Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
18-10-2024 02:10
Static task
static1
Behavioral task
behavioral1
Sample
8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe
Resource
win10v2004-20241007-en
General
-
Target
8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe
-
Size
175KB
-
MD5
6a5385a7e3a32d785e5e1e3a6b75bd30
-
SHA1
e7a958a1ec25507ef4e7780f28cd9d575690438e
-
SHA256
8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6
-
SHA512
79326f406a834508778d94bef5001c130e5e9b16a7856ca78eaa42b92ba35a5346e3cacdb13f614f8a44c4d7f1797f9b73665240bd4ebdf6c3fcc01e2c076989
-
SSDEEP
3072:KyPqTYzh0M2jt3MuZOjr6GtDp5BKzF6PfZxFI20cRAp:KTmh0Tt5OfZpv04I9kAp
Malware Config
Signatures
-
Renames multiple (7454) files with added filename extension
This is the file-encryption footprint of ransomware: existing files are rewritten and renamed with an appended extension. In this run the appended extension is .Dominik and a ransom note named Dominik_Help.txt is created in the affected directories (see the Program Files entries below).
-
Deletes itself 1 IoCs
Processes:
pid process
2272 cmd.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid process
780 df.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid process
1208 cmd.exe
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
process: 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe (all 25 entries)
description ioc
File opened (read-only) \??\T:
File opened (read-only) \??\H:
File opened (read-only) \??\I:
File opened (read-only) \??\K:
File opened (read-only) \??\L:
File opened (read-only) \??\M:
File opened (read-only) \??\P:
File opened (read-only) \??\Q:
File opened (read-only) \??\V:
File opened (read-only) \??\D:
File opened (read-only) \??\G:
File opened (read-only) \??\J:
File opened (read-only) \??\O:
File opened (read-only) \??\W:
File opened (read-only) \??\X:
File opened (read-only) \??\A:
File opened (read-only) \??\E:
File opened (read-only) \??\R:
File opened (read-only) \??\S:
File opened (read-only) \??\U:
File opened (read-only) \??\Y:
File opened (read-only) \??\F:
File opened (read-only) \??\B:
File opened (read-only) \??\N:
File opened (read-only) \??\Z:
-
Drops file in Program Files directory 64 IoCs
Processes:
process: 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe (all 64 entries)
description ioc
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml
File created C:\Program Files\VideoLAN\VLC\locale\ast\Dominik_Help.txt
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00163_.GIF
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN022.XML
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS.Dominik
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.Dominik
File created C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\Dominik_Help.txt
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.Dominik
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0295241.GIF
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\Dominik_Help.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.Dominik
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Opulent.thmx.Dominik
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186348.WMF
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV.HXS
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions.css
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\Dominik_Help.txt
File opened for modification C:\Program Files\SkipProtect.mhtml
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Hardcover.eftx
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.Dominik
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153313.WMF
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf.Dominik
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP.Dominik
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF.Dominik
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Verve.thmx
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198102.WMF.Dominik
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01330_.GIF
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURE.CFG.Dominik
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0290548.WMF
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Clarity.eftx.Dominik
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.DPV
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10299_.GIF
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\PABR.SAM
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo.Dominik
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg.Dominik
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar.Dominik
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\Dominik_Help.txt
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG.Dominik
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02424_.WMF
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00194_.WMF.Dominik
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif.Dominik
File opened for modification C:\Program Files (x86)\Common Files\System\ado\msado26.tlb
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090089.WMF
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00671_.WMF.Dominik
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251301.WMF.Dominik
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\XLSLICER.DLL.IDX_DLL
File opened for modification C:\Program Files\Java\jre7\lib\deploy\splash.gif.Dominik
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPM.CFG.Dominik
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo.Dominik
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0278882.WMF
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02198_.GIF
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_alignright.gif
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths.Dominik
File created C:\Program Files\Java\jre7\lib\zi\Indian\Dominik_Help.txt
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00092_.WMF
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF.Dominik
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF.Dominik
-
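The two on-disk artefacts in the entries above, files renamed with the appended .Dominik extension and a Dominik_Help.txt note created in the directories the sample touched, are what a responder uses to scope an infection on a live host: how many files were hit, what they were before the rename, and which directories were encrypted but never got a note (a sign the run was interrupted there). The Python below is an added example for this page, not code from the sandbox vendor or from the sample. The extension and note name come from this report; the directory layout it builds is constructed from a handful of paths in the list above and holds placeholder bytes, not real encrypted content.

```python
"""Scope a ransomware run from its on-disk artefacts: files renamed with an
appended extension (.Dominik here) and a ransom note (Dominik_Help.txt)
created in the affected directories. Added example, not the report's code."""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENC_EXT = ".Dominik"            # appended extension seen in this report
NOTE_NAME = "Dominik_Help.txt"  # ransom note name seen in this report


def scope_encryption(root, enc_ext=ENC_EXT, note_name=NOTE_NAME):
    """Walk `root` and summarise encrypted files and ransom notes.

    Returns: encrypted (files ending in enc_ext), notes (note files found),
    original_exts (extension each file had before the rename) and
    enc_dirs_without_note (directories with encrypted files but no note).
    """
    root = Path(root)
    encrypted, notes = 0, 0
    original_exts = Counter()
    note_dirs, enc_dirs = set(), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == note_name:
                notes += 1
                note_dirs.add(dirpath)
            elif name.endswith(enc_ext):
                encrypted += 1
                enc_dirs.add(dirpath)
                original = name[:-len(enc_ext)]   # strip the appended extension
                original_exts[Path(original).suffix.lower() or "<none>"] += 1
    missing = sorted(Path(d).relative_to(root).as_posix()
                     for d in enc_dirs - note_dirs)
    return {"encrypted": encrypted, "notes": notes,
            "original_exts": dict(original_exts),
            "enc_dirs_without_note": missing}


def build_sample_tree(root):
    """Constructed layout echoing a few paths from the report (placeholder files)."""
    layout = {
        "Program Files/VideoLAN/VLC/locale/ast": [NOTE_NAME, "vlc.mo" + ENC_EXT],
        "Program Files (x86)/Microsoft Office/CLIPART/PUB60COR":
            [NOTE_NAME, "J0198102.WMF" + ENC_EXT, "PH01478U.BMP" + ENC_EXT, "AG00163_.GIF"],
        "Program Files/Java/jdk1.7.0_80/jre/lib/zi/Africa": ["Johannesburg" + ENC_EXT],
        "Program Files/Java/jdk1.7.0_80/jre/lib/amd64": ["jvm.cfg"],
    }
    for rel, names in layout.items():
        d = Path(root) / rel
        d.mkdir(parents=True, exist_ok=True)
        for n in names:
            (d / n).write_bytes(b"placeholder")
    return root


def demo():
    """Build the sample tree in a temp dir, scope it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scope_encryption(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a mounted image or a live volume by calling scope_encryption on the volume root instead of demo(); the original_exts histogram is a quick way to see whether the sample targeted documents or, as the Program Files entries above suggest, encrypted indiscriminately.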
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Processes:
pid process
1472 powershell.exe
2248 powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Reading this key is part of normal locale initialisation on Windows, and in this run it is recorded for every process the sample spawns, including schtasks.exe and PING.EXE, so on its own it is weak evidence of deliberate geofencing.
Processes:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by the following processes (19 entries):
cmd.exe (×11)
schtasks.exe (×2)
PING.EXE (×2)
powershell.exe (×2)
df.exe (×1)
8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe (×1)
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems. Here, however, ping is aimed at 127.0.0.1 with -n 5 and its output is discarded: it serves as a roughly five-second delay before del removes the executable that launched the command (see the process tree), not as a connectivity check.
Processes:
pid process
2272 cmd.exe
1408 PING.EXE
2700 cmd.exe
2508 PING.EXE
-
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. In this run the task "Windows Update BETA" is created to run the sample from the user's Temp directory as NT AUTHORITY\SYSTEM at every startup, and the sample deletes the task again before removing itself (see the process tree), so on an affected host the task may already be gone while the Task Scheduler operational log still records its creation.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid process
2248 powershell.exe
2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe (×12)
1472 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe
Token: SeRestorePrivilege 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe
Token: SeBackupPrivilege 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe
Token: SeTakeOwnershipPrivilege 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe
Token: SeAuditPrivilege 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe
Token: SeSecurityPrivilege 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe
Token: SeIncBasePriorityPrivilege 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe
Token: SeBackupPrivilege 2888 vssvc.exe
Token: SeRestorePrivilege 2888 vssvc.exe
Token: SeAuditPrivilege 2888 vssvc.exe
Token: SeDebugPrivilege 2248 powershell.exe
Token: SeDebugPrivilege 1472 powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
(each of the following 16 parent/child pairs is recorded 4 times in the report, giving 64 IoCs)
PID 2520 wrote to memory of 2004 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe cmd.exe
PID 2520 wrote to memory of 2320 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe cmd.exe
PID 2520 wrote to memory of 1632 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe cmd.exe
PID 2520 wrote to memory of 1924 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe cmd.exe
PID 2004 wrote to memory of 2940 2004 cmd.exe schtasks.exe
PID 1924 wrote to memory of 2248 1924 cmd.exe powershell.exe
PID 2520 wrote to memory of 1092 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe cmd.exe
PID 2520 wrote to memory of 2924 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe cmd.exe
PID 2520 wrote to memory of 2036 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe cmd.exe
PID 2036 wrote to memory of 1472 2036 cmd.exe powershell.exe
PID 2520 wrote to memory of 1208 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe cmd.exe
PID 2520 wrote to memory of 1656 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe cmd.exe
PID 2520 wrote to memory of 2272 2520 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe cmd.exe
PID 1656 wrote to memory of 2332 1656 cmd.exe schtasks.exe
PID 1208 wrote to memory of 780 1208 cmd.exe df.exe
PID 2272 wrote to memory of 1408 2272 cmd.exe PING.EXE
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots; ransomware typically calls into it to remove shadow copies so that files cannot be restored. In this run vssvc.exe is started and acquires SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege (see Suspicious use of AdjustPrivilegeToken), but no vssadmin.exe or wmic.exe command appears in the process tree, so confirm on an affected host whether shadow copies still exist rather than assuming they were deleted.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe"
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2520
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe" /F
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2004
    C:\Windows\SysWOW64\schtasks.exe
    Command line: SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe" /F
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 2940
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN
  - System Location Discovery: System Language Discovery
  PID: 2320
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler
  - System Location Discovery: System Language Discovery
  PID: 1632
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1924
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2248
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN
  - System Location Discovery: System Language Discovery
  PID: 1092
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler
  - System Location Discovery: System Language Discovery
  PID: 2924
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2036
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1472
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\df.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1208
    C:\ProgramData\df.exe
    Command line: C:\ProgramData\df.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 780
      C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\df.exe"
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      PID: 2700
        C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 5
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 2508
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1656
    C:\Windows\SysWOW64\schtasks.exe
    Command line: SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
    - System Location Discovery: System Language Discovery
    PID: 2332
  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe"
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2272
    C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1 -n 5
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 1408
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 2888
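The process tree above is a compact catalogue of the sample's living-off-the-land steps: a SYSTEM-level onstart task whose target is a file in the user's Temp directory, recycle-bin wiping across every drive letter via rd and PowerShell, df.exe executed out of C:\ProgramData, a loopback ping used as a sleep before del, and the task removed again at the end of the run. The Python below is an added detection example for this page, not tooling from the sandbox vendor. The events are rebuilt from the command lines shown in the tree in a Sysmon event-ID-1 shape; the root process's parent PID is a placeholder (0) because the report does not show it, the second rd/PowerShell round is omitted, and the rule names are this example's own.

```python
"""Detection pass over process-creation events for the behaviours this
report's process tree shows. Added example, not the sandbox's own logic."""
import re

# Sample path and drive order exactly as they appear in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
PING = r"C:\Windows\SysWOW64\PING.EXE"
DRIVES = "PQRSTUVWXFGKLMNOYZABCDEHIJ"


def _rd_cmd(folder):
    """Rebuild the report's `rd /s /q <drive>:\\<folder>,...` line over 26 drives."""
    return '"C:\\Windows\\System32\\cmd.exe" /c rd /s /q ' + ",".join(
        f"{d}:\\{folder}" for d in DRIVES)


# Constructed events rebuilt from the report's process tree. The root's parent
# PID is not in the report; 0 is a placeholder.
EVENTS = [
    {"pid": 2520, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2940, "ppid": 2004, "image": SCHTASKS, "cmdline":
     'SCHTASKS.exe /Create /RU "NT AUTHORITY\\SYSTEM" /sc onstart /TN "Windows Update BETA" '
     f'/TR "{SAMPLE}" /F'},
    {"pid": 2320, "ppid": 2520, "image": CMD, "cmdline": _rd_cmd("$RECYCLE.BIN")},
    {"pid": 1632, "ppid": 2520, "image": CMD, "cmdline": _rd_cmd("Recycler")},
    {"pid": 2248, "ppid": 1924, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -inputformat none -outputformat none -NonInteractive -Command "
                "Remove -Item 'd:\\$RECYCLE.BIN','c:\\$RECYCLE.BIN' -Recurse -Force"},
    {"pid": 780, "ppid": 1208, "image": r"C:\ProgramData\df.exe", "cmdline": r"C:\ProgramData\df.exe"},
    {"pid": 2700, "ppid": 780, "image": CMD,
     "cmdline": 'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\\ProgramData\\df.exe"'},
    {"pid": 2508, "ppid": 2700, "image": PING, "cmdline": "ping 127.0.0.1 -n 5"},
    {"pid": 2332, "ppid": 1656, "image": SCHTASKS,
     "cmdline": 'SCHTASKS.exe /Delete /TN "Windows Update BETA" /F'},
    {"pid": 2272, "ppid": 2520, "image": CMD,
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "{SAMPLE}"'},
    {"pid": 1408, "ppid": 2272, "image": PING, "cmdline": "ping 127.0.0.1 -n 5"},
]

RX_CREATE = re.compile(r"/create\b", re.I)
RX_DELETE = re.compile(r"/delete\b", re.I)
RX_RU_SYSTEM = re.compile(r'/ru\s+"?(?:nt authority\\)?system"?', re.I)
RX_SC_BOOT = re.compile(r"/sc\s+(?:onstart|onlogon)\b", re.I)
RX_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
RX_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
RX_WRITABLE = re.compile(r"\\(?:appdata\\local\\temp|programdata)\\", re.I)  # user-writable dirs
RX_RECYCLE = re.compile(r"\b([a-z]):\\(?:\$recycle\.bin|recycler)\b", re.I)
RX_PS_RECYCLE = re.compile(r"remove\s*-item\b.*\$recycle\.bin.*-recurse", re.I)
RX_PING_DEL = re.compile(r'ping\s+127\.0\.0\.1\s+-n\s+\d+.*?&\s*del\s+"?([^"]+?)"?\s*$', re.I)
RX_PING_LOOP = re.compile(r"^\s*ping(?:\.exe)?\s+127\.0\.0\.1\s+-n\s+\d+", re.I)


def detect(events):
    """Return (rule, pid, detail) findings; rule names are this example's own."""
    by_pid = {e["pid"]: e for e in events}
    findings, created, deleted = [], {}, {}
    for e in events:
        base = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        cl = e["cmdline"]
        if RX_WRITABLE.search(e["image"]):
            findings.append(("exec_from_user_writable", e["pid"], e["image"]))
        if base == "schtasks.exe":
            tn, tr = RX_TN.search(cl), RX_TR.search(cl)
            if RX_CREATE.search(cl) and tn:
                created[tn.group(1)] = e["pid"]
                # SYSTEM account + boot/logon trigger + target in a user-writable directory
                if (RX_RU_SYSTEM.search(cl) and RX_SC_BOOT.search(cl)
                        and tr and RX_WRITABLE.search(tr.group(1))):
                    findings.append(("schtasks_system_autostart", e["pid"], tn.group(1)))
            elif RX_DELETE.search(cl) and tn:
                deleted[tn.group(1)] = e["pid"]
        elif base == "cmd.exe":
            drives = {m.group(1).upper() for m in RX_RECYCLE.finditer(cl)}
            if len(drives) >= 3:
                findings.append(("recycle_bin_wipe", e["pid"], f"{len(drives)} drives"))
            m = RX_PING_DEL.search(cl)
            if m:  # loopback ping as a sleep, then del; self-delete if the target is the parent image
                parent = by_pid.get(e["ppid"])
                self_del = parent is not None and m.group(1).lower() == parent["image"].lower()
                findings.append(("ping_delay_delete", e["pid"], "self-delete" if self_del else m.group(1)))
        elif base == "powershell.exe" and RX_PS_RECYCLE.search(cl):
            findings.append(("recycle_bin_wipe", e["pid"], "Remove-Item $RECYCLE.BIN"))
        elif base == "ping.exe" and RX_PING_LOOP.search(cl):
            findings.append(("loopback_ping_sleep", e["pid"], cl))
    for name, pid in deleted.items():
        if name in created:  # created and removed in one run: cleanup, not lasting persistence
            findings.append(("task_created_then_deleted", pid, name))
    return findings


def summarize(findings):
    """Map rule name -> sorted PIDs that triggered it."""
    out = {}
    for rule, pid, _detail in findings:
        out.setdefault(rule, []).append(pid)
    return {rule: sorted(pids) for rule, pids in out.items()}
```

The rules fire only on the process that actually does the work (schtasks.exe, powershell.exe, PING.EXE), not on the cmd.exe wrappers that launch them, so each step in the tree produces one finding; the self-delete check resolves the del target against the parent's image path, which is what distinguishes the sample removing itself (PID 2272) and df.exe removing itself (PID 2700) from a generic cleanup of some other file.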
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
  PowerShell (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Downloads
-
Filesize
543B
MD5 51f91dadfe4357fb7230949938d4786d
SHA1 b020f84574d8810a275ed4ae57e945df838316fc
SHA256 0d67b4686d72fa7f566443e4636c7f116f0e5716b4f9002125e359151139520f
SHA512 585ef6bae2dd2389ebb8d0cd2face54879e6589da8899ef446350c3175a179253006a3e035e34ef675087567ece327d70ca9cfc39092f92ca23598b4e02ce1f8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 f56e9b90446ea7816c02b44523783b5a
SHA1 b24f4204ac23f745c2eceb942fbc242524fa90a1
SHA256 2e4b16fbd840b82457f25fbdfbe3a00764de90f28458151aee5d3d269f9404f7
SHA512 d93170d39e03d8f0e7f1993d7cfc63d3dc83dbb60dda9a2efd558d633442861af6b56db1b6d19de29244542e9fd7ad53d3406e12436d20a6b1681420e177864e
-
Filesize
6KB
MD5 39728325879572ffe56a194319f2731f
SHA1 3898a219352dd3aedc54ff924b01317107c9ce2f
SHA256 8e3ff1907d973d91167c2d74ac8414496d7f430687eef52e3201721e01513761
SHA512 7d80af3e2df1c02bfda76e5ada4b4ce25921418cfcd7f26434293e746968f4187f6c9cf5bbb1c7c4703117eaabdd958700f7b1cefcfa44bd11afe95ad7f1599b