84bebbe2cc14519a656dd6ee54e892191872f7122ebf53ef6b2349a5218c11e1

Resubmissions

18-07-2024 07:25

240718-h84wjs1hpb 10

18-07-2024 07:19

240718-h51pqa1gng 10

17-07-2024 20:55

240717-zqkhmaydmq 10

17-07-2024 19:21

240717-x2pwdaycjb 10

Analysis

max time kernel
180s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2024 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bit Paymer.exe
Size

92KB
MD5

998246bd0e51f9582b998ca514317c33
SHA1

5a2d799ac4cca8954fc117c7fb3e868f93c6f009
SHA256

d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2
SHA512

773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130
SSDEEP

1536:tacFdjxs2TlWlpnXv91nhixG8/lA5jG8387SpK6jXOMVHoi5e+vRb:taqJC6lWlpnXv7nhixhlAU83VwMCifvR

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.readme_txt

Ransom Note

YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED! All files are encrypted. We accept only bitcoins to share the decryption software for your network. Also, we have gathered all your private sensitive data.So if you decide not to pay anytime soon, we would share it with media's. It may harm your business reputation and the company's capitalization fell sharply. Do not try to do it with 3rd-parties programs, files might be damaged then. Decrypting of your files is only possible with the special decryption software. To receive your private key and the decryption software please follow the link (using tor2web service): https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3 If this address is not available, follow these steps: 1. Download and install Tor Browser: https://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3 4. Follow the instructions on the site 5. This link is valid for 72 hours only. Afetr that period your local data would be lost completely. 6. Any questions: [email protected]

Emails

[email protected]

URLs

https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3

http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3

Signatures

Renames multiple (9455) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Bit Paymer.exe

Executes dropped EXE 3 IoCs

pid	Process
1768	Idw:exe
2488	eqxNBxP.exe
1972	Zn0T:exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bBvZsKBF = "C:\\Users\\Admin\\AppData\\Local\\30UEgx\\RrvSE.exe"	Bit Paymer.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Zn0T:exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp	Zn0T:exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons_2x.png.readme_txt	Zn0T:exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover_2x.png	Zn0T:exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\ReachFramework.resources.dll.readme_txt	Zn0T:exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	Zn0T:exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\ui-strings.js	Zn0T:exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Access.dao.dll.locked	Zn0T:exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.readme_txt	Zn0T:exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.locked	Zn0T:exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\ui-strings.js.locked	Zn0T:exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.locked	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.readme_txt	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\onenotemui.msi.16.en-us.boot.tree.dat.readme_txt	Zn0T:exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\MSFT_PackageManagementSource.psm1	Zn0T:exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui	Zn0T:exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.readme_txt	Zn0T:exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png	Zn0T:exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-400.png	Zn0T:exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\ui-strings.js.locked	Zn0T:exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\ui-strings.js.locked	Zn0T:exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.locked	Zn0T:exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.readme_txt	Zn0T:exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\PREVIEW.GIF.locked	Zn0T:exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr_2x.gif.readme_txt	Zn0T:exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.locked	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll	Zn0T:exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\graph.ico.readme_txt	Zn0T:exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\ui-strings.js.readme_txt	Zn0T:exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.readme_txt	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.locked	Zn0T:exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.readme_txt	Zn0T:exe
File created	C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.readme_txt	Zn0T:exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\ui-strings.js.locked	Zn0T:exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\default_apps\external_extensions.json	Zn0T:exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\bg.pak.locked	Zn0T:exe
File created	C:\Program Files\Microsoft Office\root\vfs\System\mfcm140u.dll.readme_txt	Zn0T:exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\bubble\white.gif	Zn0T:exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCacheMini.scale-125.png	Zn0T:exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60_contrast-high.png	Zn0T:exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll	Zn0T:exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.locked	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.locked	Zn0T:exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.readme_txt	Zn0T:exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_de_135x40.svg.readme_txt	Zn0T:exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.locked	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.readme_txt	Zn0T:exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.readme_txt	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.readme_txt	Zn0T:exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\SharedUI.dll	Zn0T:exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll	Zn0T:exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.readme_txt	Zn0T:exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.locked	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms.locked	Zn0T:exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.locked	Zn0T:exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.locked	Zn0T:exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.readme_txt	Zn0T:exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ja_135x40.svg	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.locked	Zn0T:exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.locked	Zn0T:exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-default_32.svg.locked	Zn0T:exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
4532	net.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Idw:exe	Bit Paymer.exe
File created	C:\Users\Admin\AppData\Local\Zn0T:exe	eqxNBxP.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4488	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	taskmgr.exe
Token: SeSystemProfilePrivilege	4488	taskmgr.exe
Token: SeCreateGlobalPrivilege	4488	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe
4488	taskmgr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 4280	408	Bit Paymer.exe	86
PID 408 wrote to memory of 4280	408	Bit Paymer.exe	86
PID 408 wrote to memory of 4280	408	Bit Paymer.exe	86
PID 408 wrote to memory of 1768	408	Bit Paymer.exe	87
PID 408 wrote to memory of 1768	408	Bit Paymer.exe	87
PID 408 wrote to memory of 1768	408	Bit Paymer.exe	87
PID 4280 wrote to memory of 2488	4280	cmd.exe	90
PID 4280 wrote to memory of 2488	4280	cmd.exe	90
PID 4280 wrote to memory of 2488	4280	cmd.exe	90
PID 2488 wrote to memory of 1972	2488	eqxNBxP.exe	92
PID 2488 wrote to memory of 1972	2488	eqxNBxP.exe	92
PID 2488 wrote to memory of 1972	2488	eqxNBxP.exe	92
PID 1768 wrote to memory of 4532	1768	Idw:exe	103
PID 1768 wrote to memory of 4532	1768	Idw:exe	103
PID 1768 wrote to memory of 4532	1768	Idw:exe	103

