Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-11-2024 20:59
Static task
static1
Behavioral task
behavioral1
Sample
0376107fac6e7b418b2fe8eedc5dd73e6ecd65ec0dadbfd205d48f852db87638.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0376107fac6e7b418b2fe8eedc5dd73e6ecd65ec0dadbfd205d48f852db87638.exe
Resource
win10v2004-20241007-en
General
-
Target
0376107fac6e7b418b2fe8eedc5dd73e6ecd65ec0dadbfd205d48f852db87638.exe
-
Size
1.3MB
-
MD5
3b716d0222278500c7dc8522b8b87662
-
SHA1
e87ab56a84a329b4d4b758bbadd49116efb6e94e
-
SHA256
0376107fac6e7b418b2fe8eedc5dd73e6ecd65ec0dadbfd205d48f852db87638
-
SHA512
2e20e0381e6dbe9db2f0b034519eddeb9ac3160072265cc68bb9dded302a1c14172ee8c7388e38c35b9266c0ad18afb0279a98af40bf8dda4fe36527789f038d
-
SSDEEP
24576:pJutuFWvPDnW22ibKGed8oZ2abjmiJlUafCz2BSTZQMS0fUwSB2dyKcjNyqkPL2:S0m2yKGUZ/bqgiax2eESB2dOkPa
Malware Config
Extracted
C:\$Recycle.Bin\HOW TO BACK FILES.txt
targetcompany
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 1212 created 3452 | 1212 | 0376107fac6e7b418b2fe8eedc5dd73e6ecd65ec0dadbfd205d48f852db87638.exe | 56
-
TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
-
Targetcompany family
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
544 | bcdedit.exe
4980 | bcdedit.exe
-
Renames multiple (6539) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VersionString.vbs | 0376107fac6e7b418b2fe8eedc5dd73e6ecd65ec0dadbfd205d48f852db87638.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | InstallUtil.exe
File opened (read-only) | \??\A: | InstallUtil.exe
File opened (read-only) | \??\Z: | InstallUtil.exe
File opened (read-only) | \??\P: | InstallUtil.exe
File opened (read-only) | \??\R: | InstallUtil.exe
File opened (read-only) | \??\T: | InstallUtil.exe
File opened (read-only) | \??\U: | InstallUtil.exe
File opened (read-only) | \??\W: | InstallUtil.exe
File opened (read-only) | \??\M: | InstallUtil.exe
File opened (read-only) | \??\B: | InstallUtil.exe
File opened (read-only) | \??\G: | InstallUtil.exe
File opened (read-only) | \??\H: | InstallUtil.exe
File opened (read-only) | \??\I: | InstallUtil.exe
File opened (read-only) | \??\J: | InstallUtil.exe
File opened (read-only) | \??\K: | InstallUtil.exe
File opened (read-only) | \??\L: | InstallUtil.exe
File opened (read-only) | \??\N: | InstallUtil.exe
File opened (read-only) | \??\O: | InstallUtil.exe
File opened (read-only) | \??\Q: | InstallUtil.exe
File opened (read-only) | \??\D: | InstallUtil.exe
File opened (read-only) | \??\S: | InstallUtil.exe
File opened (read-only) | \??\V: | InstallUtil.exe
File opened (read-only) | \??\X: | InstallUtil.exe
File opened (read-only) | \??\Y: | InstallUtil.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
18 | api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1212 set thread context of 2088 | 1212 | 0376107fac6e7b418b2fe8eedc5dd73e6ecd65ec0dadbfd205d48f852db87638.exe | 82
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\HOW TO BACK FILES.txt | InstallUtil.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-100.png | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x | InstallUtil.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\HOW TO BACK FILES.txt | InstallUtil.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsStoreLogo.contrast-black_scale-200.png | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-150.png | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\GeometryShader.cso | InstallUtil.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\move.svg | InstallUtil.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\he-il\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-125.png | InstallUtil.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009 | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Sunglasses.png | InstallUtil.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js | InstallUtil.exe
File created | C:\Program Files (x86)\Windows Media Player\en-US\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl | InstallUtil.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR | InstallUtil.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\180.png | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-400.png | InstallUtil.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-press.svg | InstallUtil.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\af\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cgg\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files\Windows Media Player\ja-JP\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif | InstallUtil.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ModifiedAlphaTexturePixelShader.cso | InstallUtil.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark.png | InstallUtil.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\HOW TO BACK FILES.txt | InstallUtil.exe
File created | C:\Program Files\Java\jre-1.8\lib\amd64\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W6.png | InstallUtil.exe
File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\LargeTile.scale-200.png | InstallUtil.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png | InstallUtil.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js | InstallUtil.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png | InstallUtil.exe
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.boot.tree.dat | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-125_contrast-black.png | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-100.png | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg2_thumb.png | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationSensorCalibrationFigure.png | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96_altform-unplated.png | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-125.png | InstallUtil.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-unplated_contrast-white.png | InstallUtil.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.map | InstallUtil.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\HOW TO BACK FILES.txt | InstallUtil.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\HOW TO BACK FILES.txt | InstallUtil.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-400.png | InstallUtil.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-250.png | InstallUtil.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-disabled.svg | InstallUtil.exe
File created | C:\Program Files\VideoLAN\VLC\locale\cs\HOW TO BACK FILES.txt | InstallUtil.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms | InstallUtil.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\THMBNAIL.PNG | InstallUtil.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | InstallUtil.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\TargetInfo.txt | InstallUtil.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
1212 | 0376107fac6e7b418b2fe8eedc5dd73e6ecd65ec0dadbfd205d48f852db87638.exe
2088 | InstallUtil.exe
2088 | InstallUtil.exe
2088 | InstallUtil.exe
2088 | InstallUtil.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1212 | 0376107fac6e7b418b2fe8eedc5dd73e6ecd65ec0dadbfd205d48f852db87638.exe
Token: SeDebugPrivilege | 1212 | 0376107fac6e7b418b2fe8eedc5dd73e6ecd65ec0dadbfd205d48f852db87638.exe
Token: SeTakeOwnershipPrivilege | 2088 | InstallUtil.exe
Token: SeDebugPrivilege | 2088 | InstallUtil.exe
Token: SeTakeOwnershipPrivilege | 2088 | InstallUtil.exe (this row is repeated 60 times in the report, giving the 64 IoCs in total)
-
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 1212 wrote to memory of 2088 | 1212 | 0376107fac6e7b418b2fe8eedc5dd73e6ecd65ec0dadbfd205d48f852db87638.exe | 82 (this row is repeated 10 times)
PID 2088 wrote to memory of 1804 | 2088 | InstallUtil.exe | 85 (repeated 2 times)
PID 2088 wrote to memory of 3096 | 2088 | InstallUtil.exe | 87 (repeated 2 times)
PID 1804 wrote to memory of 544 | 1804 | cmd.exe | 91 (repeated 2 times)
PID 3096 wrote to memory of 4980 | 3096 | cmd.exe | 92 (repeated 2 times)
Processes
-
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3452
  [2] C:\Users\Admin\AppData\Local\Temp\0376107fac6e7b418b2fe8eedc5dd73e6ecd65ec0dadbfd205d48f852db87638.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0376107fac6e7b418b2fe8eedc5dd73e6ecd65ec0dadbfd205d48f852db87638.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops startup file
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1212
  [2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2088
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
        - Suspicious use of WriteProcessMemory
        PID: 1804
      [4] C:\Windows\system32\bcdedit.exe
          Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
          PID: 544
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
        - Suspicious use of WriteProcessMemory
        PID: 3096
      [4] C:\Windows\system32\bcdedit.exe
          Command line: bcdedit /set {current} recoveryenabled no
          - Modifies boot configuration data using bcdedit
          PID: 4980
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
18ea4072b08d2a9321be0931e69506b4
SHA1
8703a28745855bacc4b5b5f7187537aac7f14896
SHA256
f53fafd81bde3662db1f22b949e630657dc72180da9850ec30231b350cacb995
SHA512
bfb698103db1ca363d3e6cbb825a08dd8dcf163a36042048d462f46dbc75bed28fc0907dbc0e04ef2ab588eb72a63f1d5bfde732b1fb820c0aa27c0a69fe2fd4
-
Filesize
196B
MD5
81c2889ed94d03c84fa24061b82792bc
SHA1
0c9e5ff9c74bba0de8c24d7e8324069bf4916aad
SHA256
6e5b3d1dd7359b1075d70b6f8adf43b84b709fc54939a82112feeba78b6f2c08
SHA512
b5a0b7cc43747754d2a4083bb02cfe4f028dd854d35f90d41e42ae5eb59ba9e31dafcc3e7fe3b5dce454cfae035f6c9f39edd3c1149799a7fba88cbfa43dc70e
-
Filesize
14B
MD5
2c807857a435aa8554d595bd14ed35d1
SHA1
9003a73beceab3d1b1cd65614347c33117041a95
SHA256
3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b
SHA512
95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9