blackbasta | d905781d05edf7deb91f595b96efa5a5f6a55d693305da5161db32989f8d2d9b

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
Size

13.6MB
MD5

9f28f87be2197981d2e32009a91093d5
SHA1

c6d37a32e08c244ca866d3250ae1ddb0aa1a81e6
SHA256

d905781d05edf7deb91f595b96efa5a5f6a55d693305da5161db32989f8d2d9b
SHA512

0fb502a720d6e110b2e1195b793fad05713701fcd49f89d4f49ccd0b21e30948d145356f4d8108d8acf7566ef0503889167d4ddb4c275ec23e5b98c7dc85e8ef
SSDEEP

98304:+Lu1TIRtUOV5ZQ+5jZArLu1OWWqXpy05Q4BN2IJjscn:+TRtBYk405Q03FP

Score

10^/10

blackbasta pandastealer defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Signatures

Black Basta
A ransomware family targeting Windows and Linux ESXi first seen in February 2022.
ransomware blackbasta

Black Basta payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000100000000f879-13.dat	family_blackbasta

Blackbasta family
blackbasta

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000100000000f879-13.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kaspersky.exe	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kaspersky.exe	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\autorun.inf	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\imjplm.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OPTINPS.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadomd.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msadcor.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdadc.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPERSON.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\MSCONV97.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\WTSP61MS.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\FPSRVUTL.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadrh15.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\hxdsui.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\penchs.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FSTOCK.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\journal.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msader15.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\hxdsui.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEWDAT.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\hxdsui.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXPSRV.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\MSOSV.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\xmlrwbin.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpn.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pencht.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\MSOSVINT.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Filters\odffilt.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEWSTR.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\promointl.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OPHPROXY.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado15.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msjro.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\dicjp.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\xlsrvintl.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\PortalConnect.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\InkObj.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mraut.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\Microsoft.Ink.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1STAR.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msxactps.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\MSOEURO.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\CsiSoap.dll	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\IMCONTACT.DLL	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2676	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
Token: SeDebugPrivilege	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
Token: SeBackupPrivilege	2384	vssvc.exe
Token: SeRestorePrivilege	2384	vssvc.exe
Token: SeAuditPrivilege	2384	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2928	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	30
PID 2260 wrote to memory of 2928	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	30
PID 2260 wrote to memory of 2928	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	30
PID 2260 wrote to memory of 2928	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	30
PID 2928 wrote to memory of 2676	2928	cmd.exe	32
PID 2928 wrote to memory of 2676	2928	cmd.exe	32
PID 2928 wrote to memory of 2676	2928	cmd.exe	32
PID 2928 wrote to memory of 2676	2928	cmd.exe	32
PID 2260 wrote to memory of 2872	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	34
PID 2260 wrote to memory of 2872	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	34
PID 2260 wrote to memory of 2872	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	34
PID 2260 wrote to memory of 2872	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	34
PID 2260 wrote to memory of 2664	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	36
PID 2260 wrote to memory of 2664	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	36
PID 2260 wrote to memory of 2664	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	36
PID 2260 wrote to memory of 2664	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	36
PID 2260 wrote to memory of 2568	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	38
PID 2260 wrote to memory of 2568	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	38
PID 2260 wrote to memory of 2568	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	38
PID 2260 wrote to memory of 2568	2260	2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_9f28f87be2197981d2e32009a91093d5_darkside_hawkeye_luca-stealer.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf
  2⤵
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf
  2⤵
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf
  2⤵
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  PID:2568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe

Filesize
13.6MB

MD5
9f28f87be2197981d2e32009a91093d5

SHA1
c6d37a32e08c244ca866d3250ae1ddb0aa1a81e6

SHA256
d905781d05edf7deb91f595b96efa5a5f6a55d693305da5161db32989f8d2d9b

SHA512
0fb502a720d6e110b2e1195b793fad05713701fcd49f89d4f49ccd0b21e30948d145356f4d8108d8acf7566ef0503889167d4ddb4c275ec23e5b98c7dc85e8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\autorun.inf

Filesize
37B

MD5
3883f693b2911e7b9cabaf1d89601ebd

SHA1
a733bc5b66e5b7beb1ab54ce430ff16cdb935fcb

SHA256
747ea7ec54ee0bc9b637867de0c451df65c840f757988f5a3b6e3fe6c73ab1b6

SHA512
41fb0555004f392f2c67fd7675d2aea2a7a28a4f51d92237fdaff2d60624c559a5401335887b66f49a721dff669f8f9bd150fde0afe0845eb366309ca1088a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\autorun.inf

Filesize
65B

MD5
fbefa88e6b51c05dd63d97dfdbeb3589

SHA1
67e09918d878c6615befab5dc9194439027f268d

SHA256
3861acedffd29452d2fdb96728f7347652bde9353915d3873a7414843f49b8b1

SHA512
58f8c1a64f2eb21be7b96db335d1ade0ce0878566a8386b3689b650132ca28e14761b20fdfe50f2af9915dff2bdd3a5b07f6f3ed082e4e6998ec5f0cd052f12f

Download Submit
memory/2260-0-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

Filesize
4KB

Download
memory/2260-1-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/2260-2-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download
memory/2260-394-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

Filesize
4KB

Download
memory/2260-451-0x0000000074E10000-0x00000000754FE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads