0c35ab1832945198c2e913891461a84f4872b5be60a64fd91084eead9e4e23e6

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 12:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

host.exe
Size

16KB
MD5

407318721d5587b5db6ce7873890db96
SHA1

87e69c62e196961f51b3a973a6b7e810dcb922c9
SHA256

c641e79ae3fa662a639f4fa3a0cb8723030c114bfb2d7ffad488de73afd574ce
SHA512

2dfa2e3c1ad5ba3e4dd81bfd646995fdcdc20c1080974a26cd01254506ba32d394693144758cf71bdc5726b71aa7721551ecea4f0bd8ca2ccffc17a837ff6f74
SSDEEP

384:y0sAA+LPsuTnVshZ9hA+b3Qj5MRjV1V/QBOIjLb1:yaV/+b3N31V/yb

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (878) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\README.txt	host.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt.abc	host.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	host.exe
File opened (read-only)	\??\A:	host.exe
File opened (read-only)	\??\B:	host.exe
File opened (read-only)	\??\E:	host.exe
File opened (read-only)	\??\H:	host.exe
File opened (read-only)	\??\R:	host.exe
File opened (read-only)	\??\T:	host.exe
File opened (read-only)	\??\W:	host.exe
File opened (read-only)	\??\K:	host.exe
File opened (read-only)	\??\L:	host.exe
File opened (read-only)	\??\O:	host.exe
File opened (read-only)	\??\P:	host.exe
File opened (read-only)	\??\V:	host.exe
File opened (read-only)	\??\Z:	host.exe
File opened (read-only)	\??\G:	host.exe
File opened (read-only)	\??\I:	host.exe
File opened (read-only)	\??\J:	host.exe
File opened (read-only)	\??\N:	host.exe
File opened (read-only)	\??\X:	host.exe
File opened (read-only)	\??\M:	host.exe
File opened (read-only)	\??\Q:	host.exe
File opened (read-only)	\??\S:	host.exe
File opened (read-only)	\??\U:	host.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lt-LT\README.txt	host.exe
File created	C:\Windows\SysWOW64\Dism\MsiProvider.dll.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\xpsfilt.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\hu-HU\README.txt	host.exe
File created	C:\Windows\SysWOW64\lv-LV\README.txt	host.exe
File created	C:\Windows\SysWOW64\el-GR\d2d1.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\wpcsvc.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\autoplay.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\zh-HK\README.txt	host.exe
File created	C:\Windows\SysWOW64\Dism\DismProv.dll.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\cmdial32.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\cryptui.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\azman.msc.abc	host.exe
File created	C:\Windows\SysWOW64\diskcopy.com.abc	host.exe
File created	C:\Windows\SysWOW64\dxva2.dll.abc	host.exe
File created	C:\Windows\SysWOW64\fi-FI\README.txt	host.exe
File created	C:\Windows\SysWOW64\InstallShield\README.txt	host.exe
File created	C:\Windows\SysWOW64\de-DE\QAgentRT.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\Dism\DismCore.dll.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\apphelp.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\CSRR.rs.mui.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\Apphlpdm.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\DWrite.dll.abc	host.exe
File created	C:\Windows\SysWOW64\README.txt	host.exe
File created	C:\Windows\SysWOW64\ras\README.txt	host.exe
File created	C:\Windows\SysWOW64\en-US\cscobj.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\DeviceCenter.dll.abc	host.exe
File created	C:\Windows\SysWOW64\dmusic.dll.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\DDACLSys.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\eappcfg.dll.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\csrsrv.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\aaclient.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\dhcpcsvc.dll.abc	host.exe
File created	C:\Windows\SysWOW64\EAPQEC.DLL.abc	host.exe
File created	C:\Windows\SysWOW64\icsxml\README.txt	host.exe
File created	C:\Windows\SysWOW64\de-DE\wshrm.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\wsecedit.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\Setup\README.txt	host.exe
File created	C:\Windows\SysWOW64\en-US\acctres.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\appwiz.cpl.mui.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\provsvc.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\QAgent.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\Dism\WimProvider.dll.abc	host.exe
File created	C:\Windows\SysWOW64\DevicePairingProxy.dll.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\prnfldr.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\el-GR\comdlg32.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\adprovider.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\clusapi.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\DevicePairingFolder.dll.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\wlangpui.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\asferror.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\cs-CZ\README.txt	host.exe
File created	C:\Windows\SysWOW64\el-GR\README.txt	host.exe
File created	C:\Windows\SysWOW64\uk-UA\README.txt	host.exe
File created	C:\Windows\SysWOW64\de-DE\wlancfg.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\accessibilitycpl.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\devmgr.dll.abc	host.exe
File created	C:\Windows\SysWOW64\dpwsockx.dll.abc	host.exe
File created	C:\Windows\SysWOW64\EhStorShell.dll.abc	host.exe
File created	C:\Windows\SysWOW64\et-EE\README.txt	host.exe
File created	C:\Windows\SysWOW64\de-DE\xmlfilter.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\dhcpsapi.dll.abc	host.exe
File created	C:\Windows\SysWOW64\sk-SK\README.txt	host.exe
File created	C:\Windows\SysWOW64\en-US\xwtpdui.dll.mui.abc	host.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll.abc	host.exe
File created	C:\Program Files\Windows Defender\MpSvc.dll.abc	host.exe
File created	C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp.abc	host.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingEngine.dll.abc	host.exe
File created	C:\Program Files\Windows Media Player\it-IT\mpvis.dll.mui.abc	host.exe
File created	C:\Program Files\Windows Journal\Templates\Genko_2.jtp.abc	host.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\README.txt	host.exe
File created	C:\Program Files (x86)\Windows Media Player\README.txt	host.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE.abc	host.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADVTEL.DIC.abc	host.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\README.txt	host.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmpnssci.dll.mui.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PTXT9.DLL.abc	host.exe
File created	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ENGLISH.LNG.abc	host.exe
File created	C:\Program Files\Windows Defender\de-DE\README.txt	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_en.dub.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OUTLRPC.DLL.abc	host.exe
File created	C:\Program Files\Windows Mail\it-IT\README.txt	host.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.ini.abc	host.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini.abc	host.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OCRVC.DAT.abc	host.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\README.txt	host.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.abc	host.exe
File created	C:\Program Files (x86)\Common Files\System\DirectDB.dll.abc	host.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\iedvtool.dll.mui.abc	host.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.abc	host.exe
File created	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OUTLFLTR.DAT.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSODCW.DLL.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\mset7jp.kic.abc	host.exe
File created	C:\Program Files\Windows Media Player\es-ES\README.txt	host.exe
File created	C:\Program Files (x86)\Internet Explorer\F12Tools.dll.abc	host.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHLTS.DLL.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadataresource.xsd.abc	host.exe
File created	C:\Program Files\Mozilla Firefox\README.txt	host.exe
File created	C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OUTLPH.DLL.abc	host.exe
File created	C:\Program Files\DVD Maker\rtstreamsink.ax.abc	host.exe
File created	C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONTAB32.DLL.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\NL7MODELS0009.dll.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\REVERSE.DLL.abc	host.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\README.txt	host.exe
File created	C:\Program Files (x86)\Windows Defender\README.txt	host.exe
File created	C:\Program Files\TestBlock.js.abc	host.exe
File created	C:\Program Files\Windows Journal\jnwppr.dll.abc	host.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\README.txt	host.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini.abc	host.exe
File created	C:\Program Files\Microsoft Games\Chess\ChessMCE.lnk.abc	host.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll.abc	host.exe
File created	C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui.abc	host.exe
File created	C:\Program Files\Windows Media Player\de-DE\WMPDMCCore.dll.mui.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GFX.DLL.abc	host.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\README.txt	host.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\README.txt	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE.abc	host.exe
