183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b

Resubmissions

26/09/2024, 03:06

240926-dlyc2atfqp 9

19/09/2024, 03:30

19/09/2024, 03:22

19/09/2024, 03:15

19/09/2024, 03:14

18/09/2024, 21:46

Analysis

max time kernel
16s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
Size

581KB
MD5

8b70ba0f3b9818b5e2909e370254ea48
SHA1

56ffda57fd9161b441f0715d848cbcc0c0ccf5bf
SHA256

183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b
SHA512

53e8a9319f9cb58b2de4069c8a579cb0ad49408ba93f052d58eb5fb7e8996953fb8569babf5b6853f89d054309c457162277a360947972e9e4e8f0ec67f0cb28
SSDEEP

12288:N9C7oO/76BYSuTDqymSutZLcTra3qxsOeNMzrTKcJmVcgrdC:N94DmSuteagsUzXJmmgrdC

Score

9^/10

bootkit discovery persistence ransomware upx

Malware Config

Signatures

Renames multiple (282) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Loads dropped DLL 1 IoCs

pid	Process
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3604-0-0x0000000000400000-0x0000000000676000-memory.dmp	upx
behavioral2/memory/3604-195-0x0000000000400000-0x0000000000676000-memory.dmp	upx
behavioral2/memory/3604-194-0x0000000000400000-0x0000000000676000-memory.dmp	upx

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\desktop.ini	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Program Files\desktop.ini	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Users\Admin\Documents\desktop.ini	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Users\Admin\Favorites\desktop.ini	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Users\Admin\Desktop\desktop.ini	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Program Files\desktop.ini	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\UnblockSave.vsx	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\ExpandExport.001	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\SkipPing.bat	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\DebugTest.scf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\ShowResume.doc	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\SearchAssert.mp4	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\StartWrite.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\StepOptimize.eprtx	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\PublishMount.ogg	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\vgafixe.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\courbi.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\malgunbd.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\consola.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\ega40737.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\Candaraz.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\coure.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\mmrtext.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\SitkaI.ttc	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\arial.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\constan.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\corbell.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\vgasysr.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\fms_metadata.xml	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\85f1257.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\85s1255.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\app855.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\symbol.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Windows\Fonts\GARA.TTF	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\app949.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\ebrimabd.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\sseriffr.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\vga863.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\app857.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\pala.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\verdanab.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\8514syst.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Windows\Fonts\ARIALNBI.TTF	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Windows\Fonts\DUBAI-MEDIUM.TTF	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\h8514fix.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Windows\Fonts\PRISTINA.TTF	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Windows\Fonts\GOTHICBI.TTF	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\SitkaB.ttc	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\arialbi.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\ssef1257.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\vgas1255.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\app936.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\gadugib.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\hvgasys.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\constanb.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\Nirmala.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\segoeprb.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\smallft.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\85s874.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\mvboli.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\serifer.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File opened for modification	C:\Windows\Fonts\FREESCPT.TTF	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\app866.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\segmdl2.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\segoeuib.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\tahomabd.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\seriffr.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\Sitka.ttc	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\ariali.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\ega40869.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\vgaf1257.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\8514oemg.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\ega80woa.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\seguibli.ttf	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\couf1257.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\8514fix.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\8514fixe.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\8514sys.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
File created	C:\Windows\Fonts\ega80866.fon	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\WallpaperStyle = "0"	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\Desktop\TileWallpaper = "0"	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 1792	3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe	94
PID 3604 wrote to memory of 1792	3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe	94
PID 3604 wrote to memory of 1792	3604	183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe	94

C:\Users\Admin\AppData\Local\Temp\183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
"C:\Users\Admin\AppData\Local\Temp\183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\system32\notepad.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\lframe32.dll

Filesize
91KB

MD5
e473f639723972758004181c216e7654

SHA1
b99232cdee41a86599861a882d8a92c71509f803

SHA256
df96be89403fed5ca5fc815dca978c85a03064e24ccf9df15df1c99cc8aa491e

SHA512
10b1a515850e24ddfe3aa389f40bded1552f2525179b350b58cc057342d6ef97b5a764a74643ea5afbd25608f524661c93d1e204689a05a7a4567b5f308a656a

Download Submit
memory/3604-0-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3604-195-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3604-194-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads