Malware Analysis Report

2024-11-30 23:53

Sample ID 241120-l5qfjazmbq
Target c7c4ba1401f1bc59b0ac4f6f5732d224a610dafd586418bc8afdb9fc67dc32d1
SHA256 c7c4ba1401f1bc59b0ac4f6f5732d224a610dafd586418bc8afdb9fc67dc32d1
Tags
targetcompany evasion ransomware discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7c4ba1401f1bc59b0ac4f6f5732d224a610dafd586418bc8afdb9fc67dc32d1

Threat Level: Known bad

The file c7c4ba1401f1bc59b0ac4f6f5732d224a610dafd586418bc8afdb9fc67dc32d1 was found to be: Known bad.

Malicious Activity Summary

targetcompany evasion ransomware discovery

TargetCompany,Mallox

Targetcompany family

Renames multiple (6527) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (7156) files with added filename extension

Checks computer location settings

Looks up external IP address via web service

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 10:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 10:07

Reported

2024-11-20 10:09

Platform

win7-20240729-en

Max time kernel

85s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe"

Signatures

TargetCompany,Mallox

ransomware targetcompany

Targetcompany family

targetcompany

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (7156) files with added filename extension

ransomware

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Guatemala C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Microsoft Games\More Games\ja-JP\MoreGames.dll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107364.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected] C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01805_.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME17.CSS C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\COUPLER.WAV C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR47F.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115863.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPUOptIn.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Windows Journal\es-ES\PDIALOG.exe.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00426_.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT.DPV C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-annotations-common.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105348.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JAVA_01.MID C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02054_.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152696.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\DVD Maker\ja-JP\WMM2CLIP.dll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00095_.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR24F.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mr.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+2 C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14829_.GIF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\de-DE\FreeCell.exe.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02124_.WMF C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\shvlzm.exe.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.LEX C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB3A.BDR C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A

System policy modification

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} recoveryenabled no

Network

Country Destination Domain Proto
N/A 10.127.0.1:135 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:80 api.ipify.org tcp
RU 91.215.85.135:80 91.215.85.135 tcp
N/A 10.127.0.1:135 tcp
DE 136.243.76.21:135 tcp
DE 136.243.76.21:135 tcp

Files

C:\$Recycle.Bin\HOW TO BACK FILES.txt

MD5 18463a792ccba7c21973abd427ad19bd
SHA1 012ec1c9b641c04b617f1c843363e960ad654cf0
SHA256 92035b2232919b7582498170750b1b46e52c77fee93e49d68dedf9424aa7e7ec
SHA512 1a81294240a9549e53a8736c36f2556b94089687c25f62b2bf49a716d70782a452cb2a3802ea34dabcbafa87749ded886a43a5ae4782933866449d3c9eb4accc

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 10:07

Reported

2024-11-20 10:09

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe"

Signatures

TargetCompany,Mallox

ransomware targetcompany

Targetcompany family

targetcompany

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (6527) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-US.PhoneNumber.model C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryResume.dotx C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Concrete.dxt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling.ort C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4 C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\PlayStore_icon.svg C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Paint3D.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-300.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\SmartSelect\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-200.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg7.jpg C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_half.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File created C:\Program Files\dotnet\host\fxr\8.0.2\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\JumpListNewNote.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-40_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\LargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lt.pak.DATA C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Network Sharing\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\HOW TO BACK FILES.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Protocol.winmd C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\VideoWhatsNewItems.json C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A

System policy modification

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\x.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} recoveryenabled no

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:80 api.ipify.org tcp
RU 91.215.85.135:80 91.215.85.135 tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 135.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 10.127.0.1:135 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
N/A 10.127.0.1:135 tcp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 136.243.76.21:445 tcp
DE 136.243.76.21:139 tcp
DE 136.243.76.21:135 tcp

Files

\Device\HarddiskVolume1\HOW TO BACK FILES.txt

MD5 4320c059e089580302f8ed9fb5c254a2
SHA1 37adfee38897711be7bb27a550432ff597c1635e
SHA256 d5fbea79d7809252124493c60a3a8d404dd783d68a532fe0e96185d10c7a99e7
SHA512 958f19bfe02e449ee5f755e5522001e3ff6354a344a33e75521a60136e3aaabfe88689f9924f3bf97b04c9ff9eb61857dc8c048409493b07261e1b12399ae47f

C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.b783ffe3.pri

MD5 fdd862409073fff953baab6f5f09eb65
SHA1 763e278f9a26d7e823052b56a2553a46ec2179c0
SHA256 f0853a1adcc79698f10ec0db6087f15ee77dae8f166bc5f6879f19ae5fe41e95
SHA512 ae3adffcda379fe00c9485cfb9c4c6d0b3a4848505c9ef9ee8b33ae647e5212cd8683616e68790e5a6b77e5285041667ac20e3c36c70287fcba0399841420bb9