Analysis
max time kernel: 154s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/06/2024, 01:07
Static task: static1
Behavioral task: behavioral1
  Sample: 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe
  Resource: win10v2004-20240226-en
General
Target: 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe
Size: 376KB
MD5: 120c6ddfc24274b6e2e3a1ba7dc519ab
SHA1: 29936b1aa952a89905bf0f7b7053515fd72d8c5c
SHA256: 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8
SHA512: dd9b2fb6cd5f6f044daa80ef634078849032ebbdbd1d293bb7bcb0270aa8b7360c39addb0826c7a3ddc8714b559bf8828e8e506ac91bcb4702a72f4c8ec4850a
SSDEEP: 6144:KFtgKBIxGS/bbWGGJK8PpzR1WpOJOQMeEBwhUg5bBDNPbsP/qrscpyj4CVKSkn:+tgKIxfbbezR1WpOJJMjihU030/qRMra
Malware Config
Extracted
Path: \Device\HarddiskVolume1\HOW TO BACK FILES.txt
URLs:
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures
TargetCompany, Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
Process: 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)
Process: 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe
ioc: \??\Q:, \??\U:, \??\W:, \??\E:, \??\H:, \??\M:, \??\R:, \??\S:, \??\T:, \??\A:, \??\K:, \??\O:, \??\P:, \??\V:, \??\X:, \??\B:, \??\J:, \??\I:, \??\L:, \??\N:, \??\Y:, \??\Z:, \??\D:, \??\G:
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow: 25
ioc: api.ipify.org
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid: 4992
Process: vssadmin.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 956, Process 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe
- pid 956, Process 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 956 wrote to memory of 1404 (pid 956, Process 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe, procid_target 93)
- PID 956 wrote to memory of 1404 (pid 956, Process 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe, procid_target 93)
- PID 956 wrote to memory of 1404 (pid 956, Process 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe, procid_target 93)
- PID 956 wrote to memory of 936 (pid 956, Process 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe, procid_target 94)
- PID 956 wrote to memory of 936 (pid 956, Process 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe, procid_target 94)
- PID 956 wrote to memory of 936 (pid 956, Process 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe, procid_target 94)
- PID 956 wrote to memory of 4992 (pid 956, Process 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe, procid_target 95)
- PID 956 wrote to memory of 4992 (pid 956, Process 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe, procid_target 95)
System policy modification (1 TTPs, 1 IoC)
description: Set value (int)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"
Process: 2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2289706f678585059502a24283e0f55d56cf477524753c606f64825bba66fca8.exe"
  PID: 956
  Signatures:
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    PID: 1404
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    PID: 936
  - C:\Windows\system32\vssadmin.exe
    Command line: "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
    PID: 4992
    Signatures:
    - Interacts with shadow copies
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 632
Downloads
Filesize: 910B
MD5: 06ea8f7cca98741c3dac4c5413a2849c
SHA1: 618e4f8395e9e335d92df789a54119f990c2ebd9
SHA256: a031453d6160ce19d412d69cf34c070b97079beab4c806752071d4a2a8b6b29d
SHA512: 91b89ce09c215fd27a1f45f0c17bc5516db043f3f2e8d69428327e7e09fb5d1c32bb6c0c49af048429ad08bacf74115b0065f32604db4056699841e44c99893b