Analysis
-
max time kernel
38s -
max time network
40s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
11-11-2024 21:48
Static task
static1
Errors
General
-
Target
RNSM00333.7z
-
Size
2.6MB
-
MD5
73c7199cad40284673528fb73187650b
-
SHA1
69bd456a3d719830586ad233b2a5ca7f78174f24
-
SHA256
718ccf80dfae80725fb06a9e2e55fcd728d12659ca905ce5e9f34ed9e1d7915d
-
SHA512
461a5d32c3a426355c07085bd317a6e4430889cc0c303584c197c59c132e99ab354abfa44bbbbb5f95c8c8cb3b7a695dd96c8835ddb3a7f519e09b7870ac95d8
-
SSDEEP
49152:bTQPXliVgR2BFwlFNbz8f6BRekpFIDIPOC+kRw4UwhmhW86jN7QBhE8ufhhfTgc6:bTQNjRSFwlLYCSIP+r3jhGjlQkvTPVbo
Malware Config
Extracted
azorult
http://200.63.45.106/index.php
Extracted
gozi
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Gozi family
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Users\\Admin\\AppData\\Local\\hypiuotl\\pfhufoac.exe" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\hypiuotl\\pfhufoac.exe" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
-
Modifies security service 2 TTPs 4 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
-
Drops startup file 2 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pfhufoac.exe Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pfhufoac.exe Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
-
Executes dropped EXE 11 IoCs
pid Process
2724 HEUR-Trojan-Ransom.Win32.Agent.gen-a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e.exe
2632 Maps and Driving Direction.exe
1144 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe
2032 9274516112.exe
1980 Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe
828 Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe
788 Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe
324 Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
1764 Trojan-Ransom.Win32.Crypmodadv.xuh-e5ceb5d39db5e8ad24eaec0b5f5798675946a15a9a39bea106ad55bebfe8da60.exe
2844 Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe
2600 Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe
-
Loads dropped DLL 22 IoCs
pid Process
2724 HEUR-Trojan-Ransom.Win32.Agent.gen-a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e.exe (×4)
1144 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe (×2)
1980 Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe (×2)
2248 WerFault.exe (×7)
2600 Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe (×2)
2624 WerFault.exe (×5)
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Maps and Driving Direction = "\"C:\\Users\\Admin\\AppData\\Local\\Maps and Driving Direction\\Maps and Driving Direction.exe\" /delay 0" HEUR-Trojan-Ransom.Win32.Agent.gen-a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\PfhUfoac = "C:\\Users\\Admin\\AppData\\Local\\hypiuotl\\pfhufoac.exe" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
15 ip-api.com
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 1980 set thread context of 828 1980 Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe 45
-
resource yara_rule
behavioral1/memory/324-180-0x0000000015190000-0x0000000015240000-memory.dmp upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target
2248 2032 WerFault.exe 38
2624 2600 WerFault.exe 54
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9274516112.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Trojan-Ransom.Win32.Agent.gen-a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maps and Driving Direction.exe
-
NSIS installer 2 IoCs
resource yara_rule
behavioral1/files/0x000700000001907c-95.dat nsis_installer_1
behavioral1/files/0x000700000001907c-95.dat nsis_installer_2
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 9274516112.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 9274516112.exe
-
Kills process with taskkill 1 IoCs
pid Process
1872 taskkill.exe
-
Modifies Internet Explorer settings
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" IEXPLORE.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Maps and Driving Direction.exe = "9999" Maps and Driving Direction.exe
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ADB71A51-A076-11EF-9BF6-6AE4CEDF004B} = "0" IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION Maps and Driving Direction.exe
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl Maps and Driving Direction.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff240000001a000000aa0400007f020000 IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main Maps and Driving Direction.exe
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1980 Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe (same row repeated 64 times)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
324 Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process
Token: SeRestorePrivilege 2644 7zFM.exe
Token: 35 2644 7zFM.exe
Token: SeSecurityPrivilege 2644 7zFM.exe
Token: SeDebugPrivilege 1872 taskkill.exe
Token: SeSecurityPrivilege 324 Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Token: SeRestorePrivilege 324 Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Token: SeBackupPrivilege 324 Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Token: SeShutdownPrivilege 324 Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
-
Suspicious use of FindShellTrayWindow 8 IoCs
pid Process
2644 7zFM.exe (×2)
2632 Maps and Driving Direction.exe (×5)
2960 IEXPLORE.EXE
-
Suspicious use of SendNotifyMessage 4 IoCs
pid Process
2632 Maps and Driving Direction.exe (×4)
-
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process
2632 Maps and Driving Direction.exe (×2)
2960 IEXPLORE.EXE (×2)
296 IEXPLORE.EXE (×2)
788 Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe
324 Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
2844 Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe
-
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target
PID 2724 wrote to memory of 2632 2724 HEUR-Trojan-Ransom.Win32.Agent.gen-a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e.exe 32 (×4)
PID 2632 wrote to memory of 2960 2632 Maps and Driving Direction.exe 34 (×4)
PID 2960 wrote to memory of 296 2960 IEXPLORE.EXE 35 (×4)
PID 1144 wrote to memory of 2032 1144 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe 38 (×4)
PID 1144 wrote to memory of 1152 1144 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe 39 (×4)
PID 1152 wrote to memory of 1872 1152 cmd.exe 41 (×4)
PID 2032 wrote to memory of 2248 2032 9274516112.exe 44 (×4)
PID 1980 wrote to memory of 828 1980 Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe 45 (×10)
PID 1764 wrote to memory of 2644 1764 Trojan-Ransom.Win32.Crypmodadv.xuh-e5ceb5d39db5e8ad24eaec0b5f5798675946a15a9a39bea106ad55bebfe8da60.exe 51 (×3)
PID 2644 wrote to memory of 2200 2644 cmd.exe 53 (×3)
PID 2600 wrote to memory of 2624 2600 Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe 55 (×4)
-
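The "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory" tables above name the same parent/child pair (1980 → 828): the Blocker sample writes into a child copy of itself and then replaces a thread context in it, which is the classic process-hollowing sequence. Most of the other WriteProcessMemory rows are plain process launches (cmd.exe → taskkill.exe, IEXPLORE.EXE → IEXPLORE.EXE); on Windows 7 the parent writes the child's process parameters during CreateProcess, so that signature alone is noisy. The following Python is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own text format and keeps only pairs where a parent both wrote into a child and set one of its thread contexts. The sample rows are constructed from the tables above with the repeated rows dropped; the exact row syntax is assumed from what is visible here.

```python
import re
from collections import defaultdict

# Constructed sample: one representative row per parent/child pair, copied from the
# report's SetThreadContext and WriteProcessMemory tables (the report repeats each
# WriteProcessMemory row once per call; duplicates are dropped here).
SAMPLE_EVENTS = """
PID 1980 set thread context of 828 1980 Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe 45
PID 2724 wrote to memory of 2632 2724 HEUR-Trojan-Ransom.Win32.Agent.gen-a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e.exe 32
PID 2632 wrote to memory of 2960 2632 Maps and Driving Direction.exe 34
PID 2960 wrote to memory of 296 2960 IEXPLORE.EXE 35
PID 1144 wrote to memory of 2032 1144 HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe 38
PID 1152 wrote to memory of 1872 1152 cmd.exe 41
PID 1980 wrote to memory of 828 1980 Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe 45
PID 2600 wrote to memory of 2624 2600 Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe 55
"""

# Row layout assumed from the report: "PID <src> <action> <dst> <src> <process name> <procid_target>".
# The process name may contain spaces, so it is matched lazily up to the trailing number.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<proc>.+?) (?P<procid>\d+)$"
)


def parse_events(text):
    """Return (src_pid, action, dst_pid, src_process_name) tuples; unparseable lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), m["action"], int(m["dst"]), m["proc"]))
    return events


def child_writes(events):
    """Parent PID -> set of child PIDs it wrote into.

    On the Windows 7 sandbox every CreateProcess shows up here, because the parent
    writes the child's process parameters itself, so this map is close to the
    process tree rather than a list of injections."""
    writes = defaultdict(set)
    for src, action, dst, _ in events:
        if action == "wrote to memory of":
            writes[src].add(dst)
    return writes


def find_hollowing_candidates(events):
    """Return {(parent_pid, child_pid): parent_name} for pairs where the parent both
    wrote into the child and replaced one of its thread contexts.

    Write-then-SetThreadContext is the hollowing pattern: overwrite the suspended
    child's image, then point its main thread at the new entry point. A write with
    no SetThreadContext (cmd.exe -> taskkill.exe above) is just a process launch."""
    writes = child_writes(events)
    ctx = defaultdict(set)
    names = {}
    for src, action, dst, proc in events:
        names[src] = proc
        if action == "set thread context of":
            ctx[src].add(dst)
    return {(p, c): names[p] for p in ctx for c in ctx[p] if c in writes.get(p, set())}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for (p, c), name in find_hollowing_candidates(evs).items():
        print(f"possible hollowing: {name} (PID {p}) -> PID {c}")
```

SetThreadContext alone is also used by debuggers and some packers, so on a production EDR feed the pair should be further qualified (child created suspended, child image path equal to the parent's, child's mapped image later unmapped); the sandbox report does not expose those fields, which is why the example stops at the write/context pairing.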
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Processes

C:\Program Files\7-Zip\7zFM.exe (level 1)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00333.7z"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2644

C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.Agent.gen-a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e.exe (level 1)
  Command line: "C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.Agent.gen-a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724

    C:\Users\Admin\AppData\Local\Maps and Driving Direction\Maps and Driving Direction.exe (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Maps and Driving Direction\Maps and Driving Direction.exe" /firstrun
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:2632

        C:\Program Files\Internet Explorer\IEXPLORE.EXE (level 3)
          Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://results.hmapsanddrivingdirection.com/s?uid=4b2eb7c9-9d09-446a-a3bc-9b3d2229d7c1&uc=20180822&source=g-ccc7-lp0-bb8-sbe-ab&i_id=maps_&ap=appfocus1
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID:2960

            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 4)
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:275457 /prefetch:2
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
              PID:296

C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe (level 1)
  Command line: "C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1144

    C:\ProgramData\Arkei-5a410d66-f84f-4a6b-9b29-3982febe58d9\9274516112.exe (level 2)
      Command line: "C:\ProgramData\Arkei-5a410d66-f84f-4a6b-9b29-3982febe58d9\9274516112.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory
      PID:2032

        C:\Windows\SysWOW64\WerFault.exe (level 3)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 736
          - Loads dropped DLL
          - Program crash
          PID:2248

    C:\Windows\SysWOW64\cmd.exe (level 2)
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe /f & erase C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe & exit
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1152

        C:\Windows\SysWOW64\taskkill.exe (level 3)
          Command line: taskkill /im HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe /f
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID:1872

C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe (level 1)
  Command line: "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1980

    C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe (level 2)
      Command line: "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:828

C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe (level 1)
  Command line: "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:788

C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe (level 1)
  Command line: "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe"
  - Modifies WinLogon for persistence
  - Modifies firewall policy service
  - Modifies security service
  - UAC bypass
  - Windows security bypass
  - Drops startup file
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:324

C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Crypmodadv.xuh-e5ceb5d39db5e8ad24eaec0b5f5798675946a15a9a39bea106ad55bebfe8da60.exe (level 1)
  Command line: "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Crypmodadv.xuh-e5ceb5d39db5e8ad24eaec0b5f5798675946a15a9a39bea106ad55bebfe8da60.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1764

    C:\Windows\System32\cmd.exe (level 2)
      Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Crypmodadv.xuh-e5ceb5d39db5e8ad24eaec0b5f5798675946a15a9a39bea106ad55bebfe8da60.exe"
      - Suspicious use of WriteProcessMemory
      PID:2644

        C:\Windows\system32\choice.exe (level 3)
          Command line: choice /C Y /N /D Y /T 3
          PID:2200

C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe (level 1)
  Command line: "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2844

C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe (level 1)
  Command line: "C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600

    C:\Windows\SysWOW64\WerFault.exe (level 2)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 9364
      - Loads dropped DLL
      - Program crash
      PID:2624
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (9)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.Agent.gen-a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e.exe
Filesize 1.2MB
MD5 578f6744a32d63298c455a8f6c120249
SHA1 ce569ff1b442501462d05e23855b0c8d957cab52
SHA256 a0692466f4354a043443b76694afed846b17364033fc7951d46d7b11d6687d6e
SHA512 47f4c9b1325e4e0f07252ad5bf0b28df0e9217f1d98bab5a9090e9640cb9c563fd3e9c06c2e28e11c2f8f440a0a2e2f0a50a5f4c1c59f1259bd5c6ba6b9ddc6d
-
C:\Users\Admin\Desktop\00333\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d.exe
Filesize 651KB
MD5 6ac4d355cd99adc2264a9c9bd64b38fa
SHA1 4d630ea8cbeebae92a3b4ed1a02cff7b1a673328
SHA256 ae03b5f18323ab3249a116a93196ee26124c559380518a938089dea9b354b95d
SHA512 3aeb5f38715fc6de6ab53ac45e9d3f555c9dea72aaa42394692a89fc4d4d057a8ca9afa722baffea29a3f857f6121d3802bad28208fb93f4604f82c818c8cbf6
-
C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Blocker.ldpe-0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc.exe
Filesize 196KB
MD5 0923de94897e0707a089e3c3bc315636
SHA1 202a39670bbdcbb8c20ad1c1300b4d111a46ded4
SHA256 0bf165c3c8d65dd7f0307d2c380431fbf638196447c05089b54bf07668455fbc
SHA512 d396b9c7414886b53064d24a4574d83c596f88880e71c1ec9fbfccdcf8f9b3bd895542553bffe52ab68ccd491f88d990d47b3eaf590350e8841d3dc5de0d2824
-
C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Crypmodadv.xuh-e5ceb5d39db5e8ad24eaec0b5f5798675946a15a9a39bea106ad55bebfe8da60.exe
Filesize 275KB
MD5 8325e1443e414d2d88a080e58244abef
SHA1 703204d540c016a61bab2b358a6a4a348d500d1d
SHA256 e5ceb5d39db5e8ad24eaec0b5f5798675946a15a9a39bea106ad55bebfe8da60
SHA512 c5be6745998887b02e0461e33900d5d11a8cc6f6dcf50e350f84742dc1caa4a3dff0b1ae162e4c2cdfd70a5e7efe7ed509c819dc38b21f5b8106a028b025162a
-
C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oasy-030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48.exe
Filesize 652KB
MD5 581fdc46eb3b1e3cded338ff4ba6e15e
SHA1 e90b69e103d6bbd90e4af626ce952842212bb4b8
SHA256 030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48
SHA512 8099fab7f666e609085ee393e7a36cd62713d217bb94f568f2f8283349f6ea21ef8f90d2b12185a45f94084774068dbc3da0064693ef7b71ae5a33b1c2d35694
-
C:\Users\Admin\Desktop\00333\Trojan-Ransom.Win32.Foreign.oatq-a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10.exe
Filesize 683KB
MD5 d9da38d6564da90e0580010b664d2fcb
SHA1 76ebc3ff214f65ef962978ce1be4eff93d7f6939
SHA256 a5fe18ea25809fdbcf5a958c5e434b291f84a27961a6844da8f1f864d5357e10
SHA512 4d00337becbabd6163f59401e81139e7a85f148a4ad62cda3df7004b75b21ad975b9cf27549c471179283984bf33e58e97d84cb6ec0fde8aa5727fd4baf0ea48