Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-10-2024 03:01

Static task: static1
Behavioral task: behavioral1
  Sample: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
  Resource: win10v2004-20241007-en
General
Target: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Size: 146KB
MD5: 521666a43aeb19e91e7df9a3f9fe76ba
SHA1: 663081e2767df7083f765a3a8a994982959d4cbe
SHA256: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd
SHA512: cd1414158094328ee2f56a995ee4724604f05c0df5a08f4ae1c653e19cb0158a58ffa2cafc3a2363fc13ef617320979e11bc6281c4c79066a6787c0545c6ec54
SSDEEP: 3072:S4PDTrekAooSPxQQvYO3ppr4nwd/T7YfeJFDGfYfaPLmy816SX:SOrNAmPiUprWKTMferDGmaP17SX
Malware Config
Signatures
-
Renames multiple (7719) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed. In the file list under "Drops file in Program Files directory" the appended extension is .Cylance, and a ransom note named CYLANCE_README.txt is created in the directories that were touched.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
-
Executes dropped EXE 1 IoCs
Processes: LPW5.tmp
pid | process
2332 | LPW5.tmp
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
description | ioc | process
File opened (read-only) | \??\G: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\I: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\O: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\Q: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\U: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\W: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\X: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\M: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\R: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\Y: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\B: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\J: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\K: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\N: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\P: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\T: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\Z: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\F: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\A: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\E: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\H: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\L: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\S: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\V: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened (read-only) | \??\D: | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
-
Drops file in Program Files directory 64 IoCs
Processes: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
description | ioc | process
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\27.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xsl.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoAcq.dll.mui | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-100.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LargeTile.scale-125_contrast-black.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\ui-strings.js.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\ui-strings.js | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-16.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.mui.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_NinjaCat.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\AppxMetadata\AppxBundleManifest.xml.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailSmallTile.scale-400.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-It.otf | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\PesterThrow.ps1.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\ui-strings.js | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\PlayStore_icon.svg | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-200.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-fullcolor.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\classlist | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\ShareErrorMessagePage.xaml | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\175.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File created | C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\CYLANCE_README.txt | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\CYLANCE_README.txt | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\Java\jre-1.8\lib\deploy\messages_ja.properties | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_remove_18.svg | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\ui-strings.js | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\ui-strings.js | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\plugin.js.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File created | C:\Program Files\Internet Explorer\de-DE\CYLANCE_README.txt | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\CYLANCE_README.txt | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-32.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsLargeTile.scale-100.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldContain.snippets.ps1xml | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\Add-Numbers.Tests.ps1.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\CYLANCE_README.txt | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\CYLANCE_README.txt | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-200_contrast-black.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.strings.psd1.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\ui-strings.js.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\jsaddins\CYLANCE_README.txt | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_18.svg.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsym.ttf | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-125.png | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\ui-strings.js | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt.Cylance | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
-
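A post-incident sweep for the rename behaviour recorded in this signature, written here as an added example (it is not part of the report and not code from the sample). It builds a small constructed directory tree from a few of the paths listed above, then inventories, read-only, the files carrying the .Cylance extension, the CYLANCE_README.txt notes, and the original name each renamed file had. The extension and note name come from the report; the tree contents, the helper names and the "placeholder" file bodies are the example's own.

```python
import shutil
import tempfile
from collections import Counter
from pathlib import Path

EXT = ".Cylance"             # extension appended to renamed files, as seen in the report
NOTE = "CYLANCE_README.txt"  # ransom note created per directory, as seen in the report

# Constructed sample tree: a handful of relative paths taken from the report's
# "Drops file in Program Files directory" list. Contents are placeholders.
SAMPLE_TREE = [
    "7-Zip/Lang/uk.txt.Cylance",
    "7-Zip/Lang/pt.txt",
    "Internet Explorer/de-DE/CYLANCE_README.txt",
    "Windows Defender/ja-JP/ProtectionManagement.dll.mui.Cylance",
    "Windows Defender/ja-JP/MpAsDesc.dll.mui",
    "VideoLAN/VLC/locale/nl/LC_MESSAGES/CYLANCE_README.txt",
    "Microsoft Office/root/Licenses16/OutlookR_Trial-pl.xrm-ms.Cylance",
]


def build_sample_tree(root: Path) -> None:
    """Materialise SAMPLE_TREE under root so the sweep has something to walk."""
    for rel in SAMPLE_TREE:
        p = root.joinpath(*rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")


def inventory(root: Path, ext: str = EXT, note: str = NOTE) -> dict:
    """Read-only sweep: files are never opened for writing, so contents and timestamps
    stay intact for forensics. Returns renamed files paired with their pre-rename name,
    ransom-note locations, files without the extension, and per-directory hit counts."""
    encrypted, notes, untouched = [], [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name == note:
            notes.append(rel)
        elif p.name.endswith(ext):          # exact casing, as the report shows it
            encrypted.append((rel, p.name[: -len(ext)]))
        else:
            untouched.append(rel)
    dirs_hit = Counter(rel.rsplit("/", 1)[0] if "/" in rel else "." for rel, _ in encrypted)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "untouched": sorted(untouched),
        "dirs_hit": dict(dirs_hit),
    }


def demo() -> dict:
    """Build the constructed tree in a temp dir, sweep it, and clean up."""
    root = Path(tempfile.mkdtemp(prefix="ransom-sweep-"))
    try:
        build_sample_tree(root)
        return inventory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['encrypted'])} renamed files, {len(result['notes'])} ransom notes")
    for enc, original in result["encrypted"]:
        print(f"  {enc}  (was {original})")
    for d, n in result["dirs_hit"].items():
        print(f"  {d}: {n} file(s) hit")
```

Two caveats when using this against a real host. The report lists both pt.txt and uk.txt.Cylance under 7-Zip\Lang as "opened for modification", so the monitor sees the path before and after the rename; a file that still lacks the extension is only "not renamed", not proven intact, and the inventory is a scoping aid rather than a verdict on individual files. Run it against a forensic image or a read-only mount where possible, and note that it follows no shortcuts across drive letters: the sample enumerated A: through Z:, so every mapped volume needs its own sweep.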
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe, schtasks.exe, LPW5.tmp, PING.EXE, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, schtasks.exe, PING.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LPW5.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes: PING.EXE, cmd.exe, PING.EXE, cmd.exe
pid | process
2628 | PING.EXE
3164 | cmd.exe
4308 | PING.EXE
276 | cmd.exe
-
Modifies registry class 1 IoCs
Processes: StartMenuExperienceHost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\MuiCache | StartMenuExperienceHost.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
pid | process
3484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
(the same entry is repeated 64 times in the report; all 64 IoCs refer to this one process)
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 3484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeRestorePrivilege | 3484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeBackupPrivilege | 3484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeTakeOwnershipPrivilege | 3484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeAuditPrivilege | 3484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeSecurityPrivilege | 3484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeIncBasePriorityPrivilege | 3484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
Token: SeBackupPrivilege | 4888 | vssvc.exe
Token: SeRestorePrivilege | 4888 | vssvc.exe
Token: SeAuditPrivilege | 4888 | vssvc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: StartMenuExperienceHost.exe
pid | process
4312 | StartMenuExperienceHost.exe
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes: ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, LPW5.tmp, cmd.exe
description | pid | process | target process
PID 3484 wrote to memory of 4416 | 3484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | cmd.exe
PID 4416 wrote to memory of 3764 | 4416 | cmd.exe | schtasks.exe
PID 3484 wrote to memory of 2920 | 3484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | cmd.exe
PID 3484 wrote to memory of 1676 | 3484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | cmd.exe
PID 3484 wrote to memory of 276 | 3484 | ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe | cmd.exe
PID 2920 wrote to memory of 2332 | 2920 | cmd.exe | LPW5.tmp
PID 1676 wrote to memory of 1616 | 1676 | cmd.exe | schtasks.exe
PID 276 wrote to memory of 2628 | 276 | cmd.exe | PING.EXE
PID 2332 wrote to memory of 3164 | 2332 | LPW5.tmp | cmd.exe
PID 3164 wrote to memory of 4308 | 3164 | cmd.exe | PING.EXE
(each row appears three times in the report, giving the 30 IoCs)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3484
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" /F
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4416
        C:\Windows\SysWOW64\schtasks.exe
          command line: SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" /F
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 3764
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\LPW5.tmp"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2920
        C:\ProgramData\LPW5.tmp
          command line: C:\ProgramData\LPW5.tmp
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2332
            C:\Windows\SysWOW64\cmd.exe
              command line: cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\LPW5.tmp"
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Suspicious use of WriteProcessMemory
              PID: 3164
                C:\Windows\SysWOW64\PING.EXE
                  command line: ping 127.0.0.1 -n 5
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
                  PID: 4308
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1676
        C:\Windows\SysWOW64\schtasks.exe
          command line: SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
          - System Location Discovery: System Language Discovery
          PID: 1616
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe"
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      PID: 276
        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1 -n 5
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 2628
-
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 4888
-
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 1804
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 4312
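Detection logic for the persistence and clean-up sequence in the tree above, as an added example that is not taken from the report or from any product. It replays process-creation records rebuilt from the command lines shown (constructed data; the pid/ppid/image/cmdline field names are an assumed minimal schema to be mapped onto Sysmon event 1 or an EDR feed) and flags four things: a SCHTASKS /Create whose action is a binary in a user-writable path run as NT AUTHORITY\SYSTEM, the "ping 127.0.0.1 -n 5 > nul & del" idiom that uses ping as a sleep before deleting a file, execution of a .tmp from C:\ProgramData, and the /Delete of the same task name. It then correlates them, because each alone is noisy while the combination is the use-and-erase pattern this sample shows. One detail to carry into real rules: the children run from C:\Windows\SysWOW64 even though their command lines name System32, since the sample is 32-bit (arch:x86 tag) and WoW64 file-system redirection applies, so match on the image path and the command line separately.

```python
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe")
DROPPER = r"C:\ProgramData\LPW5.tmp"
CMD = r'"C:\Windows\System32\cmd.exe"'
WOW64_CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Process-creation records rebuilt from the report's process tree. Constructed data,
# not live telemetry; the field names are an assumed, minimal schema.
EVENTS = [
    {"pid": 3484, "ppid": 0, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 4416, "ppid": 3484, "image": WOW64_CMD,
     "cmdline": CMD + r' /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart '
                      '/TN "Windows Update BETA" /TR "' + SAMPLE + '" /F'},
    {"pid": 2920, "ppid": 3484, "image": WOW64_CMD,
     "cmdline": CMD + ' /c "' + DROPPER + '"'},
    {"pid": 2332, "ppid": 2920, "image": DROPPER, "cmdline": DROPPER},
    {"pid": 3164, "ppid": 2332, "image": WOW64_CMD,
     "cmdline": 'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "' + DROPPER + '"'},
    {"pid": 1676, "ppid": 3484, "image": WOW64_CMD,
     "cmdline": CMD + ' /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F'},
    {"pid": 276, "ppid": 3484, "image": WOW64_CMD,
     "cmdline": CMD + ' /c ping 127.0.0.1 -n 5 > nul & del "' + SAMPLE + '"'},
]

TASK_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
TASK_DELETE = re.compile(r"schtasks(?:\.exe)?\s+/delete\b", re.I)
# "ping 127.0.0.1 -n N > nul & del <file>": ping used as a sleep, then the file is removed
DELAYED_DELETE = re.compile(r'ping\s+127\.0\.0\.1\s+-n\s+\d+[^&]*&\s*del\s+"?([^"]+?)"?\s*$', re.I)
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
TMP_IN_PROGRAMDATA = re.compile(r"^[a-z]:\\ProgramData\\[^\\]+\.tmp$", re.I)


def switch(cmdline: str, name: str):
    """Value of a schtasks switch, quoted (/TN "x y") or bare (/sc onstart); None if absent."""
    m = re.search(r"/" + name + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


@dataclass
class Finding:
    kind: str          # task_create[_system_userpath] | task_delete | delayed_delete | tmp_exec_programdata
    pid: int
    subject: str       # task name or file path the finding is about
    target: str = ""   # for task_create: the /TR binary the task would launch


def analyze(events):
    """One pass over process-creation records; returns findings in event order."""
    findings = []
    for e in events:
        cl, pid = e["cmdline"], e["pid"]
        if TASK_CREATE.search(cl):
            tn, tr, ru = switch(cl, "TN"), switch(cl, "TR"), switch(cl, "RU")
            # SYSTEM task whose action lives in a user-writable directory: the shape seen above
            risky = (ru or "").upper().endswith("SYSTEM") and bool(tr and USER_WRITABLE.search(tr))
            findings.append(Finding("task_create_system_userpath" if risky else "task_create",
                                    pid, tn or "", tr or ""))
        if TASK_DELETE.search(cl):
            findings.append(Finding("task_delete", pid, switch(cl, "TN") or ""))
        m = DELAYED_DELETE.search(cl)
        if m:
            findings.append(Finding("delayed_delete", pid, m.group(1)))
        if TMP_IN_PROGRAMDATA.match(e["image"]):
            findings.append(Finding("tmp_exec_programdata", pid, e["image"]))
    return findings


def correlate(findings):
    """Tie the pieces together: a task created and later deleted, a task action binary
    that is itself deleted, and a dropped .tmp that is run and then deleted."""
    creates = {f.subject: f for f in findings if f.kind.startswith("task_create")}
    deletes = {f.subject for f in findings if f.kind == "task_delete"}
    wiped = {f.subject.lower() for f in findings if f.kind == "delayed_delete"}
    return {
        "created_then_deleted": sorted(set(creates) & deletes),
        "task_binary_self_deleted": sorted(n for n, f in creates.items() if f.target.lower() in wiped),
        "dropped_then_deleted": sorted(f.subject for f in findings
                                       if f.kind == "tmp_exec_programdata" and f.subject.lower() in wiped),
    }


if __name__ == "__main__":
    found = analyze(EVENTS)
    for f in found:
        print(f"{f.kind:28} pid={f.pid:<5} {f.subject} {f.target}".rstrip())
    print(correlate(found))
```

Because the task is created and then removed within the same run, a live host examined afterwards may no longer show "Windows Update BETA" in Task Scheduler; the creation and deletion survive in the Security log as events 4698 and 4699 (when task auditing is enabled) and in the Task Scheduler operational log, which is where the correlation above should be replayed during incident response.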
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize: 1KB
MD5: 38aa4cc478c9256f32512e2e7ccbd9d2
SHA1: f54cc3fa07fea8d745e7c1a84935091f719e49c3
SHA256: 30a49b4694c9b68f8343714a69c3f9fc96ac24c1d275da4cae47115428ffbf2b
SHA512: d94a315c0cefce6dab0687a4b0fcb18218b064ccdc300ea84ae07e48165b49c94f2c4ace54f214bec97af36336459f86806c7f8da0226299b85cabaa5378d464
-
Filesize: 5KB
MD5: ab65af4349e7c5b0872c8b808d036980
SHA1: 414b2a2748b7ea6176c1d2453f89fdc8a2d349d0
SHA256: a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2
SHA512: 2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize: 13KB
MD5: e30a90024fb5d2689a2a788523783c3d
SHA1: 669bb4c3ccae7934b5bc129da1703338ece5f344
SHA256: f3690c626887e31071b1a6b9a98e511dd0653d2160bd552464acf278044d74c7
SHA512: 8d636c87b5d541dc69c2fa683b696a479a9a433086b5e00b5c1c2d663c350380f7a5e70e44145228262cb9dabfc6935d611208ad47d3dae7504ddbb46f89161b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize: 14KB
MD5: 2aa6ced24f1da6b5041592d9c4ac425a
SHA1: 23d77a272dc42217d24ef15f3bbd2de04625bd25
SHA256: 7d7753c0d9090da3911b701a1094c7f313dbab948784bca584b62faf474a67bb
SHA512: 846717046f3bd8982bd82a71dad3142c21970305dc949b2a43080259b52003fcedbba905246612b8551a8e345fc1f97bd3923443e5e17b9ad9d25c6fd876fde0