Analysis
max time kernel: 89s
max time network: 78s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 16-07-2024 06:43
Static task: static1
Behavioral task: behavioral1
  Sample: 839336eb8fb257995891f38bdae56ce0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 839336eb8fb257995891f38bdae56ce0N.exe
  Resource: win10v2004-20240709-en
General
Target: 839336eb8fb257995891f38bdae56ce0N.exe
Size: 2.4MB
MD5: 839336eb8fb257995891f38bdae56ce0
SHA1: 878d55fc297dbc0f15f411f25aa52e05dec3c2ca
SHA256: b985d398226fae83bb98e84312766760c3ff61ad88ee968bd90996ff87fbae59
SHA512: cfb18c507fdf72d3edc222f963cb8aa21a767cd1ff589e890b00a5d7bb75a85a5647cec1cd4582859290b5b74bb586d3b835c346359f8470103e4a4f6e434a01
SSDEEP: 49152:7wX3TmeMrpRRQSAmo6GjgHdbNKGb1fdmXA/7qsopQq3lCF:7wX3q3lsbbPjg9pH1fJzqso
Malware Config
Extracted
C:\$Recycle.Bin\HOW TO BACK FILES.txt
targetcompany
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures

TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid   Process
1396  bcdedit.exe
2960  bcdedit.exe
Renames multiple (7274) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bkdlzexmzgp = "C:\\Users\\Admin\\AppData\\Roaming\\Bkdlzexmzgp.exe"
Process: 839336eb8fb257995891f38bdae56ce0N.exe

Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process for every row: 839336eb8fb257995891f38bdae56ce0N.exe
description              ioc
File opened (read-only)  \??\J:
File opened (read-only)  \??\N:
File opened (read-only)  \??\O:
File opened (read-only)  \??\V:
File opened (read-only)  \??\W:
File opened (read-only)  \??\X:
File opened (read-only)  \??\D:
File opened (read-only)  \??\I:
File opened (read-only)  \??\P:
File opened (read-only)  \??\R:
File opened (read-only)  \??\Y:
File opened (read-only)  \??\E:
File opened (read-only)  \??\M:
File opened (read-only)  \??\L:
File opened (read-only)  \??\Q:
File opened (read-only)  \??\S:
File opened (read-only)  \??\G:
File opened (read-only)  \??\K:
File opened (read-only)  \??\H:
File opened (read-only)  \??\T:
File opened (read-only)  \??\U:
File opened (read-only)  \??\Z:
File opened (read-only)  \??\A:
File opened (read-only)  \??\B:

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     api.ipify.org

Suspicious use of SetThreadContext 1 IoCs
description                            pid   Process                                 procid_target
PID 2220 set thread context of 1524    2220  839336eb8fb257995891f38bdae56ce0N.exe  30

Drops file in Program Files directory 64 IoCs
Process for every row: 839336eb8fb257995891f38bdae56ce0N.exe
description                   ioc
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\fi\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png
File opened for modification  C:\Program Files\Java\jre7\lib\zi\Pacific\Saipan
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN096.XML
File created                  C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files\Java\jre7\lib\sound.properties
File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\video_splitter\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00898_.WMF
File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Esl\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files\Microsoft Games\FreeCell\es-ES\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ast\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105396.WMF
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.LEX
File created                  C:\Program Files\VideoLAN\VLC\lua\modules\HOW TO BACK FILES.txt
File created                  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files\Java\jre7\lib\deploy\messages_zh_TW.properties
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARVERTBB.DPV
File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar
File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Argentina\Catamarca
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\XLINTL32.REST.IDX_DLL
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ne\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files\Microsoft Games\More Games\es-ES\MoreGames.dll.mui
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750G.GIF
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21306_.GIF
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-visual.jar
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_fr.dub
File opened for modification  C:\Program Files\Microsoft Games\More Games\de-DE\MoreGames.dll.mui
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00042_.WMF
File opened for modification  C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui
File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgRes.dll.mui
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02094_.WMF
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\VIBE.WAV
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB11.BDR
File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\video_filter\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files\Java\jre7\lib\zi\Europe\Paris
File opened for modification  C:\Program Files\Java\jre7\lib\management\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar
File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\ShvlRes.dll.mui
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00807_.WMF
File created                  C:\Program Files\Microsoft Games\SpiderSolitaire\HOW TO BACK FILES.txt
File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Port_of_Spain
File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\ChkrRes.dll.mui
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152560.WMF
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281243.WMF
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14579_.GIF
File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tasks.accdt
File opened for modification  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\HOW TO BACK FILES.txt
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar
File opened for modification  C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Response.gif
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SPACER.GIF

