  2824 | taskkill.exe
  2908 | taskkill.exe

Modifies Control Panel (4 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, TSTheme.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop | 31318ee80570c7168708575f032ac63f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\TSTheme.exe\"" | 31318ee80570c7168708575f032ac63f.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop | TSTheme.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{13610826-3503-134D-4C2C-C16FE04D06AA}\\TSTheme.exe\"" | TSTheme.exe

Modifies Internet Explorer settings
Processes: iexplore.exe, iexplore.exe, IEXPLORE.EXE
All keys below are relative to \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\
  description | ioc | process
  Key created | LowRegistry\DOMStorage | iexplore.exe
  Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | BrowserEmulation\LowMic | iexplore.exe
  Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | PageSetup | iexplore.exe
  Key created | InternetRegistry | iexplore.exe
  Key created | Recovery\AdminActive | iexplore.exe
  Set value (str) | Main\FullScreen = "no" | iexplore.exe
  Key created | Main | iexplore.exe
  Key created | LowRegistry | iexplore.exe
  Key created | Toolbar\WebBrowser | iexplore.exe
  Key created | GPU | iexplore.exe
  Key created | IETld\LowMic | iexplore.exe
  Key created | InternetRegistry | iexplore.exe
  Key created | Toolbar | iexplore.exe
  Key created | Zoom | iexplore.exe
  Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | Zoom | iexplore.exe
  Key created | Main\WindowsSearch | iexplore.exe
  Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | Main | iexplore.exe
  Key created | LowRegistry | iexplore.exe
  Key created | IETld\LowMic | iexplore.exe
  Key created | IntelliForms | iexplore.exe
  Key created | PageSetup | iexplore.exe
  Key created | Toolbar | iexplore.exe
  Set value (int) | Recovery\AdminActive\{E1E63A41-1007-11EF-8706-CEEE273A2359} = "0" | iexplore.exe
  Key created | IntelliForms | iexplore.exe
  Key created | LowRegistry\DOMStorage | iexplore.exe
  Key created | BrowserEmulation\LowMic | iexplore.exe
  Key created | GPU | iexplore.exe
  Key created | Main | IEXPLORE.EXE
  Key created | Toolbar\WebBrowser | iexplore.exe

Runs ping.exe (1 TTP, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: TSTheme.exe
  pid | process
  1600 | TSTheme.exe (the same entry is recorded 64 times)

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, taskkill.exe, TSTheme.exe, vssvc.exe, wmic.exe
  description | pid | process
  Token: SeDebugPrivilege | 2576 | 31318ee80570c7168708575f032ac63f.exe
  Token: SeDebugPrivilege | 2824 | taskkill.exe
  Token: SeDebugPrivilege | 1600 | TSTheme.exe
  Token: SeBackupPrivilege | 2116 | vssvc.exe
  Token: SeRestorePrivilege | 2116 | vssvc.exe
  Token: SeAuditPrivilege | 2116 | vssvc.exe
  The following 20 entries for pid 1480 (wmic.exe) are recorded twice each, in this order (40 IoCs):
  Token: SeIncreaseQuotaPrivilege | 1480 | wmic.exe
  Token: SeSecurityPrivilege | 1480 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1480 | wmic.exe
  Token: SeLoadDriverPrivilege | 1480 | wmic.exe
  Token: SeSystemProfilePrivilege | 1480 | wmic.exe
  Token: SeSystemtimePrivilege | 1480 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1480 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1480 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1480 | wmic.exe
  Token: SeBackupPrivilege | 1480 | wmic.exe
  Token: SeRestorePrivilege | 1480 | wmic.exe
  Token: SeShutdownPrivilege | 1480 | wmic.exe
  Token: SeDebugPrivilege | 1480 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1480 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1480 | wmic.exe
  Token: SeUndockPrivilege | 1480 | wmic.exe
  Token: SeManageVolumePrivilege | 1480 | wmic.exe
  Token: 33 | 1480 | wmic.exe
  Token: 34 | 1480 | wmic.exe
  Token: 35 | 1480 | wmic.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: iexplore.exe
  pid | process
  2572 | iexplore.exe
  2572 | iexplore.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, 31318ee80570c7168708575f032ac63f.exe, cmd.exe, TSTheme.exe, TSTheme.exe, iexplore.exe
  description | pid | process | target process | times recorded
  PID 1612 wrote to memory of 2576 | 1612 | 31318ee80570c7168708575f032ac63f.exe | 31318ee80570c7168708575f032ac63f.exe | 11
  PID 2576 wrote to memory of 2388 | 2576 | 31318ee80570c7168708575f032ac63f.exe | TSTheme.exe | 4
  PID 2576 wrote to memory of 2460 | 2576 | 31318ee80570c7168708575f032ac63f.exe | cmd.exe | 4
  PID 2460 wrote to memory of 2824 | 2460 | cmd.exe | taskkill.exe | 4
  PID 2460 wrote to memory of 1540 | 2460 | cmd.exe | PING.EXE | 4
  PID 2388 wrote to memory of 1600 | 2388 | TSTheme.exe | TSTheme.exe | 11
  PID 1600 wrote to memory of 2464 | 1600 | TSTheme.exe | vssadmin.exe | 4
  PID 1600 wrote to memory of 1480 | 1600 | TSTheme.exe | wmic.exe | 4
  PID 1600 wrote to memory of 1768 | 1600 | TSTheme.exe | bcdedit.exe | 4
  PID 1600 wrote to memory of 1968 | 1600 | TSTheme.exe | bcdedit.exe | 4
  PID 1600 wrote to memory of 2572 | 1600 | TSTheme.exe | iexplore.exe | 4
  PID 1600 wrote to memory of 1092 | 1600 | TSTheme.exe | NOTEPAD.EXE | 4
  PID 2572 wrote to memory of 3012 | 2572 | iexplore.exe | IEXPLORE.EXE | 2
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented by parent/child depth; [N] is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f.exe"
      - Cerber
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies Control Panel
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\TSTheme.exe
        command line: "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\TSTheme.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\TSTheme.exe
          command line: "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\TSTheme.exe"
          - Cerber
          - Modifies visibility of hidden/system files in Explorer
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Sets desktop wallpaper using registry
          - Drops file in Program Files directory
          - Modifies Control Panel
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\vssadmin.exe
            command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
            - Interacts with shadow copies
        [5] C:\Windows\system32\wbem\wmic.exe
            command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\bcdedit.exe
            command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\System32\bcdedit.exe
            command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit
        [5] C:\Program Files\Internet Explorer\iexplore.exe
            command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:275457 /prefetch:2
              - Modifies Internet Explorer settings
          [6] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:472065 /prefetch:2
        [5] C:\Windows\system32\NOTEPAD.EXE
            command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        [5] C:\Windows\System32\WScript.exe
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        [5] C:\Windows\system32\cmd.exe
            command line: /d /c taskkill /f /im "TSTheme.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\TSTheme.exe" > NUL
          [6] C:\Windows\system32\taskkill.exe
              command line: taskkill /f /im "TSTheme.exe"
              - Kills process with taskkill
          [6] C:\Windows\system32\PING.EXE
              command line: ping -n 1 127.0.0.1
              - Runs ping.exe
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /d /c taskkill /f /im "31318ee80570c7168708575f032ac63f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f.exe" > NUL
        - Deletes itself
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /f /im "31318ee80570c7168708575f032ac63f.exe"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\PING.EXE
          command line: ping -n 1 127.0.0.1
          - Runs ping.exe

[1] C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files\Internet Explorer\iexplore.exe
    command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    - Modifies Internet Explorer settings
  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2

[1] C:\Windows\SysWOW64\DllHost.exe
    command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

[1] C:\Windows\system32\AUDIODG.EXE
    command line: C:\Windows\system32\AUDIODG.EXE 0x4a4
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (5)
  Indicator Removal (2)
    File Deletion (2)
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1E63A41-1007-11EF-8706-CEEE273A2359}.dat
  Filesize: 5KB
  MD5: 2ef305074a8594ba8e7c0a58efa44fbb
  SHA1: e723f4b8f1edb634a63e6809997608e8f6e8c019
  SHA256: 870286a5a08ab86451540b281cd8edffd51c48d2eaa53045200c67a02d7cb933
  SHA512: b9a2066c424431ebc4d79d37b1f501e8d2e075731e54f8549b6447021f320ef58b6af43852c94f8b0a7b8904c4e6c2237883d60ee930a1d25fe4d861066b4ef5

- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\json[1].json
  Filesize: 297B
  MD5: bd0c2d8e6b0fe0de4a3869c02ee43a85
  SHA1: 21d8cca90ea489f88c2953156e6c3dec6945388b
  SHA256: 3a3e433f615f99529721ee766ad453b75d73fe213cb1ab74ccbb4c0e32dcd533
  SHA512: 496b1285f1e78d50dd79b05fa2cbf4a0b655bb3e4515646be3a7c7cdf85d7db6ab35577aa1e294f3d515d707ca341652b5ae9d4b22197e4480226ef8440294b6

- C:\Users\Admin\AppData\Roaming\403-3.htm
  Filesize: 1KB
  MD5: c7df00e9e0609d4216bb7404dd9c12ee
  SHA1: 3aac5a61dc12fcf9fd23280d8fc6361ef734c524
  SHA256: 9fa88627e300794f3f5f657aed1a58a447d4cd5ce6989d49d62dca9507c3d9de
  SHA512: 87427aca49cf20aa8d36541f589940b23e42d60eda72965f75ebdbb8342a19198c8625b8d4f9c71b4444d14ca99816d314991ff1e870da3437cbc15453d8e47f

- C:\Users\Admin\AppData\Roaming\ChiPollywog.9mW
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\TSTheme.lnk
  Filesize: 1KB
  MD5: 62c772b0d38cac8124056a274f47d633
  SHA1: 7f95cde29857c47d41c9b78135930871894b481d
  SHA256: 14e537ce4ffa4296a5b9b5988d48a889d9ba1ff7c2ca77b91a503f5d930f83a8
  SHA512: c220aa620804418b57788d1d5328b45f49d9e71b02c4f9582b582be53dfdcb9ef7eb3c1d71869aab369e292549f7ff239de360aea3d992e28a099fd0c2428bcf

- C:\Users\Admin\AppData\Roaming\Phenothiazine.aLp
  Filesize: 4KB
  MD5: 4cd6691685530a80f97c5633b75a8d81
  SHA1: a2d8a60847c6a4c0df2e87ac5964b98806d3a2e7
  SHA256: 1e8ea471a61594fbf877acc9c2cc26cccf2eb6bd1da7c7dd803a1b154d632c6c
  SHA512: d05c9d9c870c885cd7a964e669f775e5e4c9da99cd97cc1509f7e08af61fb13d97688f337fe5b9ac6c9c3c6cd14c95df4689b2715fdc531eac3d58133fbe2c48

- C:\Users\Admin\AppData\Roaming\eclipse.plugin.provider.xml
  Filesize: 1KB
  MD5: 478de1d80e0962427141f3c8ffff5459
  SHA1: b1d09acd8f530b8acfe2154f44b564c7da100f5f
  SHA256: 718fc58aceefd2c43d6beb2953eb06ce949348d83b354291e37641afc128bb17
  SHA512: bc9a978b8fc11345605b7234a274ab9406fa2edefb237644b2340ba83ece49c0b2620418c35d700da508e76371941808c99024298a793d382efa9fba57a84560

- C:\Users\Admin\AppData\Roaming\eclipse.plugin.provider.xml
  Filesize: 914B
  MD5: 72d925da1cf45aed93d045853a5281a8
  SHA1: 354dc025c187395a741ff630aaf6ca9ddf2d0d47
  SHA256: 19c79b8b4731e5a4f1bff40db16c6bae24fc7d299243a45ccd8998290247413d
  SHA512: 685081bd6829d3f825f2b50febd0df1c0db602bc9ea68c425b9bcc07b59e3860b91fbe918f485ac650cfbc14ea08f00dd98ad287d013190af829813122572c68

- C:\Users\Admin\Downloads\# DECRYPT MY FILES #.html
  Filesize: 19KB
  MD5: 4257d3f28c026a0470bdda7bc5c7487a
  SHA1: f36af4d6244376fb0bc5ed64c373efdb90530ffa
  SHA256: ed62654a5aa8ed02cf3394a8d1c8933db5e10d2b37f8537eeedc0df1b7805b23
  SHA512: bab2d5b8d6830be46588d47822a290ef76a0129df3ffab469420c801aff099f33c95bffb304e6cace46db3fb27904a6a09da433ce00a8a902f04bc1b3d9384b3

