Analysis
- max time kernel: 122s
- max time network: 93s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 21/01/2025, 08:42
Static task: static1
Behavioral task: behavioral1
- Sample: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
- Resource: win10v2004-20241007-en
General
- Target: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
- Size: 371KB
- MD5: c192a273a786b569df2056914faf8327
- SHA1: 87f24f470d678deae2cade1d3fd12255e796c091
- SHA256: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced
- SHA512: 8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427
- SSDEEP: 6144:QtttRvGxiRcePUSrcTQ+Yd6v6AlYhZ+ddp5GuZEE86Yrp0eWIxQO6kUUecBlzJbu:EttRveivPrcqd26A+hcdp5GYEE8D3WIe
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_RECoVERY_+hbvil.txt
Family: teslacrypt
URLs:
- http://yyre45dbvn2nhbefbmh.begumvelic.at/63DD62F4A5556EFB
- http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/63DD62F4A5556EFB
- http://gwe32fdr74bhfsyujb34gfszfv.zatcurr.com/63DD62F4A5556EFB
- http://xlowfznrg4wf7dli.ONION/63DD62F4A5556EFB
Signatures
- TeslaCrypt, AlphaCrypt
  Ransomware based on CryptoLocker. Shut down by the developers in 2016.
- Teslacrypt family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (280) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself (1 IoC)
  pid / Process:
  - 2884 cmd.exe
- Executes dropped EXE (2 IoCs)
  pid / Process:
  - 2716 mcntwvenykep.exe
  - 2316 mcntwvenykep.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process:
  - Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\bevnemrqgrxt = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\mcntwvenykep.exe\"" (mcntwvenykep.exe)
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Suspicious use of SetThreadContext (2 IoCs)
  description / pid / Process / procid_target:
  - PID 2432 set thread context of 2912 (pid 2432, e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe, procid_target 29)
  - PID 2716 set thread context of 2316 (pid 2716, mcntwvenykep.exe, procid_target 33)
- Drops file in Program Files directory (64 IoCs)
  All entries are "File opened for modification" by mcntwvenykep.exe:
  - C:\Program Files\VideoLAN\VLC\locale\ff\_RECoVERY_+hbvil.html
  - C:\Program Files\VideoLAN\VLC\locale\ff\_RECoVERY_+hbvil.txt
  - C:\Program Files\Common Files\System\Ole DB\fr-FR\_RECoVERY_+hbvil.png
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_ButtonGraphic.png
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\_RECoVERY_+hbvil.png
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_RECoVERY_+hbvil.png
  - C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_RECoVERY_+hbvil.png
  - C:\Program Files\Common Files\System\es-ES\_RECoVERY_+hbvil.html
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_RECoVERY_+hbvil.png
  - C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_RECoVERY_+hbvil.html
  - C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_RECoVERY_+hbvil.html
  - C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_RECoVERY_+hbvil.png
  - C:\Program Files\VideoLAN\VLC\locale\mk\_RECoVERY_+hbvil.txt
  - C:\Program Files\Windows NT\Accessories\fr-FR\_RECoVERY_+hbvil.html
  - C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png
  - C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\_RECoVERY_+hbvil.png
  - C:\Program Files\VideoLAN\VLC\plugins\lua\_RECoVERY_+hbvil.txt
  - C:\Program Files\Windows Mail\es-ES\_RECoVERY_+hbvil.txt
  - C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png
  - C:\Program Files\Java\jre7\lib\fonts\_RECoVERY_+hbvil.png
  - C:\Program Files\Java\jre7\lib\zi\Asia\_RECoVERY_+hbvil.txt
  - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_RECoVERY_+hbvil.png
  - C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png
  - C:\Program Files\7-Zip\Lang\co.txt
  - C:\Program Files\Microsoft Games\FreeCell\es-ES\_RECoVERY_+hbvil.png
  - C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png
  - C:\Program Files\VideoLAN\VLC\lua\meta\_RECoVERY_+hbvil.txt
  - C:\Program Files\VideoLAN\VLC\plugins\_RECoVERY_+hbvil.png
  - C:\Program Files\VideoLAN\VLC\locale\co\_RECoVERY_+hbvil.html
  - C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_RECoVERY_+hbvil.html
  - C:\Program Files\VideoLAN\VLC\lua\http\_RECoVERY_+hbvil.html
  - C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak
  - C:\Program Files\VideoLAN\VLC\locale\ar\_RECoVERY_+hbvil.html
  - C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_RECoVERY_+hbvil.png
  - C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png
  - C:\Program Files\7-Zip\Lang\mr.txt
  - C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_RECoVERY_+hbvil.png
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_RECoVERY_+hbvil.txt
  - C:\Program Files\Java\jre7\lib\_RECoVERY_+hbvil.png
  - C:\Program Files\VideoLAN\VLC\locale\my\_RECoVERY_+hbvil.html
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_RECoVERY_+hbvil.png
  - C:\Program Files\Common Files\Microsoft Shared\VSTO\_RECoVERY_+hbvil.png
  - C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_RECoVERY_+hbvil.txt
  - C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\_RECoVERY_+hbvil.html
  - C:\Program Files\Microsoft Games\Purble Place\_RECoVERY_+hbvil.png
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_RECoVERY_+hbvil.png
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png
  - C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_RECoVERY_+hbvil.html
  - C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_RECoVERY_+hbvil.png
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv
  - C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\_RECoVERY_+hbvil.png
  - C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_RECoVERY_+hbvil.html
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\_RECoVERY_+hbvil.txt
  - C:\Program Files\Microsoft Games\Purble Place\de-DE\_RECoVERY_+hbvil.png
  - C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png
  - C:\Program Files\VideoLAN\VLC\locale\sv\_RECoVERY_+hbvil.png
  - C:\Program Files\7-Zip\Lang\pt-br.txt
  - C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png
  - C:\Program Files\Google\Chrome\_RECoVERY_+hbvil.png
  - C:\Program Files\Common Files\System\ado\_RECoVERY_+hbvil.txt
  - C:\Program Files\Google\Chrome\Application\_RECoVERY_+hbvil.png
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_RECoVERY_+hbvil.html
  - C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png
- Drops file in Windows directory (2 IoCs)
  description / ioc / Process:
  - File created C:\Windows\mcntwvenykep.exe (e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe)
  - File opened for modification C:\Windows\mcntwvenykep.exe (e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mcntwvenykep.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mcntwvenykep.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process:
  - 2316 mcntwvenykep.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege 2912 e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe
  - Token: SeDebugPrivilege 2316 mcntwvenykep.exe
  - The following sequence of 20 tokens by 2176 WMIC.exe, recorded twice in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - Token: SeBackupPrivilege 1796 vssvc.exe
  - Token: SeRestorePrivilege 1796 vssvc.exe
  - Token: SeAuditPrivilege 1796 vssvc.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  description / pid / Process / procid_target:
  - PID 2432 wrote to memory of 2912 (pid 2432, e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe, procid_target 29), 10 entries
  - PID 2912 wrote to memory of 2716 (pid 2912, e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe, procid_target 30), 4 entries
  - PID 2912 wrote to memory of 2884 (pid 2912, e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe, procid_target 31), 4 entries
  - PID 2716 wrote to memory of 2316 (pid 2716, mcntwvenykep.exe, procid_target 33), 10 entries
  - PID 2316 wrote to memory of 2176 (pid 2316, mcntwvenykep.exe, procid_target 34), 4 entries
- System policy modification (1 TTPs, 2 IoCs)
  description / ioc / Process:
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (mcntwvenykep.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (mcntwvenykep.exe)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe (PID 2432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe (PID 2912)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced.exe"
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\mcntwvenykep.exe (PID 2716)
      Command line: C:\Windows\mcntwvenykep.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\mcntwvenykep.exe (PID 2316)
        Command line: C:\Windows\mcntwvenykep.exe
        Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
        - [5] C:\Windows\System32\wbem\WMIC.exe (PID 2176)
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          Signatures: Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 2884)
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E3ED21~1.EXE
      Signatures: Deletes itself; System Location Discovery: System Language Discovery
- [1] C:\Windows\system32\vssvc.exe (PID 1796)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
  MD5: 34bbaad0e68644348f32060476292918
  SHA1: e618d5868bb5cff3c73fbd471c3bec1b8d0aee19
  SHA256: abd4e075930be5216e081ae52fcfcef13681e508d4f048adb22692056741086c
  SHA512: 60e469588dc845e12be4beeca7cdfe03d07bcfde9145bc70d21827ea2d8440f7500921420eca07a7251512c6f59ce4d9312f1521ca519e0e2aa3ec39873363b0
- Filesize: 63KB
  MD5: 8ebcab2f4ce9972cbaadcee22334d1f1
  SHA1: 5a6448c992b3dbe626a8c533cd8cd5c7944edfee
  SHA256: 9028ad600c5bed2a60141b90689f702b6cae84c841d992615c25acd607aff8d5
  SHA512: 82a7fe3571e037b026ad39a53e8e3bc0af5b7818df364b0c18dd2b115b3671050982badeb9a2821daf397ba2117145a1e4a84ad3a566de3d74e4a08a37648936
- Filesize: 1KB
  MD5: ed0a2fe7ea1e125e971f520dfa2cec59
  SHA1: bbde919d358312311550a2fca2244b0c5d8da020
  SHA256: e08dc8eb9fa83bef3d39ccc086240392d322ed2bb1f5f1df084afa8c4cdd2751
  SHA512: 1ddaa351d8e202593fde5b0589b016dc50ef7b8ffeb5f45feadc2280f43f1e4c304b74f964f7b4d3b409f04b5761e7eab31630fca57acfa5ba6302a6b0bc9472
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
  Filesize: 11KB
  MD5: ffbb51486c9bdbd24684b0ac9a2ed829
  SHA1: 4a90ad4e724429b3f95e2e71ae4584e494c7833a
  SHA256: e31048db1d6db78725f8b84e94d6e76f0113a903aed234c24a0745eb7acba117
  SHA512: 867202b77effbb3a6b5254668d7b86d37ee1ba421f9b39fb94947dfdd885a1ae4dca6cc44bf40008ba9821f8551769be8d2de46f2b0ecdde9d52616524788855
- Filesize: 109KB
  MD5: c99f0faa5af200900db6c18d9c180d83
  SHA1: d57abc303f81156d206f9b07ab9f7a2f34ac308a
  SHA256: e63a940db35e5424ecca0b188890e4bce7fe369d2d97a422611a533c58365b28
  SHA512: 3f1d255e02422ee79b87156a437a8bf37a97b5022e2de1e3d55b482f6cccbe3a44226d3171997509fbde7c06837027119c0747abf7ac69fba29eeaf68abd53ca
- Filesize: 173KB
  MD5: 89e8cef815ceea95bdd8d72322a5a7c5
  SHA1: 0c0546a66cc8cf3fb377ef2d0bb5e01e5cbaeb2c
  SHA256: 548b7364f126e2ba8b01dc01cf64b9958f6902ad96af8469038f101a7ab35080
  SHA512: 2d7e96a5cd3aefc20ae75ea719fe498664a488d473cc67c93a357da8e80558dee92043cab9bfaa48e73d559a846e1478b612eeb0d2f52d378bc4f91b8f0f06d4
- Filesize: 371KB
  MD5: c192a273a786b569df2056914faf8327
  SHA1: 87f24f470d678deae2cade1d3fd12255e796c091
  SHA256: e3ed211653338adaff59cb0d6161174044018a84b49fa6ee2fab9dccd1221ced
  SHA512: 8e036f23c66fbd545fd03aba423a47bf422cee52204fc3a2fb2682fd00a31c2f3e6dc982d01fa30ab2f8ba0b3463a763e403b212f00fe9488b2791dd03629427