ffdroider | d0b41ed9435129ccdf1bf7ca87fa4b33649b5b924d8cdbc12966d33fb7b9b873

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Size

4.5MB
MD5

8f95d249a8940a86f0518d676cfc3096
SHA1

ac3c91f89d4fca14410e24bd348ced70891b543a
SHA256

d0b41ed9435129ccdf1bf7ca87fa4b33649b5b924d8cdbc12966d33fb7b9b873
SHA512

21e8fe5d0f2e2e9ea36a7ea5fc0230a9ac3657528f93ad9b83ef9895fccf2563ecc8f6115a625c60ca8581e6bc043a3a6560a50d650476676bf8c391975e1a82
SSDEEP

24576:HgIWd8sPeH6qAoIqEU502aM56PemUnJNhxtP+AmUmey2s73tOOu55E9QiwzTUBUD:id8gez+AmUvy2s7s5e9QiE

Score

10^/10

ffdroider jupyter maze backdoor discovery evasion ransomware spyware stealer trojan

Malware Config

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter
Maze
Ransomware family also known as ChaCha.
trojan ransomware maze

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\DRIVERS\c3.bat\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\DRIVERS\c3.bat\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\DRIVERS\vmtray.dll	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\DRIVERS\NETUTILS2016.SYS\LOCK	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\DRIVERS\NETUTILS2016.SYS\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\DRIVERS\c3.bat	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine\ = "BLOCKING TExplore(R)"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Reads ssh keys stored on the system 2 TTPs
Tries to access SSH used by SSH programs.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\Svc	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Checks for any installed AV software in registry 1 TTPs 5 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Avira\Safe Shopping\Runtime	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Avira\Safe Shopping\Statistics	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Avira\Safe Shopping	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Avira\Security\SoftwareUpdater	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Avira\Safe Shopping\Config	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName = "VMware Virtual Platform"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "VMware, Inc."	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\msinp.ps1	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LOGMEINUPDSERVICE\HDWID.DAT\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\igfxme.vbs	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LogonUIinf.exe	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\perfcon.dat\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\msmp4dec.dll\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\wmkawe_3636071.data\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\IsAdm.txt	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\IsAdm.txt\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\msmp4dec.dll	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LogonUIinf.exe\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\INETSRV\logging.dll\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\INETSRV\logging.dll\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\nsreg1.dat	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SYSVOLS\log.log	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\wsdchngr.drx	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\WINDOWSPOWERSHELL\V1.0\dbghelp.dll\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SPOOL\DRIVERS\COLOR\tmp.vbs\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\INETSRV\cache.dll	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\1055cf76.tmp\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LOGMEINUPDSERVICE\SINF.DAT\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SPOOL\DRIVERS\COLOR\photo.vbs	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\mssysmgr.ocx	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\INETSRV\CONFIG\ai.pst	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\RED\RED.exe	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\qzy.txt	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LOGMEINUPDSERVICE\HDWID.DAT\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\defender.reg\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\wmkawe_3636071.data\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\igfxme.vbs\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\RED.ps1	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\qzy.txt\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\RED\RED.exe\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\oci.dll	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\Explrer	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LOGMEINUPDSERVICE\SINF.DAT\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\MUI\log.log	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SPOOL\DRIVERS\COLOR\photo.vbs\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\wmkawe_3636071.data	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\perfconfm.dat	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\oci.dll\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\msobjs.drx\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\msrdc64.dat	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\9cda11af69ab0a2b6a9167f7131e7b93.key	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SPOOL\DRIVERS\COLOR\tmp.vbs\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LOGMEINUPDSERVICE\PCI.JPG	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LOGMEINUPDSERVICE\SINF.DAT	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\thumb.db\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\INETSRV\logging.dll	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\SPOOL\DRIVERS\COLOR\office.vbs\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LogMeInUpdService\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\thumb.db	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\perfcon.dat\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\IsAdm.txt\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\RED\RED.exe\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\thumb.db\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\msncf.dat\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\WBEM\MOF\sysnullevnt.mof\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\9cda11af69ab0a2b6a9167f7131e7b93.key\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LOGMEINUPDSERVICE\PCI.JPG\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\LogonUIinf.exe\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\msdcsvc.dat	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\WBEM\MOF\sysnullevnt.mof	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\system32\INETSRV\CONFIG\ai.pst\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\dmlconf.dat\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\ieproxysocket64.dll\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\IOBIT\iobit.dll\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\ieproxysocket.dll\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\TCLS	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\complete.dat\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\ieproxysocket.dll\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\ieproxysocket64.dll\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\IOBIT\iobit.dll	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\complete.dat\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\ieproxysocket.dll	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\WinSoft Update Service\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\WinSoft Update Service\pythonw.exe	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\dmlconf.dat\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\complete.dat	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\ieproxysocket64.dll	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\TCLS\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\IOBIT\iobit.dll\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\TCLS\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\PROGRAM FILES (X86)\INTERNET EXPLORER\dmlconf.dat	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Pagesfilo.sys\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\dimens.exe\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\udbcgiut.dat	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SYSTEM\my1.bat\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SYSTEM\my1.bat\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\logg.bat\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\q1.dll	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\searchfiles.exe	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\Pagesfilo.sys	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\sysupdate.log\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\cscc.dat	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\spoolsw.exe\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\perfc.dll	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File created	C:\WINDOWS\perfc.dll	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\dispci.exe\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\HELP\cnwb.html	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\perfc	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\MsMpEng.exe	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\dimens.exe	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\tWjdf.js\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SYSTEM\ApcHelper.sys\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\Pagesfilo.sys\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\MICROSOFT.NET\traffmonetizer\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\delog.bat\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\api.config\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\setupact64.log	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\WEB\c3.bat\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\INF\averbh_noav.pnf\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\INF\ie11.pnf	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\MICROSOFT.NET\traffmonetizer\Traffmonetizer.exe	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\update4.ps1	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SATURN_RANSOM.exe	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\TASKS\sqlwriter.exe	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\WEB\c3.bat\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\hdv_725x.sys\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\api.config\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\wmi.dll.bak	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SYSTEM\my1.bat	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\TASKS\commit.dll\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\TASKS\sqlwriter.exe\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File created	C:\WINDOWS\perfc.dat	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\delog.bat\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\Wininet.bat	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\searchfiles.exe\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\INF\averbh_noav.pnf	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\client.exe\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\logg.bat	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\TASKS\sqlwriter.exe\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SYSTEM\ApcHelper.sys\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\MsMpEng.exe\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\sysupdate.log	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\setupact64.log\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\logg.bat\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\update4.ps1\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\Wininet.bat\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\api.config	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\hdv_725x.sys\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\update4.ps1\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\INF\mtmndkb32.pnf\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\spoolsw.exe	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\searchfiles.exe\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\SATURN_RANSOM.exe\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\spoolsw.exe\TEXPLORE	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
File opened for modification	C:\WINDOWS\tWjdf.js\	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "VMware, Inc."	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName = "VMware Virtual Platform"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\IEWatsonDisabled = "1"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\search-ms\shell\open\COMMAND	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\search-ms\shell	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\search-ms	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}\PROXYSTUBCLSID32	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}\TYPELIB	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinNT\test = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\search-ms\shell\open	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}\PROXYSTUBCLSID	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2660	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

