Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
18-10-2024 03:01
Static task
static1
Behavioral task
behavioral1
Sample
ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Resource
win10v2004-20241007-en
General
-
Target
ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
-
Size
146KB
-
MD5
521666a43aeb19e91e7df9a3f9fe76ba
-
SHA1
663081e2767df7083f765a3a8a994982959d4cbe
-
SHA256
ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd
-
SHA512
cd1414158094328ee2f56a995ee4724604f05c0df5a08f4ae1c653e19cb0158a58ffa2cafc3a2363fc13ef617320979e11bc6281c4c79066a6787c0545c6ec54
-
SSDEEP
3072:S4PDTrekAooSPxQQvYO3ppr4nwd/T7YfeJFDGfYfaPLmy816SX:SOrNAmPiUprWKTMferDGmaP17SX
Malware Config
Signatures
-
Renames multiple (7822) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
Processes:
pid | process
1988 | cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
pid | process
1944 | LPW5.tmp -
Loads dropped DLL 1 IoCs
Processes:
pid | process
1808 | cmd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
process: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe (all entries)
description | ioc
File opened (read-only) | \??\U:
File opened (read-only) | \??\X:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\L:
File opened (read-only) | \??\O:
File opened (read-only) | \??\P:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\R:
File opened (read-only) | \??\W:
File opened (read-only) | \??\D:
File opened (read-only) | \??\I:
File opened (read-only) | \??\H:
File opened (read-only) | \??\K:
File opened (read-only) | \??\T:
File opened (read-only) | \??\F:
File opened (read-only) | \??\A:
File opened (read-only) | \??\E:
File opened (read-only) | \??\G:
File opened (read-only) | \??\J:
File opened (read-only) | \??\M:
File opened (read-only) | \??\N:
File opened (read-only) | \??\S:
File opened (read-only) | \??\V:
File opened (read-only) | \??\B:
File opened (read-only) | \??\Y: -
Drops file in Program Files directory 64 IoCs
Processes:
process: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe (all entries)
description | ioc
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\CYLANCE_README.txt
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.Cylance
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE11.POC.Cylance
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.Cylance
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar.Cylance
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\clock.js
File created | C:\Program Files\VideoLAN\VLC\plugins\access\CYLANCE_README.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPMS.ICO
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM.Cylance
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02068_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02361_.WMF
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\THMBNAIL.PNG.Cylance
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Cayman
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099183.WMF.Cylance
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195254.WMF.Cylance
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00603_.WMF
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\flyout.html
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\CYLANCE_README.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01145_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00601G.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SPLASH.WAV
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rainy_River.Cylance
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML.Cylance
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2B.BDR
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\CYLANCE_README.txt
File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\ALARM.WAV
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru.Cylance
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18181_.WMF.Cylance
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.Cylance
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.Cylance
File opened for modification | C:\Program Files\Java\jre7\lib\management-agent.jar
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_dot.png
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\CYLANCE_README.txt
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\CYLANCE_README.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPMS.ICO.Cylance
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\CYLANCE_README.txt
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\CYLANCE_README.txt
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FNT.Cylance
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21313_.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp.Cylance
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar.Cylance
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\CYLANCE_README.txt
File opened for modification | C:\Program Files\Java\jre7\lib\javafx.properties.Cylance
File opened for modification | C:\Program Files\Microsoft Games\More Games\en-US\MoreGames.dll.mui.Cylance
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaremr.dll.mui -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LPW5.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
pid | process
1940 | PING.EXE
1576 | cmd.exe
2296 | PING.EXE
1988 | cmd.exe -
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid | process
2484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe (this entry is listed 12 times) -
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeRestorePrivilege | 2484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeBackupPrivilege | 2484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeTakeOwnershipPrivilege | 2484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeAuditPrivilege | 2484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeSecurityPrivilege | 2484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeIncBasePriorityPrivilege | 2484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeBackupPrivilege | 1712 | vssvc.exe
Token: SeRestorePrivilege | 1712 | vssvc.exe
Token: SeAuditPrivilege | 1712 | vssvc.exe -
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
description | pid | process | target process (each entry is listed 4 times in the original report)
PID 2484 wrote to memory of 2112 | 2484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | cmd.exe
PID 2112 wrote to memory of 2512 | 2112 | cmd.exe | schtasks.exe
PID 2484 wrote to memory of 1808 | 2484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | cmd.exe
PID 2484 wrote to memory of 1236 | 2484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | cmd.exe
PID 2484 wrote to memory of 1988 | 2484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | cmd.exe
PID 1236 wrote to memory of 1948 | 1236 | cmd.exe | schtasks.exe
PID 1808 wrote to memory of 1944 | 1808 | cmd.exe | LPW5.tmp
PID 1988 wrote to memory of 1940 | 1988 | cmd.exe | PING.EXE
PID 1944 wrote to memory of 1576 | 1944 | LPW5.tmp | cmd.exe
PID 1576 wrote to memory of 2296 | 1576 | cmd.exe | PING.EXE -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe"
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\cmd.exe (depth 2)
command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" /F
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\schtasks.exe (depth 3)
command line: SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" /F
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2512 -
C:\Windows\SysWOW64\cmd.exe (depth 2)
command line: "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\LPW5.tmp"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\ProgramData\LPW5.tmp (depth 3)
command line: C:\ProgramData\LPW5.tmp
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\cmd.exe (depth 4)
command line: cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\LPW5.tmp"
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\PING.EXE (depth 5)
command line: ping 127.0.0.1 -n 5
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2296 -
C:\Windows\SysWOW64\cmd.exe (depth 2)
command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\schtasks.exe (depth 3)
command line: SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\cmd.exe (depth 2)
command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe"
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\PING.EXE (depth 3)
command line: ping 127.0.0.1 -n 5
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1940
-
C:\Windows\system32\vssvc.exe (depth 1)
command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1712
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize
1KB
MD5 38aa4cc478c9256f32512e2e7ccbd9d2
SHA1 f54cc3fa07fea8d745e7c1a84935091f719e49c3
SHA256 30a49b4694c9b68f8343714a69c3f9fc96ac24c1d275da4cae47115428ffbf2b
SHA512 d94a315c0cefce6dab0687a4b0fcb18218b064ccdc300ea84ae07e48165b49c94f2c4ace54f214bec97af36336459f86806c7f8da0226299b85cabaa5378d464
-
Filesize
5KB
MD5 ab65af4349e7c5b0872c8b808d036980
SHA1 414b2a2748b7ea6176c1d2453f89fdc8a2d349d0
SHA256 a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2
SHA512 2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679