- C:\Users\Admin\Downloads\# DECRYPT MY FILES #.txt
  Filesize: 10KB
  MD5: bfebe8b8222b853922ff29fa45964ba6
  SHA1: 2f1b0c18a642fe3e0176f5d803fd7ba1a5fc4a2c
  SHA256: 7f309bbe3143aaa011f99aac4542c45efd2f15c50a4d33991ea718f6991ba37e
  SHA512: e21afb50e85442e87fc8a8f9ced6cec22213078a37797252b3add68dd0ebf64950f58d180c43c7a95f9929d1e12746d1ac85cda2a2931888b2373b694009db47

- C:\Users\Admin\Downloads\# DECRYPT MY FILES #.url
  Filesize: 90B
  MD5: e92e19ac6dbebf8bda174cfd04475c7e
  SHA1: 8a7c97a206e572accc4e77104a39bac2fdbb3b33
  SHA256: 62e35164155609c8605cc99e847ece324d1bc2e347584031683d8c5bba8d7c4b
  SHA512: a6b6f32a308e3893197556c94eab88c9c6946a5bf923bd1115386b0dc8ff4185f204f54014d1f3e4820ded7dc076ccfe9fa0c5a110e3064f9fd91b05a838dc2d

- C:\Users\Admin\Downloads\# DECRYPT MY FILES #.vbs
  Filesize: 252B
  MD5: 18d46f5d8ebd3c7d6df0c7a8fd1bd64d
  SHA1: aeb8407457434aabce2a4c2f95fe305c5303f929
  SHA256: ceb35b75d397b07c84dfab3a28189e9431bdf80ec99ab65f9ccf01986bd4a8e9
  SHA512: 35fc759be0dee77eb9e39350873c24d9693cf6f370f171814e2ce6250ea814fea8a0887442ebae9077d6e9ff81ae7034faa0afcb080401a7d4ac384d2ba42d65

- \Users\Admin\AppData\Local\Temp\nst9992.tmp\System.dll
  Filesize: 11KB
  MD5: 6f5257c0b8c0ef4d440f4f4fce85fb1b
  SHA1: b6ac111dfb0d1fc75ad09c56bde7830232395785
  SHA256: b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1
  SHA512: a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

- \Users\Admin\AppData\Roaming\HelpButton.dll
  Filesize: 68KB
  MD5: 27a5e7b6a25949beeae9d66ee66759b4
  SHA1: c98d27eb5421cc0e12f1736d8cb6da952df25635
  SHA256: ca1469a748c0805bedaa6bbcf87cfea1772a004ce5fb1ef1e5f62998874d4851
  SHA512: 426dd583044d651b790e006189d2ff42dcb883851dffa61cef2b4badaa43fde5a718e8ec4415ac928a39b81a6507ab54d2a1d0842bfbec4db89656478b610bea

- \Users\Admin\AppData\Roaming\{13610826-3503-134D-4C2C-C16FE04D06AA}\TSTheme.exe
  Filesize: 257KB
  MD5: 31318ee80570c7168708575f032ac63f
  SHA1: 82a8589abd62b469c4ec3c454434a75a63f8b2c6
  SHA256: 849b68c42ca9935f63aea47b02a730b64d0dcb9897e589fee3f64175bc592d84
  SHA512: bd0e851945ad1b2fd726976e5f03f4fad934f598cb8d936c59922afeb8e2cb575dc1a20a008bede70db26f4d6a91eb73d822539c59da7f5975e4244bc65440bc

Memory dumps:
- memory/1600-89-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1600-88-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1600-98-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1600-99-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1600-97-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1600-85-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1600-81-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1600-82-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1612-11-0x0000000000440000-0x0000000000452000-memory.dmp (Filesize: 72KB)
- memory/2388-64-0x0000000000530000-0x0000000000542000-memory.dmp (Filesize: 72KB)
- memory/2576-30-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2576-46-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2576-18-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2576-28-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2576-15-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2576-33-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2576-20-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2576-22-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2576-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2576-26-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2576-13-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2576-16-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)