C:\Users\Admin\AppData\Local\Temp\Bit Paymer.exe
"C:\Users\Admin\AppData\Local\Temp\Bit Paymer.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Aoq3\eqxNBxP.exe 2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Users\Admin\AppData\Local\Aoq3\eqxNBxP.exe
    C:\Users\Admin\AppData\Local\Aoq3\eqxNBxP.exe 2
    3⤵
    - Executes dropped EXE
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Local\Zn0T:exe
      C:\Users\Admin\AppData\Local\Zn0T:exe 3 C:\Users\Admin\AppData\Local\Aoq3\eqxNBxP.exe
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      PID:1972
- C:\Users\Admin\AppData\Local\Idw:exe
  C:\Users\Admin\AppData\Local\Idw:exe 1 C:\Users\Admin\AppData\Local\Temp\Bit Paymer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\net.exe
    C:\Windows\system32\net.exe view
    3⤵
    - Discovers systems in the same network
    PID:4532

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Aoq3\eqxNBxP.exe

Filesize
92KB

MD5
998246bd0e51f9582b998ca514317c33

SHA1
5a2d799ac4cca8954fc117c7fb3e868f93c6f009

SHA256
d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2

SHA512
773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt

Filesize
4B

MD5
76390d3429ba451f1e37daae6bc85b51

SHA1
c8e633f4a5ad8991f348fa8bf85dfec134e2c4dc

SHA256
31d694956ddcdb8b2d61ee7b91beb5af37ce0557b6ca44438d2c3ca9f96c56d9

SHA512
cff8a95d7efbabc3ac3c06b721166ac26254eadcbed6296bb17712be07c1b7245ab22fb9b558371b0a69e855451706180ef20ccb57f639cbe818c14d90bd3e54

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.readme_txt

Filesize
1KB

MD5
51fab08a170e3c398e696a5d36cde259

SHA1
b60d83b9db3831998bb5672e4a4a1610cf4e1cb1

SHA256
bab1199a9b43d11429c79f0b15c7e8c8d61ec612aca223aa66fd253eab11f1cb

SHA512
50b95e5bd31ab894e997773c374592bda8a0cf44f92c9b92aad8155928240c1a2d177f81bcdefe72d686413dd9494f8010f66f9e191b7a549fb99902c6f2c3d6

Download Submit
memory/408-0-0x00000000009B0000-0x00000000009B6000-memory.dmp

Filesize
24KB

Download
memory/408-11-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/408-1-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/1768-14-0x0000000000870000-0x0000000000876000-memory.dmp

Filesize
24KB

Download
memory/1768-5891-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/1972-5892-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/1972-26-0x0000000000670000-0x0000000000676000-memory.dmp

Filesize
24KB

Download
memory/2488-19-0x0000000000C10000-0x0000000000C16000-memory.dmp

Filesize
24KB

Download
memory/2488-23-0x0000000001000000-0x0000000001020000-memory.dmp

Filesize
128KB

Download
memory/4488-1344-0x000001C55F160000-0x000001C55F161000-memory.dmp

Filesize
4KB

Download
memory/4488-1354-0x000001C55F160000-0x000001C55F161000-memory.dmp

Filesize
4KB

Download
memory/4488-1355-0x000001C55F160000-0x000001C55F161000-memory.dmp

Filesize
4KB

Download
memory/4488-1353-0x000001C55F160000-0x000001C55F161000-memory.dmp

Filesize
4KB

Download
memory/4488-1352-0x000001C55F160000-0x000001C55F161000-memory.dmp

Filesize
4KB

Download
memory/4488-1351-0x000001C55F160000-0x000001C55F161000-memory.dmp

Filesize
4KB

Download
memory/4488-1350-0x000001C55F160000-0x000001C55F161000-memory.dmp

Filesize
4KB

Download
memory/4488-1349-0x000001C55F160000-0x000001C55F161000-memory.dmp

Filesize
4KB

Download
memory/4488-1343-0x000001C55F160000-0x000001C55F161000-memory.dmp

Filesize
4KB

Download
memory/4488-1345-0x000001C55F160000-0x000001C55F161000-memory.dmp

Filesize
4KB

Download