Overview
overview
10Static
static
10757e3242f6...b4.exe
windows7-x64
976fe72e0ec...ss.exe
windows7-x64
778d4cf8df6...B3.exe
windows7-x64
778d4cf8df6...59.exe
windows7-x64
778db508226...69.exe
windows7-x64
97965f6adf3...ss.exe
windows7-x64
77B75B33BCF...B5.exe
windows7-x64
17E3903944E...72.exe
windows7-x64
77dd9312307...ca.dll
windows7-x64
37e4c9a7e39...1f.exe
windows7-x64
980eb72d781...B3.exe
windows7-x64
780eb72d781...9A.exe
windows7-x64
7845263c869...c8.exe
windows7-x64
98524224187...8f.exe
windows7-x64
686be3831f5...39.exe
windows7-x64
68791931bac...DA.exe
windows7-x64
78791931bac...69.exe
windows7-x64
787a4f3f9f6...88.exe
windows7-x64
789fb6d7ff2...f6.exe
windows7-x64
98c59148535...21.exe
windows7-x64
98d372fcf8a...e0.exe
windows7-x64
7900.exe
windows7-x64
9911d5905cb...b9.exe
windows7-x64
791d24e0657...eb.zip
windows7-x64
192ac6be4d9...5b.exe
windows7-x64
97512f4617...7c.exe
windows7-x64
1098aadc95c5...e7.exe
windows7-x64
109943256.exe
windows7-x64
109B9517FA15...DF.exe
windows7-x64
79b7eaffe4d...c8.exe
windows7-x64
10a322da0be4...44.exe
windows7-x64
10a42252e674...34.exe
windows7-x64
9Analysis
-
max time kernel
1200s -
max time network
839s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 02:43
Behavioral task
behavioral1
Sample
757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2_not_packed_maybe_useless.exe
Resource
win7-20241010-en
Behavioral task
behavioral3
Sample
78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_Dumped_TDS=4F9911B3.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_TDS=4FA04B59.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f_not_packed_maybe_useless.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
7B75B33BCF4ECF013B93F84ED98B3FB5.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
7E3903944EAB7B61B495572BAA60FB72.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_Dumped_TDS=4F9911B3.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_TDS=4FAAF59A.exe
Resource
win7-20240729-en
Behavioral task
behavioral13
Sample
845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_Dumped_TDS=4F83FCDA.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_TDS=4F84A969.exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
87a4f3f9f6dc263378f2f01db5f2c988.exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
89fb6d7ff29b0c349c19df2e81028a62a2758c33f2c72b87dc11af4f22d3c6f6.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
8c591485357e45a09dad3116496e6f686fa11f445a6bea5ef3cd5ed1ac078821.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
900.exe
Resource
win7-20241023-en
Behavioral task
behavioral23
Sample
911d5905cbe1dd462f171b7167cd15b9.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
91d24e06572099ba0aa5c20be6b1021fa48e864913fe3676ed05323e6b68fceb.zip
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b.exe
Resource
win7-20240708-en
Behavioral task
behavioral26
Sample
97512f4617019c907cd0f88193039e7c.exe
Resource
win7-20240708-en
Behavioral task
behavioral27
Sample
98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
9943256.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
9B9517FA1515F47A502FE56536236A20BE5BBADF.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
9b7eaffe4dffcbd06445d0b32785cdc8.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
a42252e674a09a0b689e71c88f59969f538a473da647cc4eb5457a5d5e03a234.exe
Resource
win7-20240903-en
General
-
Target
98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
-
Size
151KB
-
MD5
993135dacbff2607839ee5a76ca06c61
-
SHA1
c1a9a8cdad293887214605ca0e47f3ddfa4e1a52
-
SHA256
98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7
-
SHA512
69472dc86d5d3c44742b209fb0a57ab3afd8f93d0c5adfdcd48c2e4828828309101fcb9500813044712b1bc3e85e6a2ad3e5dde5f3818fb8772f0ff5d0b873ea
-
SSDEEP
3072:aMAr2Q8LH/r1GgDwheOj9Pm4uX2QZJiU8ypfoAWe:aMAaQ0D1VDwheuhJmJiU8y90
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\How to restore files.hta
Signatures
-
Renames multiple (4603) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 3 IoCs
pid Process 2768 msiscan.exe 2180 ~wtmp001.exe 2472 wmon.exe -
Loads dropped DLL 6 IoCs
pid Process 2888 98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe 2888 98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe 2768 msiscan.exe 2768 msiscan.exe 2180 ~wtmp001.exe 2180 ~wtmp001.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\How to restore files = "mshta.exe \"C:\\Users\\Admin\\How to restore files.hta\"" msiscan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wmon = "C:\\Users\\Admin\\AppData\\Local\\wmon.exe" mshta.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{7EE83558-92B4-4741-8714-1DE414DEA489} = "C:\\Users\\Admin\\AppData\\Local\\msiscan.exe" mshta.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 msiscan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum msiscan.exe -
resource yara_rule behavioral27/memory/2888-0-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/files/0x000b0000000120f6-3.dat upx behavioral27/memory/2888-12-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-13-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-226-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-225-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-491-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-712-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-872-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-1017-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-1154-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-1283-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-1400-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-1542-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-1883-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-2279-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-2760-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-3122-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-3265-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-3424-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-3572-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-3737-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-3891-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-4049-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-4189-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-4334-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-4596-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-4860-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-5097-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-5769-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-6284-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-6920-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-7159-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-7352-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-7525-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-7683-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-7838-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-8002-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-8155-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-8288-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-8450-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-8686-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-8754-0x0000000000400000-0x000000000044B000-memory.dmp upx behavioral27/memory/2768-8768-0x0000000000400000-0x000000000044B000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\slideShow.js.purge msiscan.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar.purge msiscan.exe File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png.purge msiscan.exe File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as80.xsl.purge msiscan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG.purge msiscan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_on.gif.purge msiscan.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png.purge msiscan.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml.purge msiscan.exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.purge msiscan.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.purge msiscan.exe File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\How to restore files.hta msiscan.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\calendar.js.purge msiscan.exe File created C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui.purge msiscan.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\settings.css.purge msiscan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\background.gif.purge msiscan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html.purge msiscan.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.purge msiscan.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\How to restore files.hta msiscan.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar.purge msiscan.exe File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\calendar.css.purge msiscan.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css.purge msiscan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDECL.ICO.purge msiscan.exe File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\How to restore files.hta msiscan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG.purge msiscan.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui.purge msiscan.exe File created C:\Program Files\Windows Mail\ja-JP\How to restore files.hta msiscan.exe File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\How to restore files.hta msiscan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR47B.GIF.purge msiscan.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_down.png.purge msiscan.exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt.purge msiscan.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar.purge msiscan.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar.purge msiscan.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml.purge msiscan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML.purge msiscan.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png.purge msiscan.exe File created C:\Program Files\DVD Maker\en-US\DVDMaker.exe.mui.purge msiscan.exe File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\How to restore files.hta msiscan.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html.purge msiscan.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT.purge msiscan.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\How to restore files.hta msiscan.exe File created C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui.purge msiscan.exe File opened for modification C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.purge msiscan.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png.purge msiscan.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js.purge msiscan.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\PREVIEW.GIF.purge msiscan.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif.purge msiscan.exe File opened for modification C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui.purge msiscan.exe File created C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.purge msiscan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14538_.GIF.purge msiscan.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui.purge msiscan.exe File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\How to restore files.hta msiscan.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png.purge msiscan.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar.purge msiscan.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml.purge msiscan.exe File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.purge msiscan.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png.purge msiscan.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml.purge msiscan.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdaorar.dll.mui.purge msiscan.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\How to restore files.hta msiscan.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png.purge msiscan.exe File opened for modification C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui.purge msiscan.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\gadget.xml.purge msiscan.exe File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\How to restore files.hta msiscan.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\drag.png.purge msiscan.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ~wtmp001.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiscan.exe -
