Malware Analysis Report

2024-12-07 15:17

Sample ID: 241113-yxnyys1rfj
Target: 70f758a17090a074e26662dee56282d991ce55a6.exe
SHA256: 9677f7bc0da5cb2654fb6cc9e0ac3c65208c69cc1d4e7aa7707a30133d058621
Tags: evasion, execution, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 8/10

SHA256: 9677f7bc0da5cb2654fb6cc9e0ac3c65208c69cc1d4e7aa7707a30133d058621

Threat Level: Likely malicious

The file 70f758a17090a074e26662dee56282d991ce55a6.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: evasion, execution, persistence

Sets file to hidden

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Views/modifies file attributes

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-11-13 20:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 20:10
Reported: 2024-11-13 20:12
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe"

Signatures

Sets file to hidden

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\attrib.exe | N/A
N/A | N/A | C:\Windows\System32\attrib.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cmd.exe | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\System32\\$77wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A

Command and Scripting Interpreter: PowerShell

Tags: execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | 5.tcp.ngrok.io | N/A | N/A
N/A | 5.tcp.ngrok.io | N/A | N/A
N/A | 5.tcp.ngrok.io | N/A | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Scheduled Task/Job: Scheduled Task

Tags: persistence, execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1924 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\System32\attrib.exe
PID 1924 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\System32\attrib.exe
PID 1924 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\System32\attrib.exe
PID 1924 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\System32\attrib.exe
PID 1924 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\System32\attrib.exe
PID 1924 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\System32\attrib.exe
PID 1924 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 324 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 1692 wrote to memory of 324 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 1692 wrote to memory of 324 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 1692 wrote to memory of 796 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\System32\$77wininit.exe
PID 1692 wrote to memory of 796 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\System32\$77wininit.exe
PID 1692 wrote to memory of 796 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\System32\$77wininit.exe
PID 796 wrote to memory of 1636 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\system32\schtasks.exe
PID 796 wrote to memory of 1636 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\system32\schtasks.exe
PID 796 wrote to memory of 1636 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\system32\schtasks.exe
PID 796 wrote to memory of 2460 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\system32\schtasks.exe
PID 796 wrote to memory of 2460 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\system32\schtasks.exe
PID 796 wrote to memory of 2460 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\system32\schtasks.exe
PID 796 wrote to memory of 1736 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\system32\schtasks.exe
PID 796 wrote to memory of 1736 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\system32\schtasks.exe
PID 796 wrote to memory of 1736 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\system32\schtasks.exe
PID 796 wrote to memory of 2648 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 2648 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 2648 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 1304 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\System32\schtasks.exe
PID 796 wrote to memory of 1304 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\System32\schtasks.exe
PID 796 wrote to memory of 1304 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

Tags: persistence

Uses Volume Shadow Copy service COM API

Tags: ransomware

Views/modifies file attributes

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\attrib.exe | N/A
N/A | N/A | C:\Windows\System32\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe

"C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\System32"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\System32\$77wininit.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp36A.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\System32\$77wininit.exe

"C:\Users\Admin\System32\$77wininit.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN $77wininit.exe

C:\Windows\system32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "$77wininit.exe" /TR "C:\Users\Admin\System32\$77wininit.exe \"\$77wininit.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN $77wininit.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "wininit_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 5.tcp.ngrok.io udp
US 3.141.204.47:20636 5.tcp.ngrok.io tcp
US 3.141.204.47:20636 5.tcp.ngrok.io tcp
US 3.141.204.47:20636 5.tcp.ngrok.io tcp
US 3.141.204.47:20636 5.tcp.ngrok.io tcp
US 3.141.204.47:20636 5.tcp.ngrok.io tcp
US 3.141.204.47:20636 5.tcp.ngrok.io tcp
US 3.141.204.47:20636 5.tcp.ngrok.io tcp
US 3.141.204.47:20636 5.tcp.ngrok.io tcp
US 3.141.204.47:20636 5.tcp.ngrok.io tcp
US 3.141.204.47:20636 5.tcp.ngrok.io tcp
US 3.141.204.47:20636 5.tcp.ngrok.io tcp
US 8.8.8.8:53 5.tcp.ngrok.io udp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 8.8.8.8:53 5.tcp.ngrok.io udp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp

Files

memory/1924-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

memory/1924-1-0x000000013F5E0000-0x000000013F5F0000-memory.dmp

memory/1924-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

memory/1924-3-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

memory/1924-4-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp36A.tmp.bat

MD5 b4fa2a6988b96158c6434d608bd11ee0
SHA1 7932875262345ff58553b726b7d9f3979daf369d
SHA256 f82c264d9aaac6868595cc5163d7788447e91bd0e0968b3271209d24e37a1de0
SHA512 f3371ab70b3796ed3588098cf3a75cd92cbfc179e1b70fdfbc9d948c1a2e533865740c3c7abc630cf9f654758124389f15e297a34404b6ba4d97ef28dc752e5b

memory/1924-14-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

\Users\Admin\System32\$77wininit.exe

MD5 0ffb0e04f66e70f0cd320df2db61999e
SHA1 70f758a17090a074e26662dee56282d991ce55a6
SHA256 9677f7bc0da5cb2654fb6cc9e0ac3c65208c69cc1d4e7aa7707a30133d058621
SHA512 c287b991970602307b7ebba6d95acc5b02e0d753565a5c1b4622bd94161912e891ec2896f964bf7f350f72f6ed5eeaa41f9116e63c9cfeea61d40067ed9f79a1

memory/796-19-0x000000013F550000-0x000000013F560000-memory.dmp

memory/2648-24-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

memory/2648-25-0x0000000001E00000-0x0000000001E08000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 20:10
Reported: 2024-11-13 20:12
Platform: win10v2004-20241007-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe"