System policy modification 1 TTPs 15 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowOnlineTips = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "0"	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe"
1⤵
- Modifies security service
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Identifies Wine through registry keys
- Windows security modification
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Checks system information in the registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\EXTROYAN\Windows\ADMIN\Tertm

Filesize
372B

MD5
2dd171b723aa14cf2d4f34a721cdd937

SHA1
d9b5bd27f31936af66f8f6c409cc35d4c2e57595

SHA256
f11b9ee92c06cc3a6d5c45cf58aca74741d5a2c47f69d4f2ad3bb214391b1228

SHA512
cd08bea0ee2126808090dc84e169ea906b2ae3ffbfc2b6b058962f6d989cd87804854b9ea6f729e0287ed7ccf134174318ee2232e6891a8d2cfe218a3f06e4b8

Download Submit
C:\EXTROYAN\Windows\ADMIN\Tertm

Filesize
384B

MD5
5ba9bedb850ad158eaca84fba0c221fe

SHA1
40ad2d1a813ecc31edb6b182d00598224ca8af42

SHA256
778207013ce7eedbe5b370c5f6f1669d995b301fb4f16f046d976f1605836f23

SHA512
51175e3acb719c6bb8bee3e9ba58f6cc605f43f70e77771812d46070bd71adc1ed57db7dc91f172bcb2cb2051e521ba02496f7f4934c807ee1d93403ce5bc4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Timetest

Filesize
22KB

MD5
1dae7803a8feac44a8d4bc5e9ae971a4

SHA1
98cc6313c55bef5ed246939581622741cd95ffcb

SHA256
6e9d13f660180734199c70644ca9d98613b61bed51a598fb0c3a506c76896ddd

SHA512
3352a21e63b23670a0100f6be5de60c6e50158b0d7471b29a42c55728a34ec8f61f6609c3c0dcc5153a13f4d05c8ed840222069dca0af22ef31ce3af68036413

Download Submit
C:\targets.xls

Filesize
20B

MD5
dc1187cdd2ecc593e027d5e0a22e3136

SHA1
a7b53cc8bd6a1e2cdd2c50edaece16eccd45c15e

SHA256
a9b7de9a4a699b745d4ac014f7f6bbe3c84cdc89834caf630a7509d3754e6f1f

SHA512
5ee7e518796d4b5c34af36cbf64be6c27807d27e3a5cc8a0068ac7338108cde2460bb4d8db4c7a096129d3145a3a05bc9d06bf7b90ebe50154f1e3bcfbc5195b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads