Analysis
max time kernel
1047s
max time network
1044s
platform
windows7_x64
resource
win7-20231129-en
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted
30-05-2024 14:25
Behavioral task
behavioral1
Sample
Obustro.exe
Resource
win7-20231129-en
General
Target
Obustro.exe
Size
82KB
MD5
b107fbdbd7e5a97172b3974216a78886
SHA1
410f9c227a901e2721fd4471e8a5069bd6af43da
SHA256
1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2
SHA512
b7485652c502a95a258d106166419dc3679e8a69906b7634dc440db9fa3db506a1c5597024fa0b275b556dbce55f51877bfef6d779817a0c83f51395bc734de6
SSDEEP
1536:qih380x1gfPT9dOjquahM8+bEm3leW9Q6au4aOaQDb4mPMUf:NhVgf5EFWZ+bEmVeOcu4aOaQDb4va
Malware Config
Extracted
xworm
C2: 19.ip.gl.ply.gg:45758
C2: ads-enabled.gl.at.ply.gg:45758
Install_directory
%AppData%
install_file
detektivhuedblyat.exe
Both C2 hostnames sit under ply.gg, the tunnel domain of the playit.gg relay service, so any IP they resolve to belongs to the relay rather than to the operator. Block or alert on the hostnames and the port, not on a resolved address, and expect the operator to rotate the tunnel.
Signatures
Detect Xworm Payload (14 IoCs)
yara_rule family_xworm matched in:
behavioral1/memory/2372-1-0x00000000002E0000-0x00000000002FA000-memory.dmp
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
behavioral1/memory/1872-37-0x00000000000B0000-0x00000000000CA000-memory.dmp
behavioral1/memory/2232-58-0x0000000000C00000-0x0000000000C1A000-memory.dmp
behavioral1/memory/1868-84-0x00000000001F0000-0x000000000020A000-memory.dmp
behavioral1/memory/2680-101-0x0000000000DA0000-0x0000000000DBA000-memory.dmp
behavioral1/memory/1612-104-0x00000000003B0000-0x00000000003CA000-memory.dmp
behavioral1/memory/1056-106-0x0000000000E60000-0x0000000000E7A000-memory.dmp
behavioral1/memory/2252-108-0x00000000010D0000-0x00000000010EA000-memory.dmp
behavioral1/memory/2644-110-0x00000000011C0000-0x00000000011DA000-memory.dmp
behavioral1/memory/1524-112-0x0000000000050000-0x000000000006A000-memory.dmp
behavioral1/memory/2628-114-0x0000000000130000-0x000000000014A000-memory.dmp
behavioral1/memory/2752-116-0x0000000000DC0000-0x0000000000DDA000-memory.dmp
behavioral1/memory/1632-120-0x0000000001360000-0x000000000137A000-memory.dmp
Every matched region is 0x1A000 bytes long: the same XWorm image is mapped in the initial Obustro.exe process (PID 2372) and in each copy of detektivhuedblyat.exe the scheduled task later starts, so the dropped file is the payload itself rather than a second-stage loader.
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / process: 2828 powershell.exe; 2732 powershell.exe; 2816 powershell.exe; 2608 powershell.exe
In this run the four invocations add two path exclusions (the dropper in %Temp% and the installed copy in %AppData%) and two process exclusions (Obustro.exe and detektivhuedblyat.exe); the full command lines are in the process tree. Add-MpPreference needs an elevated token, which the sandbox's Admin session supplies; on a standard-user host these calls fail and the exclusions are never written.
Drops startup file (2 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\detektivhuedblyat.lnk (Obustro.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\detektivhuedblyat.lnk (Obustro.exe)
Executes dropped EXE (17 IoCs)
detektivhuedblyat.exe, PIDs: 1872, 2232, 1868, 2680, 1612, 1056, 2252, 2644, 1524, 2628, 2752, 2152, 2672, 1632, 1844, 1836, 1776
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\detektivhuedblyat = "C:\\Users\\Admin\\AppData\\Roaming\\detektivhuedblyat.exe" (Obustro.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here schtasks.exe (PID 2756) registers a task named "detektivhuedblyat" that runs the %AppData% copy every minute at the highest run level; over the 1047 s run taskeng.exe launched it 17 times (the PIDs listed under Executes dropped EXE). Together with the Run key and the Startup-folder .lnk this gives the sample three independent persistence mechanisms, all pointing at the same file.
Opens file in notepad (likely ransom note) (1 IoC)
pid / process: 2304 NOTEPAD.EXE
Treat this as a false positive: NOTEPAD.EXE was started from the interactive 7-Zip File Manager session (7zFM.exe, PID 1848) on an extracted version.txt, not by the sample, and no ransom note appears among the dropped files.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / process: 2816 powershell.exe; 2608 powershell.exe; 2828 powershell.exe; 2732 powershell.exe; 2372 Obustro.exe (60 hits)
Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
pid / process: 2832 taskmgr.exe; 2372 Obustro.exe; 1848 7zFM.exe
Only the Obustro.exe hit is sample behaviour; taskmgr.exe and 7zFM.exe were started interactively in the sandbox session.
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Token: SeDebugPrivilege 2372 Obustro.exe (2 hits)
Token: SeDebugPrivilege 2816, 2608, 2828, 2732 powershell.exe
Token: SeDebugPrivilege 1872, 2232, 1868, 2680, 1612, 1056, 2252, 2644, 1524, 2628, 2752, 2152, 2672, 1632, 1844, 1836, 1776 detektivhuedblyat.exe
Token: SeDebugPrivilege 2832 taskmgr.exe
Token: SeDebugPrivilege 1508 Obustro.exe
Token: SeRestorePrivilege 1848 7zFM.exe
Token: 35 1848 7zFM.exe
Token: SeSecurityPrivilege 1848 7zFM.exe
Suspicious use of FindShellTrayWindow (62 IoCs)
pid / process: 2832 taskmgr.exe (59 hits); 1848 7zFM.exe (3 hits)
Suspicious use of SendNotifyMessage (59 IoCs)
pid / process: 2832 taskmgr.exe (59 hits)
Suspicious use of SetWindowsHookEx (1 IoC)
pid / process: 2372 Obustro.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent-to-child write below is recorded three times; the list stops at 64 entries, which is why the 1836 launch appears once and the 1776 launch not at all.
2372 Obustro.exe wrote to 2816 powershell.exe
2372 Obustro.exe wrote to 2608 powershell.exe
2372 Obustro.exe wrote to 2828 powershell.exe
2372 Obustro.exe wrote to 2732 powershell.exe
2372 Obustro.exe wrote to 2756 schtasks.exe
1676 taskeng.exe wrote to 1872, 2232, 1868 detektivhuedblyat.exe
1848 7zFM.exe wrote to 2304 NOTEPAD.EXE
1676 taskeng.exe wrote to 2680, 1612, 1056, 2252, 2644, 1524, 2628, 2752, 2152, 2672, 1632, 1844 detektivhuedblyat.exe
1676 taskeng.exe wrote to 1836 detektivhuedblyat.exe (single entry, list truncated)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The explorer.exe, taskmgr.exe and 7zFM.exe entries reflect interactive use of the sandbox desktop (7-Zip File Manager was opened on the sample file itself); a second Obustro.exe instance (PID 1508) was also started during the run.

C:\Users\Admin\AppData\Local\Temp\Obustro.exe (PID 2372)
  command line: "C:\Users\Admin\AppData\Local\Temp\Obustro.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2816)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Obustro.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2608)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Obustro.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2828)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2732)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'detektivhuedblyat.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\schtasks.exe (PID 2756)
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "detektivhuedblyat" /tr "C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe"
    - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe (PID 1676)
  command line: taskeng.exe {2DA570C6-BAC6-4F20-BA8C-40C4492ED7BA} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe, launched 17 times by the minute-interval task (PIDs 1872, 2232, 1868, 2680, 1612, 1056, 2252, 2644, 1524, 2628, 2752, 2152, 2672, 1632, 1844, 1836, 1776)
    command line: C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe (PID 2148)
  command line: "C:\Windows\explorer.exe"

C:\Windows\system32\taskmgr.exe (PID 2832)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\explorer.exe (PID 2196)
  command line: "C:\Windows\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\Obustro.exe (PID 1508)
  command line: "C:\Users\Admin\AppData\Local\Temp\Obustro.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\7-Zip\7zFM.exe (PID 1848)
  command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Obustro.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\NOTEPAD.EXE (PID 2304)
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO837D19B9\version.txt
    - Opens file in notepad (likely ransom note)
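A detection pass over the kind of events this report records, as an added example that is not part of the sandbox report or of the sample: it parses the Add-MpPreference exclusions, the schtasks /create switches, the Run key write, the Startup-folder .lnk and connections to the extracted C2 endpoints, then groups hits by the process responsible, so the four-step install chain of PID 2372 shows up as one actor rather than five unrelated alerts. The event records are constructed here to mirror the process tree above in an assumed Sysmon-like dict layout; the field names, the benign noise entries and the www.example.com host are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed records mirroring this report's process tree (assumed Sysmon-like layout).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2816, "ppid": 2372,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
                r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Obustro.exe'"},
    {"type": "process", "pid": 2732, "ppid": 2372,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
                r"Add-MpPreference -ExclusionProcess 'detektivhuedblyat.exe'"},
    {"type": "process", "pid": 2756, "ppid": 2372,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "detektivhuedblyat" /tr "C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe"'},
    {"type": "registry", "pid": 2372,
     "key": r"HKU\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\detektivhuedblyat",
     "data": r"C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe"},
    {"type": "file", "pid": 2372,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\detektivhuedblyat.lnk"},
    {"type": "network", "pid": 1872, "host": "19.ip.gl.ply.gg", "port": 45758},
    # Benign noise from the same session (constructed); must produce no findings.
    {"type": "process", "pid": 2304, "ppid": 1848,
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO837D19B9\version.txt'},
    {"type": "network", "pid": 2304, "host": "www.example.com", "port": 443},
]

# C2 endpoints from the extracted XWorm config in this report.
C2 = {("19.ip.gl.ply.gg", 45758), ("ads-enabled.gl.at.ply.gg", 45758)}

RE_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|(\S+))", re.I)
RE_USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Users\\Public\\", re.I)
RE_RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
RE_STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# A schtasks switch: /name, optionally followed by a quoted or bare value (never another switch).
RE_SWITCH = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/"\s]\S*))?')


def schtasks_options(cmdline):
    """Return {switch: value} for a schtasks command line; switch names lower-cased, quotes stripped."""
    return {m.group(1).lower(): (m.group(2) or "").strip('"') for m in RE_SWITCH.finditer(cmdline)}


def analyze(events):
    """Flag the defence-evasion and persistence steps this sample chains together."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            cmd = ev["cmdline"]
            actor = ev["ppid"]  # the parent that spawned the LOLBin is the process of interest
            m = RE_EXCLUSION.search(cmd)
            if m:
                findings.append({"rule": "defender_exclusion", "actor": actor, "pid": ev["pid"],
                                 "detail": f"Exclusion{m.group(1)}={m.group(2) or m.group(3)}"})
            if "schtasks" in cmd.lower() and "/create" in cmd.lower():
                opts = schtasks_options(cmd)
                mo = opts.get("mo", "1")
                reasons = []
                if opts.get("sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
                    reasons.append(f"fires every {mo} minute(s)")
                if opts.get("rl", "").upper() == "HIGHEST":
                    reasons.append("runs with /RL HIGHEST")
                if RE_USER_WRITABLE.search(opts.get("tr", "")):
                    reasons.append("target in a user-writable directory")
                if reasons:
                    findings.append({"rule": "scheduled_task_persistence", "actor": actor, "pid": ev["pid"],
                                     "detail": f"{opts.get('tn', '?')}: " + "; ".join(reasons)})
        elif kind == "registry":
            if RE_RUN_KEY.search(ev["key"]) and RE_USER_WRITABLE.search(ev["data"]):
                findings.append({"rule": "run_key_persistence", "actor": ev["pid"], "pid": ev["pid"],
                                 "detail": ev["data"]})
        elif kind == "file":
            if RE_STARTUP_LNK.search(ev["path"]):
                findings.append({"rule": "startup_folder_persistence", "actor": ev["pid"], "pid": ev["pid"],
                                 "detail": ev["path"]})
        elif kind == "network":
            if (ev["host"].lower(), ev["port"]) in C2:
                findings.append({"rule": "c2_connection", "actor": ev["pid"], "pid": ev["pid"],
                                 "detail": f"{ev['host']}:{ev['port']}"})
    return findings


def actor_chains(findings):
    """Group distinct rules by responsible process; several rules on one actor is the install pattern."""
    chains = defaultdict(set)
    for f in findings:
        chains[f["actor"]].add(f["rule"])
    return {actor: sorted(rules) for actor, rules in chains.items()}


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['rule']}] actor={f['actor']} pid={f['pid']} {f['detail']}")
    for actor, rules in actor_chains(found).items():
        print(f"actor {actor}: {', '.join(rules)}")
```

The thresholds (a minute-interval task with /mo of five or less, a target under AppData, ProgramData or Public) are tuned to this sample's schtasks line and would be widened in production; the point of `actor_chains` is that a single process adding Defender exclusions and then registering a task, a Run key and a Startup .lnk for the same file is far stronger evidence than any one of those events on its own.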
Network
MITRE ATT&CK Enterprise v15
Downloads
(no path recorded)
Filesize: 1KB
MD5: 4230e1121100316a114c7aa4df304c71
SHA1: e4c18efed44d30877b31e7763adc815e68feab49
SHA256: bb01715aba0e2ea0f3dd325c92a36827eff8d6431754cafac54e51703f408283
SHA512: 42387317c908c07256390139dcc39d25786e6b305a3c1c50719133f3526c1deb78024a3a52ac731857f8a24a44952640dde1d063a3a7811e3f97e0ea3dc533ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 087b56ce4122f1b75a1c92689cdabcc6
SHA1: 9ed5f2f135660b8abea8ccb78b14dce6e70e79ba
SHA256: c1da1c32322504eee6650e34ea88fe878a9c4a301ed18ba523eb5630414e0665
SHA512: 5d94625eaa0bca4e08912e3f9f275d6464a20edfdd374730da7a6470662a7f1c56679c84ecf80723c33a885956e89cfc7cae0e810fa401120661e0ebe059eb46

(no path recorded; the hashes are identical to the submitted Obustro.exe, so this is a byte-for-byte copy of the dropper)
Filesize: 82KB
MD5: b107fbdbd7e5a97172b3974216a78886
SHA1: 410f9c227a901e2721fd4471e8a5069bd6af43da
SHA256: 1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2
SHA512: b7485652c502a95a258d106166419dc3679e8a69906b7634dc440db9fa3db506a1c5597024fa0b275b556dbce55f51877bfef6d779817a0c83f51395bc734de6

(no path recorded; these are the digests of zero-length input, so this entry is an empty file and carries no IoC value)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e