Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18-10-2024 02:55
Static task: static1
Behavioral task: behavioral1
- Sample: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
- Resource: win10v2004-20241007-en
General
- Target: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
- Size: 175KB
- MD5: df1e348372d344568c4505dca7846e77
- SHA1: e0b4f55bb7fb8c0948b86511ce48ffdaac06bf71
- SHA256: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9
- SHA512: bd924bbce90f1a2d4588960121ca1b74a7616d291ded5b8cf1a28e8a7c93358b3b9dc552c79b89d85bf76ebcb1200d91028bafacfce65058fd921f3e3b80d077
- SSDEEP: 3072:ayPqTcNkM2jt3MuZOjr6GtDp5BSzFOrPJxFc60cRAp:aTcNkTt5OfZpv8QcBkAp
Malware Config
Signatures
-
Renames multiple (7478) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
Processes:
pid process
1232 cmd.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid process
2952 ss.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid process
536 cmd.exe
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description ioc process
File opened (read-only) \??\X: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\Y: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\J: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\P: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\S: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\T: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\W: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\R: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\U: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\V: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\E: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\G: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\K: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\M: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\Q: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\Z: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\F: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\L: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\O: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\D: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\A: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\B: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\H: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\I: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
File opened (read-only) \??\N: df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
-
Drops file in Program Files directory 64 IoCs
-
Command and Scripting Interpreter: PowerShell
Processes:
pid process
2704 powershell.exe
2268 powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
pid process
204 cmd.exe
216 PING.EXE
1232 cmd.exe
2112 PING.EXE
-
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid process
2704 powershell.exe
2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
2268 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
Token: SeRestorePrivilege 2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
Token: SeBackupPrivilege 2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
Token: SeTakeOwnershipPrivilege 2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
Token: SeAuditPrivilege 2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
Token: SeSecurityPrivilege 2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
Token: SeIncBasePriorityPrivilege 2396 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
Token: SeBackupPrivilege 2864 vssvc.exe
Token: SeRestorePrivilege 2864 vssvc.exe
Token: SeAuditPrivilege 2864 vssvc.exe
Token: SeDebugPrivilege 2704 powershell.exe
Token: SeDebugPrivilege 2268 powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe"
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2396

  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe" /F
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2548

    C:\Windows\SysWOW64\schtasks.exe
    Command line: SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe" /F
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 2148

  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN
  - System Location Discovery: System Language Discovery
  PID: 2348

  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler
  - System Location Discovery: System Language Discovery
  PID: 2516

  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2520

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2704

  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN
  - System Location Discovery: System Language Discovery
  PID: 3024

  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler
  - System Location Discovery: System Language Discovery
  PID: 1828

  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1276

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2268

  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\ss.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 536

    C:\ProgramData\ss.exe
    Command line: C:\ProgramData\ss.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2952

      C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\ss.exe"
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      PID: 204

        C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 5
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 216

  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2956

    C:\Windows\SysWOW64\schtasks.exe
    Command line: SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
    - System Location Discovery: System Language Discovery
    PID: 2312

  C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe"
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1232

    C:\Windows\SysWOW64\PING.EXE
    Command line: ping 127.0.0.1 -n 5
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2112
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 2864
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
Filesize: 452B
MD5: f84a71740c0c41fcc0e63ab1cc6d1750
SHA1: 2e7a66a6caeac383afc8952aff89bb179ba8ba3e
SHA256: d365234eaf09459997a8ced335ef6659b7c23af70b3bd6be2e653c8d9160c8f1
SHA512: d6a5378969520be3f2f561a087de08d99e80cbe4a7c432bee7c6fa31fcb15736f5380c44a0eb447b00e0b5f95552a0f314ef23e39bb267f7812e5e8558a8243e
-
Filesize: 6KB
MD5: 39728325879572ffe56a194319f2731f
SHA1: 3898a219352dd3aedc54ff924b01317107c9ce2f
SHA256: 8e3ff1907d973d91167c2d74ac8414496d7f430687eef52e3201721e01513761
SHA512: 7d80af3e2df1c02bfda76e5ada4b4ce25921418cfcd7f26434293e746968f4187f6c9cf5bbb1c7c4703117eaabdd958700f7b1cefcfa44bd11afe95ad7f1599b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 6e7e9e61495c9fdf80d792c761e38b55
SHA1: ee06e240fcb36c6648b3d5e0ec6e6583af70b43e
SHA256: 8ee030da8fbffe2b516fef68c01280ba2d73e8ecd7c87b4b2bb49640975a669c
SHA512: 0ef8615fb1c0bbdf0695cde7c3f85711ce11f3c9456697536a18e3260bf923196583fda667d85a13587e27290a3ff6fb642216ec9cf30a2019ce789e54f31e06