jigsaw | 80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593

Resubmissions

26/02/2025, 07:01

250226-htjbasxjv8 10

25/02/2025, 04:05

25/02/2025, 04:00

25/02/2025, 03:40

25/02/2025, 03:10

25/02/2025, 02:49

25/02/2025, 02:42

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
25/02/2025, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe
Size

767KB
MD5

d7b952b18e2fba388e8ae076488af9e2
SHA1

20a1a5c98e93b87d58d8c6ddbe2450f657e59113
SHA256

80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593
SHA512

5777c6ff439a89d1571b3104b3fc9b43e5392cecdcd2c8100019582bfb383328648ef86735dbda8e15270f0853bff3ea9864f26a7f9c40d016269e417aa2f04f
SSDEEP

12288:7GqN/XdctpVtkMtsyDqBQ0tA3nyF0Fh0zJmViYV5yvQX05oWI:lNcBtkUqBQ0tknx5yIXgoWI

Score

10^/10

jigsaw bootkit defense_evasion discovery persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Jigsaw family
jigsaw
Renames multiple (2007) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 7 IoCs

pid	Process
1936	mtrmbr.exe
2372	dt.exe
2832	mtr.exe
2872	mbr.exe
2900	bg.exe
1932	dt.exe
1508	drpbx.exe

Loads dropped DLL 20 IoCs

pid	Process
2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe
2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe
2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe
2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe
2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe
2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe
2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe
1936	mtrmbr.exe
1936	mtrmbr.exe
1936	mtrmbr.exe
1936	mtrmbr.exe
2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe
2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe
1936	mtrmbr.exe
1936	mtrmbr.exe
1936	mtrmbr.exe
1936	mtrmbr.exe
2372	dt.exe
2372	dt.exe
2372	dt.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	mtr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 20 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp/bg.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\fa.txt.rubly	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar.rubly	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar.rubly	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.rubly	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar.rubly	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\settings.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar.rubly	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml.rubly	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_ja.jar.rubly	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_off.gif	drpbx.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx.rubly	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml.rubly	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageSlice.gif	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml.rubly	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar.rubly	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar.rubly	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.rubly	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\4.png	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar.rubly	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar.rubly	drpbx.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt	drpbx.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg.rubly	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar.rubly	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml	drpbx.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\gadget.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_down.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.rubly	drpbx.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png	drpbx.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.server_8.1.14.v20131031.jar.rubly	drpbx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtrmbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
764	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1240	shutdown.exe
Token: SeRemoteShutdownPrivilege	1240	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1936	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	30
PID 2412 wrote to memory of 1936	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	30
PID 2412 wrote to memory of 1936	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	30
PID 2412 wrote to memory of 1936	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	30
PID 2412 wrote to memory of 2372	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	31
PID 2412 wrote to memory of 2372	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	31
PID 2412 wrote to memory of 2372	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	31
PID 2412 wrote to memory of 2372	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	31
PID 1936 wrote to memory of 2832	1936	mtrmbr.exe	33
PID 1936 wrote to memory of 2832	1936	mtrmbr.exe	33
PID 1936 wrote to memory of 2832	1936	mtrmbr.exe	33
PID 1936 wrote to memory of 2832	1936	mtrmbr.exe	33
PID 2412 wrote to memory of 2900	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	32
PID 2412 wrote to memory of 2900	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	32
PID 2412 wrote to memory of 2900	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	32
PID 2412 wrote to memory of 2900	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	32
PID 1936 wrote to memory of 2872	1936	mtrmbr.exe	117
PID 1936 wrote to memory of 2872	1936	mtrmbr.exe	117
PID 1936 wrote to memory of 2872	1936	mtrmbr.exe	117
PID 1936 wrote to memory of 2872	1936	mtrmbr.exe	117
PID 2412 wrote to memory of 2544	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	35
PID 2412 wrote to memory of 2544	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	35
PID 2412 wrote to memory of 2544	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	35
PID 2412 wrote to memory of 2544	2412	80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe	35
PID 2372 wrote to memory of 1932	2372	dt.exe	37
PID 2372 wrote to memory of 1932	2372	dt.exe	37
PID 2372 wrote to memory of 1932	2372	dt.exe	37
PID 2372 wrote to memory of 1932	2372	dt.exe	37
PID 2900 wrote to memory of 2940	2900	bg.exe	38
PID 2900 wrote to memory of 2940	2900	bg.exe	38
PID 2900 wrote to memory of 2940	2900	bg.exe	38
PID 2900 wrote to memory of 2940	2900	bg.exe	38
PID 1932 wrote to memory of 564	1932	dt.exe	41
PID 1932 wrote to memory of 564	1932	dt.exe	41
PID 1932 wrote to memory of 564	1932	dt.exe	41
PID 1932 wrote to memory of 564	1932	dt.exe	41
PID 2940 wrote to memory of 1296	2940	cmd.exe	42
PID 2940 wrote to memory of 1296	2940	cmd.exe	42
PID 2940 wrote to memory of 1296	2940	cmd.exe	42
PID 2940 wrote to memory of 1296	2940	cmd.exe	42
PID 2544 wrote to memory of 1240	2544	cmd.exe	43
PID 2544 wrote to memory of 1240	2544	cmd.exe	43
PID 2544 wrote to memory of 1240	2544	cmd.exe	43
PID 2544 wrote to memory of 1240	2544	cmd.exe	43
PID 2940 wrote to memory of 1016	2940	cmd.exe	44
PID 2940 wrote to memory of 1016	2940	cmd.exe	44
PID 2940 wrote to memory of 1016	2940	cmd.exe	44
PID 2940 wrote to memory of 1016	2940	cmd.exe	44
PID 2940 wrote to memory of 2208	2940	cmd.exe	46
PID 2940 wrote to memory of 2208	2940	cmd.exe	46
PID 2940 wrote to memory of 2208	2940	cmd.exe	46
PID 2940 wrote to memory of 2208	2940	cmd.exe	46
PID 2940 wrote to memory of 2292	2940	cmd.exe	47
PID 2940 wrote to memory of 2292	2940	cmd.exe	47
PID 2940 wrote to memory of 2292	2940	cmd.exe	47
PID 2940 wrote to memory of 2292	2940	cmd.exe	47
PID 2940 wrote to memory of 2660	2940	cmd.exe	50
PID 2940 wrote to memory of 2660	2940	cmd.exe	50
PID 2940 wrote to memory of 2660	2940	cmd.exe	50
PID 2940 wrote to memory of 2660	2940	cmd.exe	50
PID 2940 wrote to memory of 2212	2940	cmd.exe	51
PID 2940 wrote to memory of 2212	2940	cmd.exe	51
PID 2940 wrote to memory of 2212	2940	cmd.exe	51
PID 2940 wrote to memory of 2212	2940	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe
"C:\Users\Admin\AppData\Local\Temp\80f45f70d66652a814a2784f3e3da3d304a2e3466bda889791a5de0117862593.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Roaming\mtrmbr.exe
  "C:\Users\Admin\AppData\Roaming\mtrmbr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\mtr.exe
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\mtr.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2832
  - - C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\ProgramData\Microsoft\Windows\Start?Menu\Programs\StartUp\mtr.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1508
- - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\mbr.exe
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2872
- C:\Users\Admin\AppData\Roaming\dt.exe
  "C:\Users\Admin\AppData\Roaming\dt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\dt.exe
    "C:\Users\Admin\AppData\Local\Temp\dt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\9270.tmp\disable_taskmgr.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:564
    - - C:\Windows\SysWOW64\reg.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:764
- C:\Users\Admin\AppData\Roaming\bg.exe
  "C:\Users\Admin\AppData\Roaming\bg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1296
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2336
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1016
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2548
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      PID:2208
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2284
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2292
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:1892
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2660
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2180
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2212
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:1592
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:332
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2972
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2276
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2836
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1468
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2216
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      PID:2172
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2436
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2124
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2876
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1880
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2528
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1500
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2844
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      PID:2668
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2912
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2652
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1484
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2720
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1372
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2944
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2344
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2732
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1800
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2852
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp/bg.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1920
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp/bg.bmp /f
        5⤵
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        
        PID:2656
    - - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\restart.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /f /r /t 1200
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.rubly

