Overview
overview
10Static
static
101/0178b79b...bd.exe
windows7-x64
101/0178b79b...bd.exe
windows10-2004-x64
101/0280cde4...60.exe
windows7-x64
101/0280cde4...60.exe
windows10-2004-x64
101/08b76206...65.exe
windows7-x64
101/08b76206...65.exe
windows10-2004-x64
101/0e4fc438...91.exe
windows7-x64
31/0e4fc438...91.exe
windows10-2004-x64
101/0fb86a8b...05.exe
windows7-x64
1/0fb86a8b...05.exe
windows10-2004-x64
101/25898c73...8f.exe
windows7-x64
101/25898c73...8f.exe
windows10-2004-x64
101/2c2e9491...3c.exe
windows7-x64
31/2c2e9491...3c.exe
windows10-2004-x64
101/2ef0f582...2e.exe
windows7-x64
31/2ef0f582...2e.exe
windows10-2004-x64
101/39884fc0...82.exe
windows7-x64
101/39884fc0...82.exe
windows10-2004-x64
101/3a72ecec...8a.exe
windows7-x64
101/3a72ecec...8a.exe
windows10-2004-x64
101/3bfcb4f7...71.exe
windows7-x64
101/3bfcb4f7...71.exe
windows10-2004-x64
101/4103411f...f5.exe
windows7-x64
101/4103411f...f5.exe
windows10-2004-x64
101/4e0fdb84...95.exe
windows7-x64
31/4e0fdb84...95.exe
windows10-2004-x64
71/5297372f...33.exe
windows7-x64
31/5297372f...33.exe
windows10-2004-x64
51/68292f38...e4.exe
windows7-x64
31/68292f38...e4.exe
windows10-2004-x64
101/6da4696b...e5.exe
windows7-x64
71/6da4696b...e5.exe
windows10-2004-x64
7Resubmissions
11-12-2024 15:32
241211-sy44nssrdm 1009-08-2024 21:57
240809-1t1vfs1cpm 1006-08-2024 13:01
240806-p9f97szdlm 1006-08-2024 12:52
240806-p3672stdkg 1006-08-2024 12:29
240806-ppa8fsygqr 1006-08-2024 12:26
240806-pmc92ashlh 10Analysis
-
max time kernel
226s -
max time network
234s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
06-08-2024 12:29
Behavioral task
behavioral1
Sample
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral4
Sample
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral6
Sample
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral8
Sample
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral10
Sample
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral12
Sample
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral14
Sample
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral18
Sample
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral20
Sample
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral22
Sample
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral24
Sample
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral28
Sample
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral30
Sample
1/68292f388207f8ec69774dbad429e67420881ce46ecfad55f23182ec3a8893e4.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral32
Sample
1/6da4696b804777582ae586a4e9f42f6c18ccf540222d70dcf3374ee291e674e5.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Errors
General
-
Target
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
-
Size
146KB
-
MD5
2357ecbcf3b566c76c839daf7ecf2681
-
SHA1
89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58
-
SHA256
0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305
-
SHA512
bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401
-
SSDEEP
3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU
Malware Config
Extracted
C:\7V7uPExzv.README.txt
http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
http://group.goocasino.org
https://nullbulge.com
Signatures
-
Renames multiple (342) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 2616 DB42.tmp -
Executes dropped EXE 1 IoCs
pid Process 2616 DB42.tmp -
Loads dropped DLL 1 IoCs
pid Process 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\Saved Games\Microsoft Games\desktop.ini PurblePlace.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft Games\Purble Place\desktop.ini PurblePlace.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7V7uPExzv.bmp" 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7V7uPExzv.bmp" 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 2616 DB42.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DB42.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language csrss.exe -
Enumerates system info in registry 2 TTPs 32 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController csrss.exe -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallpaperStyle = "10" 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe -
Modifies data under HKEY_USERS 9 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" winlogon.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" winlogon.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.7V7uPExzv 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.7V7uPExzv\ = "7V7uPExzv" 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv\DefaultIcon 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv\DefaultIcon\ = "C:\\ProgramData\\7V7uPExzv.ico" 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 572 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1888 PurblePlace.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp 2616 DB42.