9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Size

147KB
MD5

e2345db4f8ebb6ed5e78f14e6b57384c
SHA1

e5f299b1d4f2d5d0837d4b8229074c266ba62f14
SHA256

9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b
SHA512

3baa786b6472dd4a267ca06e045e918e5bba0e10c08adb77ccc5444d6ff694525659685f6a8abc10e5eb99e1b0cc2d0b6faa584f6cb404190b88c509be9a2a41
SSDEEP

3072:O6glyuxE4GsUPnliByocWepteMq6UJhlQ8fH/H:O6gDBGpvEByocWe+b6Ul/f

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (8023) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

401C.tmp

pid	Process
2852	401C.tmp

Executes dropped EXE 1 IoCs

Processes:

401C.tmp

pid	Process
2852	401C.tmp

Loads dropped DLL 1 IoCs

Processes:

9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

pid	Process
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\rkOLwOtuy.bmp"	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\rkOLwOtuy.bmp"	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe401C.tmp

pid	Process
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2852	401C.tmp

Drops file in Program Files directory 64 IoCs

Processes:

9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\rkOLwOtuy.README.txt	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\DRUMROLL.WAV.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51F.GIF.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue.css.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143745.GIF	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01701_.WMF.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.catalog	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\rkOLwOtuy.README.txt	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\calendar.css	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7EN.LEX.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBWZINT.REST.IDX_DLL	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02082_.GIF	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURE.CFG.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_COL.HXC.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00200_.WMF	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hovd	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02261_.WMF.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Efate	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00578_.WMF	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\rkOLwOtuy.README.txt	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\SLATE.ELM	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14692_.GIF.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Newsprint.eftx	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\AXIS.INF	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SPANISH.LNG	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME09.CSS	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00152_.WMF	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\rkOLwOtuy.README.txt	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Cocos.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay.css	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_hyperlink.gif.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\mpvis.dll.mui	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\library.js	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveAnother.png	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00439_.WMF	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ICE.ELM.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\WallpaperStyle = "10"	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

Modifies registry class 5 IoCs

Processes:

9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rkOLwOtuy\ = "rkOLwOtuy"	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rkOLwOtuy\DefaultIcon	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rkOLwOtuy	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rkOLwOtuy\DefaultIcon\ = "C:\\ProgramData\\rkOLwOtuy.ico"	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

pid	Process
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

401C.tmp

pid	Process
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp
2852	401C.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeDebugPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: 36	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeImpersonatePrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeIncBasePriorityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeIncreaseQuotaPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: 33	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeManageVolumePrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeProfSingleProcessPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeRestorePrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSystemProfilePrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeTakeOwnershipPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeShutdownPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeDebugPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeBackupPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
Token: SeSecurityPrivilege	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe401C.tmp

description	pid	Process	procid_target
PID 2240 wrote to memory of 2852	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe	32
PID 2240 wrote to memory of 2852	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe	32
PID 2240 wrote to memory of 2852	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe	32
PID 2240 wrote to memory of 2852	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe	32
PID 2240 wrote to memory of 2852	2240	9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe	32
PID 2852 wrote to memory of 1932	2852	401C.tmp	33
PID 2852 wrote to memory of 1932	2852	401C.tmp	33
PID 2852 wrote to memory of 1932	2852	401C.tmp	33
PID 2852 wrote to memory of 1932	2852	401C.tmp	33

C:\Users\Admin\AppData\Local\Temp\9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe
"C:\Users\Admin\AppData\Local\Temp\9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\ProgramData\401C.tmp
  "C:\ProgramData\401C.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\401C.tmp >> NUL
    3⤵
    PID:1932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini

Filesize
129B

MD5
0362002e4de251c5787ae709d5b2c12e

SHA1
d26aabe2bea4581bdd43865af6f7fa868b4dd004

SHA256
2072ae14996295b9d7cd80f0ae66116f350e726ed12cb5cd9f5be92185b118d1

SHA512
cc6a4b06e1e90308403b3a1d757647b9efa12a124909bb953d87d04fa0d512f0b1f1e9ed9951a00465064f2c118f856e0619101b26263f5b2176d15f6c4c30c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
147KB

MD5
a56cade6f4262677c559981e50eabae4

SHA1
b2f41a8d6e3f8540ec1ea28901d25d4f933823cb

SHA256
a873e9b739f0f2c741d985a4675651e64e023d774b81cd00db10e9aee3df2acf

SHA512
4f49f683c1914d5f6ce0bec16817351ced28715851077123a0f7b7e623dbed1b1f0a1480884367659255b8d6149d8a0dce487940d095b943e3079637f60eca7d

Download Submit
C:\rkOLwOtuy.README.txt

Filesize
1KB

MD5
12195084f7d45242aee98ce43164a8ed

SHA1
dc77f76589a9e6df6abc30954d52e35a5f1a2bdf

SHA256
9551659ef8e5c10038fac2ecfb0adbcf8997ecf7841084f71d1eb2380ee20d40

SHA512
5b841a70d5f4743a12a682dc567abee3b78038529d24c13fc8a58d9c5f853c66271579c05212d043fbf426383bad03d4e97377a6b7253390014a3c4b8894f259

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\DDDDDDDDDDD

Filesize
129B

MD5
9294866a4acf36e5648f79f4c5adf74c

SHA1
bac4be11cdb9de0ad139bd214d45573bf85a6c72

SHA256
732d4d7fdb1b76b76da67719a2929e1298f7d20312a0ce64e085f769dc971ed9

SHA512
ef05d0ddc16a59c6950e0e95d58d4b262ba29b07689d19efe6206668b1e9421afeedb5defbbea0c7955f8307c562719bca7600481da4d479f069a9be12cd3eaa

Download Submit
\ProgramData\401C.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2240-0-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2852-11972-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2852-11974-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download