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
1524  839336eb8fb257995891f38bdae56ce0N.exe
1524  839336eb8fb257995891f38bdae56ce0N.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description                      pid   Process
Token: SeDebugPrivilege          2220  839336eb8fb257995891f38bdae56ce0N.exe
Token: SeDebugPrivilege          2220  839336eb8fb257995891f38bdae56ce0N.exe
Token: SeTakeOwnershipPrivilege  1524  839336eb8fb257995891f38bdae56ce0N.exe
Token: SeDebugPrivilege          1524  839336eb8fb257995891f38bdae56ce0N.exe
Token: SeTakeOwnershipPrivilege  1524  839336eb8fb257995891f38bdae56ce0N.exe
(the last row repeats unchanged for all remaining listed IoCs)

Suspicious use of WriteProcessMemory 26 IoCs
description                       pid   Process                                 procid_target
PID 2220 wrote to memory of 1524  2220  839336eb8fb257995891f38bdae56ce0N.exe  30
PID 2220 wrote to memory of 1524  2220  839336eb8fb257995891f38bdae56ce0N.exe  30
PID 2220 wrote to memory of 1524  2220  839336eb8fb257995891f38bdae56ce0N.exe  30
PID 2220 wrote to memory of 1524  2220  839336eb8fb257995891f38bdae56ce0N.exe  30
PID 2220 wrote to memory of 1524  2220  839336eb8fb257995891f38bdae56ce0N.exe  30
PID 2220 wrote to memory of 1524  2220  839336eb8fb257995891f38bdae56ce0N.exe  30
PID 2220 wrote to memory of 1524  2220  839336eb8fb257995891f38bdae56ce0N.exe  30
PID 2220 wrote to memory of 1524  2220  839336eb8fb257995891f38bdae56ce0N.exe  30
PID 2220 wrote to memory of 1524  2220  839336eb8fb257995891f38bdae56ce0N.exe  30
PID 2220 wrote to memory of 1524  2220  839336eb8fb257995891f38bdae56ce0N.exe  30
PID 2220 wrote to memory of 1524  2220  839336eb8fb257995891f38bdae56ce0N.exe  30
PID 2220 wrote to memory of 2848  2220  839336eb8fb257995891f38bdae56ce0N.exe  31
PID 2220 wrote to memory of 2848  2220  839336eb8fb257995891f38bdae56ce0N.exe  31
PID 2220 wrote to memory of 2848  2220  839336eb8fb257995891f38bdae56ce0N.exe  31
PID 1524 wrote to memory of 3004  1524  839336eb8fb257995891f38bdae56ce0N.exe  32
PID 1524 wrote to memory of 3004  1524  839336eb8fb257995891f38bdae56ce0N.exe  32
PID 1524 wrote to memory of 3004  1524  839336eb8fb257995891f38bdae56ce0N.exe  32
PID 1524 wrote to memory of 1272  1524  839336eb8fb257995891f38bdae56ce0N.exe  34
PID 1524 wrote to memory of 1272  1524  839336eb8fb257995891f38bdae56ce0N.exe  34
PID 1524 wrote to memory of 1272  1524  839336eb8fb257995891f38bdae56ce0N.exe  34
PID 3004 wrote to memory of 1396  3004  cmd.exe                                 36
PID 3004 wrote to memory of 1396  3004  cmd.exe                                 36
PID 3004 wrote to memory of 1396  3004  cmd.exe                                 36
PID 1272 wrote to memory of 2960  1272  cmd.exe                                 37
PID 1272 wrote to memory of 2960  1272  cmd.exe                                 37
PID 1272 wrote to memory of 2960  1272  cmd.exe                                 37

System policy modification 1 TTPs 1 IoCs
description: Set value (int)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"
Process: 839336eb8fb257995891f38bdae56ce0N.exe
Processes

C:\Users\Admin\AppData\Local\Temp\839336eb8fb257995891f38bdae56ce0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\839336eb8fb257995891f38bdae56ce0N.exe"
  PID: 2220
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\839336eb8fb257995891f38bdae56ce0N.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\839336eb8fb257995891f38bdae56ce0N.exe"
      PID: 1524
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
          PID: 3004
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
              PID: 1396
              - Modifies boot configuration data using bcdedit

        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
          PID: 1272
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {current} recoveryenabled no
              PID: 2960
              - Modifies boot configuration data using bcdedit

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2220 -s 668
      PID: 2848

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: e3ccdbe066eb017dff049c589b5a647a
SHA1: 068ff688af7dd5c23f9e54dd921f4d4fe6bb076e
SHA256: f6a0a9ddd420f4f94faf9aac68693f56b91a425118fbed36fddf417ed07785dd
SHA512: a6bbbfc56c3a51302cf60f77dd163a50e179e22b6c18fd6b28fa09e5c205a2cc36994af063005475f5e591fe97fe25c276c9352040e924750fc0dcbb38b0c2ec