Filesize
160B

MD5
580ee0344b7da2786da6a433a1e84893

SHA1
60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e

SHA256
98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513

SHA512
356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\mtr.exe

Filesize
105KB

MD5
d124bb6a1419c81a887317e08745147c

SHA1
f23ed76aa5abae4216d9eb1b09ba7adc1e5f5a24

SHA256
8ee82ce37b327e425d74018dc6451ea2a3a52df86559e3f45ac7b8bbaf552326

SHA512
c1a1ba64836e356959f27c1e82aa142b29aece359c6a4125a049c17edd5d73b5221bc6a2db8f9e4115da58b0e647e54e08d2b01da393b8aedc91602f53aeabe0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mbr.exe

Filesize
47KB

MD5
e5717d5aa01c544162c615e3f2c41453

SHA1
e6179b61da625f17ee0f3aa24e89180812118893

SHA256
a1daae6000b449a8a5364dd281cd5c1bc91f31feb7ec6879eff510707eda7e67

SHA512
9c104f6f0624088e82475a215a62445bedf4b8440a3e56965714297642f4fccf9ce5d5e6d43e389d050de47cd32597783c2e0690ff7ce80c8c604ead21b7b806

Download Submit
C:\Users\Admin\AppData\Local\Temp\9270.tmp\disable_taskmgr.bat

Filesize
109B

MD5
3fc537b642d3756646715325299c6367

SHA1
0a6b4d2012d44fe631dd8bf56da001bfd04b99bb

SHA256
708511c356493e41ca103db51b8df3fb57898ddb2bb7cf4f11560facde9425ed

SHA512
7a290cd5a44ac4ba51d5b8ab6ea7bd2f2c392a1237c8b923267d524b2ab92e532e3c27dd21d96c3e89c5b84060f0e8ee2a4d9e59e21cfc8c3e15322c5334d064

Download Submit
C:\Users\Admin\AppData\Local\Temp\bg.bat

Filesize
147B

MD5
308060ff726cb2be6ee2023c1b2a401d

SHA1
e616761e6026cd0de0111c0fa1da49c248138182

SHA256
0c0760682d75388a03cc7ba621d338871fc66e17f6d82c8b5147371cb7ce9a47

SHA512
382b42ea9d652c02adf879145a897fab94d729c85b491c6099a5cd91b8bf3249ff9d5c536033263f5d78881f42776a1a5c28dd17285b830b577aaadc813355ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\bg.bmp

Filesize
37KB

MD5
889074311bf2b2985e461c4aa4971ed2

SHA1
3d89a7b1a7fd4aced01d840102bbbb6877a0702e

SHA256
1dd0f0c3dc81a7a202ab34b00fb1581d76d10d514859e9efee7701de1e5824f8

SHA512
2340fd94bedb01af0550dbc5e98bf60357c13b097d91a41f52d0ffdb5da40c21f579aad28faddbd6746846cc8a87604823411afded0cd45c7d8e7f5dc7859855

Download Submit
C:\Users\Admin\AppData\Local\Temp\dt.exe

Filesize
25KB

MD5
5e46ffab95250291c5410237340b9439

SHA1
dc2afa42285590e315bac889fdcf3e2236fe9ea5

SHA256
08373ea2c1bca3f832667dd9fa6ba51af4c5ddabbb1492b5ba887c36850ac5ee

SHA512
2a5debc880692ba90a1abbfd79faa57bdf7e2bbb11881ec677c07702cb9e34775f1516616bee3140a596d272b2e218ecda9858812a64c498033811d03b91005b

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
418B

MD5
be7966cbf9d04a6300febebc0802fd36

SHA1
53d3b879f6213dc614fe777e6f91e4e944b81948

SHA256
f7bdf62e1e46336cbe0f25681a5ac643d59e6fb4cd69bf55c0b2d5da746ca59a

SHA512
2d28d835c11c46a725576371d698b96101e6be9f3a5f41ec0e88800745c5b790106e2e30fb4bfae00e24d53bdad4c9ccd70b0fcc9480ee23c3ed2d5fc1d93841

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.rubly

Filesize
16B

MD5
8ebcc5ca5ac09a09376801ecdd6f3792

SHA1
81187142b138e0245d5d0bc511f7c46c30df3e14

SHA256
619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880

SHA512
cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
343KB

MD5
19ed87e5bf49f790025490e8368b1ec5

SHA1
1936200fcbd3c6f9b27a5c58c5e95b76b5c46371

SHA256
372d505837d53fdf76d62aa6e1adbf2c9a30bab0efa9e2ae6248bb3bcc1f4ff9

SHA512
edfce1b54104687f00bbdb2691f3808c83d0cc5c2d9e48ef2c5931404b06094c4554b10857ea55f9dd0d6e2826713fe42aa66ed4cf363b4f688b8831883f8662

Download Submit
C:\Users\Admin\AppData\Roaming\mtrmbr.exe

Filesize
410KB

MD5
2aeb6b2b282f21a87b38989750c5271b

SHA1
2482c160b146a5a5710135497ec2218e728c4fc0

SHA256
6474f5643f4ce5e6d58daf25c90ccd3ce0149a335fc1a1e0490afb3d458478a1

SHA512
1883e705fff13fdade6bf3bfa77bb126bdf94af84c8299d18b6d7077a954a01aabd5907fa9aa02150fc46d25a90dc87a8115e812d30af375ec2b7612aa8a74d0

Download Submit
C:\Users\Admin\AppData\Roaming\restart.bat

Filesize
24B

MD5
b1e5726bd11a59cf5ab2f3a655108569

SHA1
1e2499ead1ff24d61363cdfe9d19707bfdc01f83

SHA256
77a9c6aa0dc9979f56ddaac475e1ef31462edc559b542763cf94e658be9de8ac

SHA512
4b67b8c7efa5a47a59ebbaf0cf9e8c14c6ecccd4d7cd4f6e7e9f748b89927a6cc0b739064adb29bf43131e6b2e0784f8b01c5ff894a4f598f51f6208309c7072

Download Submit
\Users\Admin\AppData\Roaming\dt.exe

Filesize
328KB

MD5
79466f9bb9e981220a43897d33e57d1e

SHA1
159af42edf25c9b1ce42a8aac06571ad4a46cc9e

SHA256
77fe524e36d99865c5c1e12ed9d8f128f3366a6772c2fdf2533821079b5422fb

SHA512
b039d46aa7e777b715d673b7d69a41dd56d16aceddcb3d0c2b9c9e81ab48fb6923517f668becedbcbf90cde1f32320994bc7051f86579f6c486c68de2d8b2d16

Download Submit
memory/1932-122-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1932-139-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2372-120-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/2872-95-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads