Analysis
-
max time kernel
147s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
25-07-2024 15:34
Static task
static1
Behavioral task
behavioral1
Sample
0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe
Resource
win10v2004-20240709-en
General
-
Target
0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe
-
Size
792KB
-
MD5
4e8dcbde14041ca343eea4ab3f0966c6
-
SHA1
ed696645eca467d84ea2fd5c7d03517f3762da93
-
SHA256
0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db
-
SHA512
fd31800fa8139f4cda7977b4bf4c298359e39d606f5db480063546765f9b4a1e3280abce985cb58fe8ae783479e0f006350e52e4bd6b8160a19ec2b3cb4f31bc
-
SSDEEP
24576:tocYLYjvFiJMEjiXyDxdY3l5bnZ/GZyN:2c5vsnjiXHbbZOwN
Malware Config
Extracted
djvu
http://fuyt.org/test1/get.php
-
extension
.kkia
-
offline_id
dYUDKE4rrBmSPsf8srHMsyP40jle9uyxDDCfdxt1
-
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-NdDG3HIUZp Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0425Jsfkjn
Signatures
-
Detected Djvu ransomware 16 IoCs
Processes:
resource yara_rule behavioral2/memory/384-50-0x00000000023E0000-0x00000000024FB000-memory.dmp family_djvu behavioral2/memory/4640-52-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4640-53-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4640-55-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4640-51-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/4640-67-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3088-81-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3088-87-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3088-88-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3088-89-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3088-97-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3088-100-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3088-103-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3088-102-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3088-104-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral2/memory/3088-105-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\GTpwsO.exe aspack_v212_v242 -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
GTpwsO.exe0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exeGTpwsO.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation GTpwsO.exe Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation GTpwsO.exe -
Executes dropped EXE 2 IoCs
Processes:
GTpwsO.exeGTpwsO.exepid process 4760 GTpwsO.exe 1020 GTpwsO.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0197d4f0-99cd-4f58-99b7-75b2de68df15\\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe\" --AutoStart" 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 14 api.2ip.ua 15 api.2ip.ua 35 api.2ip.ua -
Suspicious use of SetThreadContext 2 IoCs
Processes:
0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exedescription pid process target process PID 384 set thread context of 4640 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 1288 set thread context of 3088 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe -
Drops file in Program Files directory 64 IoCs
Processes:
GTpwsO.exedescription ioc process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe GTpwsO.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe GTpwsO.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe GTpwsO.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE GTpwsO.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe GTpwsO.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe GTpwsO.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe GTpwsO.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe GTpwsO.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe GTpwsO.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe GTpwsO.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe GTpwsO.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe GTpwsO.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe GTpwsO.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe GTpwsO.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe GTpwsO.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe GTpwsO.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe GTpwsO.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe GTpwsO.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe GTpwsO.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe GTpwsO.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe GTpwsO.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe GTpwsO.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe GTpwsO.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe GTpwsO.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe GTpwsO.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
GTpwsO.exe0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.execmd.exe0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.execmd.exeicacls.exeGTpwsO.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GTpwsO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GTpwsO.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exepid process 4640 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 4640 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 3088 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 3088 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exeGTpwsO.exe0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exeGTpwsO.exedescription pid process target process PID 384 wrote to memory of 4760 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe GTpwsO.exe PID 384 wrote to memory of 4760 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe GTpwsO.exe PID 384 wrote to memory of 4760 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe GTpwsO.exe PID 4760 wrote to memory of 3476 4760 GTpwsO.exe cmd.exe PID 4760 wrote to memory of 3476 4760 GTpwsO.exe cmd.exe PID 4760 wrote to memory of 3476 4760 GTpwsO.exe cmd.exe PID 384 wrote to memory of 4640 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 384 wrote to memory of 4640 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 384 wrote to memory of 4640 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 384 wrote to memory of 4640 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 384 wrote to memory of 4640 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 384 wrote to memory of 4640 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 384 wrote to memory of 4640 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 384 wrote to memory of 4640 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 384 wrote to memory of 4640 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 384 wrote to memory of 4640 384 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 4640 wrote to memory of 748 4640 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe icacls.exe PID 4640 wrote to memory of 748 4640 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe icacls.exe PID 4640 wrote to memory of 748 4640 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe icacls.exe PID 4640 wrote to memory of 1288 4640 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 4640 wrote to memory of 1288 4640 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 4640 wrote to memory of 1288 4640 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 1288 wrote to memory of 1020 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe GTpwsO.exe PID 1288 wrote to memory of 1020 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe GTpwsO.exe PID 1288 wrote to memory of 1020 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe GTpwsO.exe PID 1020 wrote to memory of 5040 1020 GTpwsO.exe cmd.exe PID 1020 wrote to memory of 5040 1020 GTpwsO.exe cmd.exe PID 1020 wrote to memory of 5040 1020 GTpwsO.exe cmd.exe PID 1288 wrote to memory of 3088 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 1288 wrote to memory of 3088 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 1288 wrote to memory of 3088 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 1288 wrote to memory of 3088 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 1288 wrote to memory of 3088 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 1288 wrote to memory of 3088 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 1288 wrote to memory of 3088 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 1288 wrote to memory of 3088 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 1288 wrote to memory of 3088 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe PID 1288 wrote to memory of 3088 1288 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe 0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe"C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Users\Admin\AppData\Local\Temp\GTpwsO.exeC:\Users\Admin\AppData\Local\Temp\GTpwsO.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\126764c9.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe"C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\0197d4f0-99cd-4f58-99b7-75b2de68df15" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:748 -
C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe"C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Users\Admin\AppData\Local\Temp\GTpwsO.exeC:\Users\Admin\AppData\Local\Temp\GTpwsO.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\62760151.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe"C:\Users\Admin\AppData\Local\Temp\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe" --Admin IsNotAutoStart IsNotTask4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3088
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57fb5fa1534dcf77f2125b2403b30a0ee
SHA1365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA25633a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e
-
Filesize
436B
MD51bfe0a81db078ea084ff82fe545176fe
SHA150b116f578bd272922fa8eae94f7b02fd3b88384
SHA2565ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f
SHA51237c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD53fef17aa69250ae33a67dd10066a05da
SHA1a162a4844d444067b9c2e781d075c54edca51079
SHA25679c6f2fd6f87d498f84128a56d582b807677b075ff2124f03105aba0d83bb7f0
SHA5125798c869c63b143d32de600ecb923a0959bea482734b2c302a7bebeef01c89ba14506f4f1637480754961cc7f8023a7e0e8b80c8c682681ecacb90d75a09acb0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize170B
MD571dcdf29dc5cb8f63787ff71e2efcdc1
SHA1e11b97feaa0ebb589af8718a30817959f5a94c0f
SHA256c9c9705064101b71457d95a526664471af619ac64fe8746550475ec0f69cc36d
SHA512b63de9c1981525117d6309f6e327caafa355e12bbe1084d6049854c10c42e38145a56c43c53420dee93e809173846aa8c70bdff0a001647797f720eb61cd094d
-
C:\Users\Admin\AppData\Local\0197d4f0-99cd-4f58-99b7-75b2de68df15\0fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db.exe
Filesize792KB
MD54e8dcbde14041ca343eea4ab3f0966c6
SHA1ed696645eca467d84ea2fd5c7d03517f3762da93
SHA2560fca5cc453a703c35c7c311dd7d7d0ffd64d5551f874399eef8aa25cd46fc6db
SHA512fd31800fa8139f4cda7977b4bf4c298359e39d606f5db480063546765f9b4a1e3280abce985cb58fe8ae783479e0f006350e52e4bd6b8160a19ec2b3cb4f31bc
-
Filesize
4B
MD5d3b07384d113edec49eaa6238ad5ff00
SHA1f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA5120cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
-
Filesize
187B
MD55a38b27d8834711c4c2b36cc60ced2cd
SHA1f5d930894ae2d5c00b08fc9e1be1d974ff276f23
SHA256673a442373e8cb026b56707ad947dd6852c8db77d4c24bfa742bb9dfb1948960
SHA512d730fb55c02aba55ea8774c0dbbe6060b08ac1ced7175747560c94bcdd65e6eb7e5764ab22cefe936e2f808cd54a5296a8fd47d5764ea920c45b511d3f470345
-
Filesize
4B
MD520879c987e2f9a916e578386d499f629
SHA1c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA2569f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f
-
Filesize
187B
MD595879db5dd3d9ddeaa78c3fcb8d795ee
SHA124c71a2b5dbc58b75318f3122be4c3bc3c503ab4
SHA2569078f1d1518d0c9bf6cc9b030f9fe4d016e6d2c417f9100baba89bca85d3a5f5
SHA51280d35b5f7ac076abe57da81cf24dd75d5f9da889a38124b0a5b800b09ffa5f965f9697ca57195d90164f6ba0c84aee9824c2b8afe43bf47f6fced7b5d6da4eb9
-
Filesize
15KB
MD5f7d21de5c4e81341eccd280c11ddcc9a
SHA1d4e9ef10d7685d491583c6fa93ae5d9105d815bd
SHA2564485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
SHA512e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3