File created	C:\Program Files\Java\jre7\LICENSE.abc	host.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Opulent.thmx.abc	host.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig.abc	host.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_xnacc.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4224bf32598fa004\README.txt	host.exe
File created	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..psecurity.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2ca604c3e99b5420.manifest.abc	host.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..utomation.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fb0acbc28638b473\wiaaut.dll.mui.abc	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ntservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9b272608114ddd24\lpdsvc.dll.mui.abc	host.exe
File created	C:\Windows\winsxs\Manifests\x86_microsoft-windows-media-mp3acm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_821c77c20363ed45.manifest.abc	host.exe
File created	C:\Windows\winsxs\Manifests\x86_microsoft-windows-m..mdac-sql-netlibs-np_31bf3856ad364e35_6.1.7600.16385_none_eeb24528dbcb8823.manifest.abc	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-langreg.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2c40e6785093a2ba\README.txt	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..nbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_35192b698968a983.manifest.abc	host.exe
File created	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-shell-accessories_31bf3856ad364e35_6.1.7601.17514_none_57702afd500ce4b5.manifest.abc	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_68f632f43987fd09\bootmgr.efi.mui.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-l..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_99829fb19862ac06.manifest.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..licytools.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e383dccf8e63c5e8.manifest.abc	host.exe
File created	C:\Windows\winsxs\Manifests\x86_microsoft-windows-t..hedulerv2.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b776bfc9870efaf3.manifest.abc	host.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c4612d3f03b3254c\kmddsp.tsp.mui.abc	host.exe
File created	C:\Windows\winsxs\x86_netfx-dfdll_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_5cd78bb510da3dfc\README.txt	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\README.txt	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Windows Balloon.wav.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..vironment.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a6010356dbaf118a.manifest.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_mtconfig.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_es-es_12df1ad6da899601.manifest.abc	host.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..layswitch.resources_31bf3856ad364e35_6.1.7600.16385_it-it_93d4e72ed679bf41\README.txt	host.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\WMI-Core-DL.man.abc	host.exe
File created	C:\Windows\winsxs\amd64_wpdcomp.inf_31bf3856ad364e35_6.1.7601.17514_none_d7b74761221e6838\wpdcomp.inf.abc	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wpfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_3f0a45b66435bdc5\UIAutomationTypes.resources.dll.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-ncrypt-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c27f4a08e8f74baa.manifest.abc	host.exe
File created	C:\Windows\winsxs\Manifests\x86_microsoft-windows-dataclen.resources_31bf3856ad364e35_6.1.7600.16385_de-de_142d3e4e8f7ea4a1.manifest.abc	host.exe
File created	C:\Windows\winsxs\msil_microsoft.build.utilities.v3.5_b03f5f7f11d50a3a_6.1.7601.17514_none_1706fc424884a211\README.txt	host.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e1bbd91348b28fbd\README.txt	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..rityzones.resources_31bf3856ad364e35_11.2.9600.16428_en-us_50d9c4adf68799f0\urlmon.dll.mui.abc	host.exe
File created	C:\Windows\winsxs\Backup\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94492e5609cc02ce_hid.dll.mui_cccd5ae0.abc	host.exe
File created	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-installer-engine_31bf3856ad364e35_6.1.7601.17514_none_6bf52decfe850b3d.manifest.abc	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..veryagent.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3cf3ec9673ab78ae\reagent.dll.mui.abc	host.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.1.7600.16385_none_27e5cecd389a11b4\GroupedProviders.xml.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..oyment-languagepack_31bf3856ad364e35_6.1.7601.17514_it-it_97946aef9efcd8bf.manifest.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-imagingengine_31bf3856ad364e35_6.1.7601.17514_none_8a0f014c44ba8e25.manifest.abc	host.exe