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeDebugPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: 36 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeImpersonatePrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeIncBasePriorityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeIncreaseQuotaPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: 33 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeManageVolumePrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeProfSingleProcessPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeRestorePrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSystemProfilePrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeTakeOwnershipPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeShutdownPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeDebugPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeBackupPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe Token: SeSecurityPrivilege 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 1976 wrote to memory of 2616 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 33 PID 1976 wrote to memory of 2616 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 33 PID 1976 wrote to memory of 2616 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 33 PID 1976 wrote to memory of 2616 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 33 PID 1976 wrote to memory of 2616 1976 0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe 33 PID 2616 wrote to memory of 1732 2616 DB42.tmp 34 PID 2616 wrote to memory of 1732 2616 DB42.tmp 34 PID 2616 wrote to memory of 1732 2616 DB42.tmp 34 PID 2616 wrote to memory of 1732 2616 DB42.tmp 34 PID 2316 wrote to memory of 2124 2316 csrss.exe 49 PID 2316 wrote to memory of 2124 2316 csrss.exe 49 PID 2428 wrote to memory of 2124 2428 winlogon.exe 49 PID 2428 wrote to memory of 2124 2428 winlogon.exe 49 PID 2428 wrote to memory of 2124 2428 winlogon.exe 49 PID 2316 wrote to memory of 2124 2316 csrss.exe 49 PID 2316 wrote to memory of 2124 2316 csrss.exe 49 PID 2316 wrote to memory of 2124 2316 csrss.exe 49 PID 2316 wrote to memory of 2124 2316 csrss.exe 49 PID 2316 wrote to memory of 2124 2316 csrss.exe 49 PID 2316 wrote to memory of 2124 2316 csrss.exe 49 PID 2316 wrote to memory of 2124 2316 csrss.exe 49 PID 2316 wrote to memory of 2124 2316 csrss.exe 49
Processes
-
C:\Users\Admin\AppData\Local\Temp\1\0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe"C:\Users\Admin\AppData\Local\Temp\1\0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\ProgramData\DB42.tmp"C:\ProgramData\DB42.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DB42.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:1732
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\7V7uPExzv.README.txt1⤵
- Opens file in notepad (likely ransom note)
PID:572
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1481⤵PID:1984
-
C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe"C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe"1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:1888
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:1736
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:2692
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:2620
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2316
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x02⤵PID:2124
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:912
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5b0b8bb8b7906d1861f0a103ecfae1981
SHA196b28a08f591e578adb14a50cfcfca2a269d00fa
SHA2560aa4cd4ade5750862a0109cdef99d663a948e986a78638d6eab4a97f38ad4937
SHA512a2ae83aee3399f28517249cfaa54217c15a4e4fdc559e561c9a60a7bacfd5d679f30253b116b1baed5cfc52e1f2c6e06b458b22c535cfba83044da98a775b8df
-
Filesize
1KB
MD5311c4037f3a7c235dd502bc4edde36d4
SHA1add566472b17172ae95ae23836a9f3b3dd4f4622
SHA2563db2d979ffe8d66d71a8be5146fa3fb05dc104ac6b84d529cdde11fc8821131e
SHA512fab70444dc0e2657d5e07ee60cbf1ee77ba549493547ed16fe456647ae90429ef6b1dce218c942859e87319c814bf9c16fde75b6344a7194cbc27f6bafac4071
-
Filesize
12KB
MD5ee51a9063a2bd12be1283abea9dd28ee
SHA150404d233902762543886b7a1a79e76e7dcec0a1
SHA256bd5b02477d3bf53be7ab8f9cbf14bd7738216b127519f243671a08c8e8518bb9
SHA5122fbb39233ea478456d1f14e21326446c307322ca796c056b89239f5b1bb156c3bf20be8ec03cff3e7e5301d57fb38a912813e3de236e8b76c9dfd46a959cd966
-
C:\Users\Admin\AppData\Local\Temp\1\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize146KB
MD51ec48d038cbf118bcecf950b6c2914cf
SHA1babcd68998a061f9fe47a84b5e3021c23562c6b1
SHA2566dafb54ceb8fd4c1cb21c241c7c3e091d7f3daf2c3573a8effc90efe25caa580
SHA51223494c97aee3809b9b45a6ae30d8742be08259717b2cd14cf2a80169e401d6dd938de06c2923c7c85870d4cb885b8d153a34a486a01dfb21b77dda1484a95b8b
-
Filesize
129B
MD5a68464fba4173baf49fa93fc0a00abb4
SHA1b754c575077d853d6c14601e23f1082242ce6908
SHA256800536a97cc038e639c47b24c380a1e912a7de470bc8aaa77ef8ff85fab88066
SHA51231e91d5f831f65fdf10e46f789f6ad5d52f4aadef7fc18b3d98efbe7f1a9c7c8df3f0a0450ae9a25022cecbb442404d9d26436331b48b0b5e33e48cece6f36bd
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf