Analysis

max time kernel: 118s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2024 23:06
Static task: static1

Behavioral task: behavioral1
  Sample: 4112fd7d49336a390f856b252e13d9b198b54307e5499a00df45ac66c8211854N.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 4112fd7d49336a390f856b252e13d9b198b54307e5499a00df45ac66c8211854N.exe
  Resource: win10v2004-20241007-en
General

Target: 4112fd7d49336a390f856b252e13d9b198b54307e5499a00df45ac66c8211854N.exe
Size: 1.3MB
MD5: a3dfc070755d94030ad0e7627a0c8440
SHA1: f770be3504c1846226302c1b61ac55a379fb913c
SHA256: 4112fd7d49336a390f856b252e13d9b198b54307e5499a00df45ac66c8211854
SHA512: 6426241b13edfa3ea3d0538a52581f31f7b5fb5e1a7389fe2a2c4b05349bd572b8362ca55d969067ab2ad6d6f8fdfc6aca63a371ad2e0e5820425f2c730e1ca3
SSDEEP: 24576:pJutuFWvPDnW22ibKGed8oZ2abjmiJlUafCz2BSTZQMS0fUwSB2dyKcjNyqkPL:S0m2yKGUZ/bqgiax2eESB2dOkP
Malware Config

Extracted from: \Device\HarddiskVolume1\HOW TO BACK FILES.txt
Family: targetcompany
URLs:
  http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
  http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

The "configuration" here is not decoded from the binary; it is the family label and the Tor contact URLs pulled from the ransom note the sample drops at the root of the first volume. The same note is re-created in every directory the encryptor visits (see the Program Files entries under Signatures).
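The "Extracted" block above is the sandbox's note-based config extractor at work. As an added example (not Triage's extractor and not part of this report), the Python below performs the same extraction on a constructed note text: it pulls v3 .onion URLs, keeps only hosts of the right shape, and then verifies each host's embedded checksum as defined by the Tor v3 address format, so a garbled or mistyped address is not blindly added to a blocklist. The note wording, the mistyped third host, the too-short fourth host, and the use of the "/mallox/" path segment as the family marker are assumptions made for illustration; only the first two URLs come from the report.

```python
import base64
import hashlib
import re

# Constructed stand-in for the ransom note text. Only the first two URLs are
# the ones this report extracted; the wording, the mistyped third host and the
# too-short fourth one are invented to exercise the filtering below.
SAMPLE_NOTE = """\
HOW TO BACK FILES
Your files have been encrypted.
Portal: http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
Mirror: http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Typo:   http://wtyafjyhwqrgo4a45wdvwwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
Short:  http://notavalidonionaddressbecauseitistooshort.onion/x
"""

# A v3 onion host is exactly 56 base32 characters (a-z, 2-7) before ".onion".
ONION_URL_RE = re.compile(r"https?://([a-z2-7]{56})\.onion(/[^\s\"'<>]*)?", re.IGNORECASE)


def extract_onion_urls(text: str) -> list:
    """Distinct v3 .onion URLs in order of first appearance."""
    urls = []
    for m in ONION_URL_RE.finditer(text):
        if m.group(0) not in urls:
            urls.append(m.group(0))
    return urls


def onion_v3_checksum_ok(host: str) -> bool:
    """Check the checksum embedded in a v3 onion address (tor rend-spec-v3, section 6):
    address = base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]), VERSION = 0x03,
    CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2].
    A 56-character string that merely matches the alphabet is not enough;
    this catches mistyped or garbled addresses."""
    label = host.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except Exception:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != b"\x03":
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


def extract_config(note_text: str) -> dict:
    """Mimic the report's 'Extracted' block: family, URLs and the hosts worth blocking."""
    urls = extract_onion_urls(note_text)
    hosts = sorted({ONION_URL_RE.match(u).group(1).lower() + ".onion" for u in urls})
    # "/mallox/" in the portal path is used as the family marker. This is an
    # assumption taken from this report's extracted URL, not a general rule.
    family = "targetcompany" if any("/mallox/" in u for u in urls) else "unknown"
    return {
        "family": family,
        "urls": urls,
        "hosts": hosts,
        "valid_hosts": [h for h in hosts if onion_v3_checksum_ok(h)],
    }


if __name__ == "__main__":
    for key, value in extract_config(SAMPLE_NOTE).items():
        print(f"{key}: {value}")
```

Running it lists three URLs (the too-short host never matches), two distinct hosts, and a single valid host: the mistyped one fails the checksum. Feeding only "valid_hosts" into a blocklist or a Tor exit/egress detection keeps copy errors in notes from turning into dead indicators.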
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
PID 2160 created 3512 (pid 2160, process 4112fd7d49336a390f856b252e13d9b198b54307e5499a00df45ac66c8211854N.exe, procid_target 56)
This is parent-PID spoofing: the process tree below shows InstallUtil.exe (PID 3000) as a child of Explorer.EXE (PID 3512) rather than of the sample that then writes into it, so a tree-based parent/child rule (sample.exe spawning InstallUtil.exe) will not fire.
TargetCompany, Mallox
TargetCompany (aka Mallox) is ransomware that encrypts files using a combination of ChaCha20, AES-128 and Curve25519; it was first seen in June 2021.

Targetcompany family
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
pid 1644, bcdedit.exe
pid 2748, bcdedit.exe
The two command lines (see the process tree below) are "bcdedit /set {current} bootstatuspolicy ignoreallfailures" and "bcdedit /set {current} recoveryenabled no". Together they stop Windows from dropping into automatic repair / Windows RE after a failed boot, removing one recovery path before encryption. On a suspect host, "bcdedit /enum {current}" shows the current recoveryenabled and bootstatuspolicy values; the defaults are restored with "bcdedit /set {current} recoveryenabled yes" and "bcdedit /set {current} bootstatuspolicy displayallfailures".
Renames multiple (6537) files with added filename extension
This is consistent with ransomware encrypting files across the system and appending its extension to each one.
Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VersionString.vbs, by 4112fd7d49336a390f856b252e13d9b198b54307e5499a00df45ac66c8211854N.exe
A script in the per-user Startup folder runs at every logon, so this is a simple logon persistence mechanism and a file worth collecting before cleanup.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of drives other than the default C: drive.
Process for every entry: InstallUtil.exe. File opened (read-only) on every drive letter except C: and F:
\??\A:, \??\B:, \??\D:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Probing the whole letter range is how the encryptor finds mapped network shares and removable media to encrypt in addition to the system volume.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 17: api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
PID 2160 set thread context of 3000 (pid 2160, process 4112fd7d49336a390f856b252e13d9b198b54307e5499a00df45ac66c8211854N.exe, procid_target 82)
Combined with the ten WriteProcessMemory calls from 2160 into 3000 listed below, this is the process-hollowing sequence: the sample writes its payload into the InstallUtil.exe process it created and then redirects that process's thread to it, so all of the encryption activity that follows is attributed to a Microsoft-signed .NET Framework utility.
Drops file in Program Files directory (64 IoCs)
Process for every entry: InstallUtil.exe. The "HOW TO BACK FILES.txt" entries are ransom-note drops in each directory the encryptor visits; the remaining "opened for modification" entries are application files being encrypted in place. Note the paths under C:\Program Files\WindowsApps, which are normally ACL-protected and line up with the repeated SeTakeOwnershipPrivilege adjustments below.

File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-100.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\SmallTile.scale-100.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-36.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-300.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleSmallTile.scale-200.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\AppStore_icon.svg
File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pl.pak.DATA
File created: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Retail\HOW TO BACK FILES.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\HOW TO BACK FILES.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms
File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\HOW TO BACK FILES.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties
File opened for modification: C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.2140f8bb.pri
File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sv-SE\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md
File opened for modification: C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat
File opened for modification: C:\Program Files\Microsoft Office\root\vreg\onenote.x-none.msi.16.x-none.vreg.dat
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-400.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\ui-strings.js
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-black.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-200_contrast-white.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-100_contrast-high.png
File created: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Java\jre-1.8\legal\jdk\dom.md
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms
File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-lightunplated.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32_altform-unplated.png
File created: C:\Program Files\VideoLAN\VLC\locale\mai\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_SmallTile.scale-125.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64_altform-unplated_contrast-white.png
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms
File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\203.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-72_altform-unplated_contrast-black.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri
File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\autofill_labeling_email.ort.DATA
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-200_contrast-black.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-200_contrast-white.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsWideTile.scale-100.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-lightunplated.png
File opened for modification: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ru\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.INF
File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\190.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_closereview_18.svg
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\ui-strings.js
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\HOW TO BACK FILES.txt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-100_contrast-white.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WebviewOffline.html
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reminders_18.svg
Drops file in Windows directory (1 IoC)
File created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\TargetInfo.txt, by InstallUtil.exe (written next to the hollowed InstallUtil.exe binary)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid 2160, 4112fd7d49336a390f856b252e13d9b198b54307e5499a00df45ac66c8211854N.exe (1 entry)
pid 3000, InstallUtil.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, pid 2160, 4112fd7d49336a390f856b252e13d9b198b54307e5499a00df45ac66c8211854N.exe (2 entries)
Token: SeTakeOwnershipPrivilege, pid 3000, InstallUtil.exe
Token: SeDebugPrivilege, pid 3000, InstallUtil.exe
Token: SeTakeOwnershipPrivilege, pid 3000, InstallUtil.exe (every remaining entry)
SeTakeOwnershipPrivilege lets its holder take ownership of a securable object regardless of the object's DACL. The encryptor re-enabling it over and over is consistent with it taking ownership of the protected Program Files and WindowsApps content it modifies above before opening those files for writing.
Suspicious use of WriteProcessMemory (18 IoCs)
PID 2160 wrote to memory of 3000 (4112fd7d49336a390f856b252e13d9b198b54307e5499a00df45ac66c8211854N.exe into InstallUtil.exe, procid_target 82): 10 entries
PID 3000 wrote to memory of 4816 (InstallUtil.exe into cmd.exe, procid_target 83): 2 entries
PID 3000 wrote to memory of 4324 (InstallUtil.exe into cmd.exe, procid_target 85): 2 entries
PID 4816 wrote to memory of 1644 (cmd.exe into bcdedit.exe, procid_target 87): 2 entries
PID 4324 wrote to memory of 2748 (cmd.exe into bcdedit.exe, procid_target 90): 2 entries
The InstallUtil.exe-to-cmd.exe and cmd.exe-to-bcdedit.exe pairs are the writes a parent makes into a child it has just launched and are expected; the ten writes from 2160 into 3000, followed by the SetThreadContext call above, are the injection.
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3512

  C:\Users\Admin\AppData\Local\Temp\4112fd7d49336a390f856b252e13d9b198b54307e5499a00df45ac66c8211854N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4112fd7d49336a390f856b252e13d9b198b54307e5499a00df45ac66c8211854N.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2160

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3000

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      PID: 4816

      C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
        PID: 1644

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      - Suspicious use of WriteProcessMemory
      PID: 4324

      C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {current} recoveryenabled no
        - Modifies boot configuration data using bcdedit
        PID: 2748
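The signature rows and the process tree above together describe four detectable behaviours: a process created with a parent other than its creator, memory writes followed by SetThreadContext into that process, bcdedit command lines that disable boot recovery, and a single process renaming thousands of files and dropping the same note everywhere. As an added example (not part of the report and not Triage's own signature logic), the Python below encodes those four checks as rules and runs them over a constructed event stream modelled on this report's PIDs and command lines. The "creator" field on process-creation events is an assumption: it is the PID that actually issued the create call, as a kernel process-creation callback records it, and is what makes the spoofed parent visible; plain Sysmon Event ID 1 carries only the claimed parent. The renamed document paths and the ".locked" extension are placeholders, since the report gives the rename count but not the extension.

```python
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4112fd7d49336a390f856b252e13d9b198b54307e5499a00df45ac66c8211854N.exe"
HOLLOWED = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
CMD = r"C:\Windows\System32\cmd.exe"
BCD = r"C:\Windows\system32\bcdedit.exe"
STARTUP_VBS = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VersionString.vbs"


def proc(pid, ppid, creator, image, cmdline):
    return {"type": "process_create", "pid": pid, "ppid": ppid, "creator": creator,
            "image": image, "cmdline": cmdline}


# Constructed event stream modelled on the report's process tree and memory rows.
# "creator" (the PID that actually issued the create call) is an assumed field of
# the kind a kernel process-creation callback records; plain Sysmon EID 1 only
# carries the spoofable ppid. The renamed paths and the ".locked" extension are
# placeholders: the report gives the count (6537) but not the extension.
EVENTS = [
    proc(2160, 3512, 3512, SAMPLE, f'"{SAMPLE}"'),
    proc(3000, 3512, 2160, HOLLOWED, f'"{HOLLOWED}"'),       # parent set to Explorer.EXE
    *[{"type": "write_memory", "pid": 2160, "target": 3000} for _ in range(10)],
    {"type": "set_thread_context", "pid": 2160, "target": 3000},
    {"type": "file_create", "pid": 2160, "path": STARTUP_VBS},
    proc(4816, 3000, 3000, CMD, f'"{CMD}" /c bcdedit /set {{current}} bootstatuspolicy ignoreallfailures'),
    proc(1644, 4816, 4816, BCD, "bcdedit /set {current} bootstatuspolicy ignoreallfailures"),
    proc(4324, 3000, 3000, CMD, f'"{CMD}" /c bcdedit /set {{current}} recoveryenabled no'),
    proc(2748, 4324, 4324, BCD, "bcdedit /set {current} recoveryenabled no"),
    {"type": "file_create", "pid": 3000,
     "path": r"C:\Program Files\VideoLAN\VLC\locale\mai\HOW TO BACK FILES.txt"},
    *[{"type": "file_rename", "pid": 3000,
       "old": rf"C:\Users\Admin\Documents\report{i}.docx",
       "new": rf"C:\Users\Admin\Documents\report{i}.docx.locked"} for i in range(50)],
    {"type": "file_rename", "pid": 1234, "old": r"C:\tmp\draft.txt", "new": r"C:\tmp\final.txt"},
]

BCD_TAMPER = re.compile(r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)


def detect_ppid_spoof(events):
    """(creator, child, claimed parent) where the recorded parent is not the creator."""
    return [(e["creator"], e["pid"], e["ppid"]) for e in events
            if e["type"] == "process_create" and e["creator"] != e["ppid"]]


def detect_injection(events):
    """((source, target), write count) for targets written to and then given a new thread context."""
    writes = Counter((e["pid"], e["target"]) for e in events if e["type"] == "write_memory")
    hits = []
    for e in events:
        if e["type"] == "set_thread_context" and writes[(e["pid"], e["target"])]:
            hits.append(((e["pid"], e["target"]), writes[(e["pid"], e["target"])]))
    return hits


def detect_recovery_tampering(events):
    """(pid, cmdline) of every process whose command line disables boot recovery."""
    return [(e["pid"], e["cmdline"]) for e in events
            if e["type"] == "process_create" and BCD_TAMPER.search(e["cmdline"])]


def detect_mass_rename(events, threshold=20):
    """{pid: count} for processes that appended an extension to at least `threshold` files."""
    counts = Counter(e["pid"] for e in events
                     if e["type"] == "file_rename" and e["new"].startswith(e["old"] + "."))
    return {pid: n for pid, n in counts.items() if n >= threshold}


def detect_ransom_notes(events, note_name="HOW TO BACK FILES.txt"):
    """{pid: count} of ransom-note drops, matched on the note's file name."""
    return dict(Counter(e["pid"] for e in events
                        if e["type"] == "file_create" and e["path"].rsplit("\\", 1)[-1] == note_name))


def triage(events):
    return {
        "ppid_spoof": detect_ppid_spoof(events),
        "injection": detect_injection(events),
        "bcd_tamper": detect_recovery_tampering(events),
        "mass_rename": detect_mass_rename(events),
        "ransom_notes": detect_ransom_notes(events),
    }


if __name__ == "__main__":
    for rule, result in triage(EVENTS).items():
        print(f"{rule}: {result}")
```

The rename rule keys on "new name starts with old name plus a dot" rather than on a fixed extension, so it still fires when the operator changes the extension; the bcdedit rule matches both the cmd.exe wrapper and the bcdedit.exe child, which is deliberate, since either alone is enough to act on. The injection and parent-spoofing rules only work if the sensor records the creating PID and cross-process writes; on a host with only Sysmon, fall back to the bcdedit and mass-rename rules and treat InstallUtil.exe running with no command-line arguments as the hunting lead.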
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 196B
MD5: d8f64ba1557669ec5196b13c2e18f7c9
SHA1: 4e80be4236830cf287ef19a728f1ff3e1b7dc7b4
SHA256: 590a76b354a0ef5284d16bb5aa6f148173d5a71f52a16451e1f41cebc20f3ab7
SHA512: df2f9b16a89ede9bc3383eaa793a44af51282efc7be871d070ab43b812c7892195ab736ef6a99237f3551c93064efa38878dffc51505fac6ce042abaa4d1baf8

Filesize: 1KB
MD5: 6ffd922e0541cb1712805ecc3730b25d
SHA1: 36f17aec5f9ce608841c9d727a644cb4d1127f92
SHA256: a187da6babd5bfa203bfe6db50d87ac6972c6a71f875ee67693a132aa47c5485
SHA512: bb2f5871341c8f9973086a1720a40d9c2708cb070f7928616631204af9fe914f0e53a59d972f43a615bf3bdfe63fde762f888a08951acf04853b464a1615c5ec