Kills process with taskkill 1 IoCs
pid Process 1620 taskkill.exe -
Modifies Control Panel 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop msiscan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\TileWallpaper = "0" msiscan.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\WallpaperStyle = "2" msiscan.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2768 msiscan.exe 2768 msiscan.exe 2768 msiscan.exe 2768 msiscan.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1620 taskkill.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2768 2888 98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe 30 PID 2888 wrote to memory of 2768 2888 98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe 30 PID 2888 wrote to memory of 2768 2888 98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe 30 PID 2888 wrote to memory of 2768 2888 98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe 30 PID 2768 wrote to memory of 2620 2768 msiscan.exe 31 PID 2768 wrote to memory of 2620 2768 msiscan.exe 31 PID 2768 wrote to memory of 2620 2768 msiscan.exe 31 PID 2768 wrote to memory of 2620 2768 msiscan.exe 31 PID 2768 wrote to memory of 904 2768 msiscan.exe 34 PID 2768 wrote to memory of 904 2768 msiscan.exe 34 PID 2768 wrote to memory of 904 2768 msiscan.exe 34 PID 2768 wrote to memory of 904 2768 msiscan.exe 34 PID 2768 wrote to memory of 2180 2768 msiscan.exe 35 PID 2768 wrote to memory of 2180 2768 msiscan.exe 35 PID 2768 wrote to memory of 2180 2768 msiscan.exe 35 PID 2768 wrote to memory of 2180 2768 msiscan.exe 35 PID 2180 wrote to memory of 2472 2180 ~wtmp001.exe 36 PID 2180 wrote to memory of 2472 2180 ~wtmp001.exe 36 PID 2180 wrote to memory of 2472 2180 ~wtmp001.exe 36 PID 2180 wrote to memory of 2472 2180 ~wtmp001.exe 36 PID 2180 wrote to memory of 2148 2180 ~wtmp001.exe 37 PID 2180 wrote to memory of 2148 2180 ~wtmp001.exe 37 PID 2180 wrote to memory of 2148 2180 ~wtmp001.exe 37 PID 2180 wrote to memory of 2148 2180 ~wtmp001.exe 37 PID 2472 wrote to memory of 2520 2472 wmon.exe 38 PID 2472 wrote to memory of 2520 2472 wmon.exe 38 PID 2472 wrote to memory of 2520 2472 wmon.exe 38 PID 2472 wrote to memory of 2520 2472 wmon.exe 38 PID 2768 wrote to memory of 772 2768 msiscan.exe 39 PID 2768 wrote to memory of 772 2768 msiscan.exe 39 PID 2768 wrote to memory of 772 2768 msiscan.exe 39 PID 2768 wrote to memory of 772 2768 msiscan.exe 39 PID 772 wrote to memory of 1620 772 cmd.exe 41 PID 772 wrote to memory of 1620 772 cmd.exe 41 PID 772 wrote to memory of 1620 772 cmd.exe 41 PID 772 wrote to memory of 1620 772 cmd.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe"C:\Users\Admin\AppData\Local\Temp\98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\msiscan.exe"C:\Users\Admin\AppData\Local\msiscan.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\mshta.exemshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{7EE83558-92B4-4741-8714-1DE414DEA489}','C:\\Users\\Admin\\AppData\\Local\\msiscan.exe');}catch(e){}},10);"3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2620
-
-
C:\Windows\SysWOW64\mshta.exemshta.exe "C:\Users\Admin\How to restore files.hta"3⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:904
-
-
C:\Users\Admin\AppData\Local\Temp\~wtmp001.exeC:\Users\Admin\AppData\Local\Temp\~wtmp001.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Users\Admin\AppData\Local\wmon.exe"C:\Users\Admin\AppData\Local\wmon.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\mshta.exemshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wmon','C:\\Users\\Admin\\AppData\\Local\\wmon.exe');}catch(e){}},10);"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2520
-
-
-
C:\Windows\SysWOW64\mshta.exemshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\Temp\\~wtmp001.exe');close()}catch(e){}},10);"4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2148
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C taskkill /PID 2620 /F3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\taskkill.exetaskkill /PID 2620 /F4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.purge
Filesize405KB
MD562b8f4566bf68bab6db8d110ddb0cef6
SHA156812afca274e27bdb22d6a59f0e8dfddd585c17
SHA2563cf6e420e9251f1505d1b999d981f488c4f7aa83e9c4ae360026cc9ee62c003a
SHA51275dd30956cd45c47d1b0f2e06d94d577830cadd7420748d8e389725cf43e17d597ae3b1ae2e0ab01e8924cec36ce24500f24fa34dcc94140798f5f6d931c0d3a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\How to restore files.hta
Filesize4KB
MD5501901da96ea73075c3cb2ce15f97d6d
SHA11bf1cc4f8739e59505b97762b95bc2d589fd015a
SHA256ac1059b9d881d5e66934fb4e1d1d625647b30559e9694e963633935408a00221
SHA51253e9b0bb3556aa96b2f3d47423e2f414e0c767c05fab8d0e6b68ee932443bfbfde317307d1da846655cded63e1bb94281c5a41978ff64d0e8cf1c226db7bf8d1
-
Filesize
26KB
MD50f619a859872cee5c1fac8594f2ce9ad
SHA1fae9e83196477b9fa770916026427c6e0a4438be
SHA256866a90a9f3db2fde0311fdd46e69f54cf761c845e06ab73468ede4fe466ce2bd
SHA512cb612d9d0b2c7ecca4379146076bd90d0ad374fea65e622883386455ef388d7957d48c537d3b0c0b4b965c99c3277bd6edfd11cf8cb5aedb460903e8956c5104
-
Filesize
151KB
MD5993135dacbff2607839ee5a76ca06c61
SHA1c1a9a8cdad293887214605ca0e47f3ddfa4e1a52
SHA25698aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7
SHA51269472dc86d5d3c44742b209fb0a57ab3afd8f93d0c5adfdcd48c2e4828828309101fcb9500813044712b1bc3e85e6a2ad3e5dde5f3818fb8772f0ff5d0b873ea