File created	C:\Windows\winsxs\Manifests\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.1.7600.16385_none_c4b459e91851aaf5.manifest.abc	host.exe
File created	C:\Windows\winsxs\FileMaps\$$_system32_es-es_licenses_default_ultimate_52c4b8a2e3868b32.cdf-ms.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-help-errmes.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4e8fdbbdaf49b193.manifest.abc	host.exe
File created	C:\Windows\winsxs\amd64_netfx-corperfmonsymbols_b03f5f7f11d50a3a_6.1.7600.16385_none_5b4a172573c72f57\corperfmonsymbols.ini.abc	host.exe
File created	C:\Windows\winsxs\amd64_wiabr006.inf_31bf3856ad364e35_6.1.7600.16385_none_08ee5d89caf5d98d\wiabr006.inf.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..oyment-languagepack_31bf3856ad364e35_6.1.7600.16385_de-de_a85f04398468229d.manifest.abc	host.exe
File created	C:\Windows\winsxs\amd64_brmfcwia.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73bc69059e699de0\RSMGRSTR.dll.mui.abc	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ewall-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_63715dabe6810645\WindowsFirewall.adml.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7e0554d80f997b54.manifest.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-help-deskpr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_35fcd08f4ac1d149.manifest.abc	host.exe
File created	C:\Windows\winsxs\amd64_prnca00d.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_62efd6227ab667ed\CNBBR290.DLL.mui.abc	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ylistener.resources_31bf3856ad364e35_6.1.7600.16385_it-it_50e13bd0c915c530\IdListen.dll.mui.abc	host.exe
File created	C:\Windows\winsxs\FileMaps\$$_syswow64_0410_1bf214d7bb311e77.cdf-ms.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_prnok002.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1305893b38d4fb29.manifest.abc	host.exe
File created	C:\Windows\winsxs\FileMaps\$$_system32_fr-fr_licenses_eval_starter_da5f41a32e1a931c.cdf-ms.abc	host.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..confg-rll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9169f04eb7bce565\README.txt	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_38034e6c77100d40\SqlPersistenceProviderSchema.sql.abc	host.exe
File created	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18633fbb02ac1dfc.manifest.abc	host.exe
File created	C:\Windows\winsxs\amd64_prnlx00y.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_78704df40b217710\prnlx00y.inf_loc.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-h..ragelayer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a0b8ce5c8bdc72bb.manifest.abc	host.exe
File created	C:\Windows\winsxs\Manifests\x86_microsoft-windows-m..er-wmvsdk.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b1d87cd5233e83dc.manifest.abc	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-directwrite.resources_31bf3856ad364e35_7.1.7601.16492_nb-no_9b8d0467f7e1805b.manifest.abc	host.exe
File created	C:\Windows\winsxs\x86_taskschedulersettings.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4a528b30a02d4cbd\README.txt	host.exe
File created	C:\Windows\winsxs\amd64_prnlx00z.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4907ce2cfe9a0ad9\README.txt	host.exe
File created	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..ity-pku2u.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_48b90bfeb16b5072.manifest.abc	host.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..eercollab.resources_31bf3856ad364e35_6.1.7600.16385_es-es_82946e72e9a0f858\README.txt	host.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_nb-no_1d6cc00f7f128cc9\comctl32.dll.mui.abc	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ponent-sku-ultimate_31bf3856ad364e35_6.1.7601.17514_none_f7e6a2aa970662b7\README.txt	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ef3f3b3b9e7e8bff\umpo.dll.mui.abc	host.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_en-us_39b468a7491888f2\gadget.xml.abc	host.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	host.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	host.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	host.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	host.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2860	3020	host.exe	31
PID 3020 wrote to memory of 2860	3020	host.exe	31
PID 3020 wrote to memory of 2860	3020	host.exe	31
PID 3020 wrote to memory of 2860	3020	host.exe	31

C:\Users\Admin\AppData\Local\Temp\host.exe
"C:\Users\Admin\AppData\Local\Temp\host.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\host.exe
  "C:\Users\Admin\AppData\Local\Temp\host.exe" --foodsum
  2⤵
  - Drops file in Drivers directory
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\eo.txt.abc

Filesize
5KB

MD5
9bc90465a186e972c7f03bd12849b099

SHA1
00b08ed28684fbda868fb459b2ce9c1a2c4bfa1e

SHA256
6d02907e16e959462487ff7339c7ac25943befea414c9b123c9eeb6424f97f6f

SHA512
1e20f4f56c373d2968b2a8ee6b9cde270e0f358ec5cf5f617791771e6dbf024e6fd07410c8f8e3eab03172c2f01cb298818933076c54f3f819f4e709c5af0ccf

Download Submit
C:\Program Files\Internet Explorer\msdbg2.dll.abc

Filesize
391KB

MD5
3f2be8e60acb1960e31d1fe315470f40

SHA1
2ce4df8d4e555c7ec3d028ed63297cd1b9763a97

SHA256
f01e98ad32ee62c569d6a8ae178b1b6f29eb6f0bbaa9614723b1c3c1a982f237

SHA512
25162be71b7d6ae3f3edac47b91ba8d82e1c24a836553c3ac96cf049cecea9c058beb064976c6d8ec9e6142a6e543f18017d0ef43a721597a938f9bed214de82

Download Submit
C:\Program Files\Mozilla Firefox\firefox.cfg.abc

Filesize
4KB

MD5
d516a1f8968fafbd5d89564fb1f29e62

SHA1
14c8735213245fc23333265eb3517a691df58b2f

SHA256
e3ffe92beeddc8e8968f016c2abf91ef1115ddce744921f6f8724153e843a699

SHA512
8b31151c22dff0e98ed22ea619da3d54f7d04240ad399ca923441e4bc8f79847e709e343bda1f33e25331aa4b035d008fcce0915c2cd782acee7c16907f2a28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab19BA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar19FB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Documents\FormatStep.vssx.abc

Filesize
244KB

MD5
c5f7374890b6337b2c8fcb7d6bb4af81

SHA1
ea7c9bec686543f33ce8eda4a21de06422c2b2b3

SHA256
552cc0ae1402beb57b0919744c7c05e55190e6fb1a21529aca1805627a5a1aa6

SHA512
16f9bbf5e6b4368afe827dc63ad3e27c627359c1a659c2aa65b59281bd5ae26ae5003c40209f0fd2f7bda2f2b62d50b937240362259dd1b97878e5d5e5baabd2

Download Submit
C:\Users\Admin\Documents\README.txt

Filesize
111B

MD5
ed96f73c7232b4e6bc6b8e54993d1d7b

SHA1
4a517548e17356dfba09be166daf34ff91f69387

SHA256
e5d27c881c0308284da6b846e90625da4b959fcf8600e9dd015fac46177d63ef

SHA512
540243245e4eca9b30f32b61eff6098ece0246c7a25ee61ffebdf398436c8b9c9f24f552dad3e14d61601828780001340c3b628c1a2c43cab68f4e8688920f1b

Download Submit
C:\Windows\SysWOW64\dmdskres2.dll.abc

Filesize
2KB

MD5
765431b6312be708a4499e1b1253706b

SHA1
d9e33e7cec09ca124192f6ad8a7567cef81926ce

SHA256
bb2f50ec7699dc94e11b326a5477522a1b4ef914dfaab009caf0cf9b8e623f12

SHA512
085e1f7347852f2bf4f2d4a51418a59e2c946d97823888a89c366e1241012abacc7bd0bf15331fddc7fb7aaefb6dbdd43ae99a57a83a67b15c602607638e374e

Download Submit
C:\Windows\SysWOW64\en-US\adsnt.dll.mui.abc

Filesize
2KB

MD5
3145f8345d5ef5e01d243896de5fc505

SHA1
7d85c6c2bcab5f58d549beb47615927736689ab6

SHA256
18aa5022bb2db9106e3e0d62cb1617888d4cda2f32aabe765594ba8cd1d47034

SHA512
43844cd420d24d2ca1f696b1cd6376e2cc0f96addd2f045ec2307149c26d50b75e8211131a0253277bc4a024e6c4580d93c34bc6bc916c6f6056e9ad28e482df

Download Submit