Signatures

Sets file to hidden

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\attrib.exe | N/A
N/A | N/A | C:\Windows\System32\attrib.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\System32\$77wininit.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\System32\\$77wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A

Command and Scripting Interpreter: PowerShell

Tags: execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 5.tcp.ngrok.io | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | 5.tcp.ngrok.io | N/A | N/A
N/A | 5.tcp.ngrok.io | N/A | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Scheduled Task/Job: Scheduled Task

Tags: persistence, execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4296 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\System32\attrib.exe
PID 4296 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\System32\attrib.exe
PID 4296 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\System32\attrib.exe
PID 4296 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\System32\attrib.exe
PID 4296 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\system32\cmd.exe
PID 4296 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | C:\Windows\system32\cmd.exe
PID 3668 wrote to memory of 4464 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 3668 wrote to memory of 4464 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 3668 wrote to memory of 3444 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\System32\$77wininit.exe
PID 3668 wrote to memory of 3444 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\System32\$77wininit.exe
PID 3444 wrote to memory of 2424 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3444 wrote to memory of 2424 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3444 wrote to memory of 1984 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3444 wrote to memory of 1984 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3444 wrote to memory of 1360 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3444 wrote to memory of 1360 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3444 wrote to memory of 3404 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 3404 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 3684 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\System32\schtasks.exe
PID 3444 wrote to memory of 3684 | N/A | C:\Users\Admin\System32\$77wininit.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

Tags: persistence

Uses Volume Shadow Copy service COM API

Tags: ransomware

Views/modifies file attributes

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\attrib.exe | N/A
N/A | N/A | C:\Windows\System32\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe

"C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\System32"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\System32\$77wininit.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE1A5.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\System32\$77wininit.exe

"C:\Users\Admin\System32\$77wininit.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77wininit.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "$77wininit.exe" /TR "C:\Users\Admin\System32\$77wininit.exe \"\$77wininit.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77wininit.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "wininit_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 5.tcp.ngrok.io udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 3.141.126.222:20636 5.tcp.ngrok.io tcp
US 8.8.8.8:53 5.tcp.ngrok.io udp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 3.137.123.63:20636 5.tcp.ngrok.io tcp
US 8.8.8.8:53 5.tcp.ngrok.io udp
US 3.142.157.76:20636 5.tcp.ngrok.io tcp
US 3.142.157.76:20636 5.tcp.ngrok.io tcp
US 3.142.157.76:20636 5.tcp.ngrok.io tcp
US 3.142.157.76:20636 5.tcp.ngrok.io tcp
US 3.142.157.76:20636 5.tcp.ngrok.io tcp
US 3.142.157.76:20636 5.tcp.ngrok.io tcp
US 3.142.157.76:20636 5.tcp.ngrok.io tcp
US 3.142.157.76:20636 5.tcp.ngrok.io tcp
US 3.142.157.76:20636 5.tcp.ngrok.io tcp
US 3.142.157.76:20636 5.tcp.ngrok.io tcp
US 3.142.157.76:20636 5.tcp.ngrok.io tcp
US 3.142.157.76:20636 5.tcp.ngrok.io tcp

Files

memory/4296-0-0x00007FFCC7303000-0x00007FFCC7305000-memory.dmp

memory/4296-1-0x0000000000E90000-0x0000000000EA0000-memory.dmp

memory/4296-2-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp

memory/4296-3-0x00007FFCC7303000-0x00007FFCC7305000-memory.dmp

memory/4296-4-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE1A5.tmp.bat

MD5 8b7258d973caefbcd6ab0462ea50b144
SHA1 613dc20250f78416dd494a8f60a917654f716dc8
SHA256 b2d14c301f476f2e07a8f2db073afa2c36d96c5c713a1b2f93ee4c9c5e18915b
SHA512 1c0097ac36d7d2427b699478c13c3275646fc08a07b88b2605a4790b42b65fcc3354b9c7dfd421b6aea0f16728266c1ce5a96b922ebeb03c230cfed04badb02e

memory/4296-10-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp

C:\Users\Admin\System32\$77wininit.exe

MD5 0ffb0e04f66e70f0cd320df2db61999e
SHA1 70f758a17090a074e26662dee56282d991ce55a6
SHA256 9677f7bc0da5cb2654fb6cc9e0ac3c65208c69cc1d4e7aa7707a30133d058621
SHA512 c287b991970602307b7ebba6d95acc5b02e0d753565a5c1b4622bd94161912e891ec2896f964bf7f350f72f6ed5eeaa41f9116e63c9cfeea61d40067ed9f79a1

memory/3404-14-0x000002B8C3050000-0x000002B8C3072000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_riihvaq3.xoe.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82