Analysis
-
max time kernel
113s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system -
submitted
26/02/2025, 23:13
Behavioral task
behavioral1
Sample
4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe
Resource
win7-20250207-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
17 signatures
150 seconds
General
-
Target
4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe
-
Size
49KB
-
MD5
f3f1c4b0746b99a513876f5c61e2ad47
-
SHA1
e9851fdcdbe37ed4d8fabedd02862e5fe1edea5a
-
SHA256
4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0
-
SHA512
b1105d997db5563464610fa29e5cf7769978188a70c137f305cbf12d189c3309cc5b8dcf5c5b3c270859e138533897920a1c6cdd1a20575b7b1a4f37731e4a73
-
SSDEEP
768:NAxPvARD1ayCt3LSUS6QCA3KlRDsKeqRO8785F7HyFj6cBCE2fje0YADpnsTqFoN:NnD183dAalnudHyFj6cBSfdYOJU5Xo
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8319) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2424 wbadmin.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 4 iplogger.com 5 iplogger.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F588.tmp.bmp" 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215210.WMF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18252_.WMF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\it-IT\Solitaire.exe.mui 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Windows Sidebar\it-IT\Sidebar.exe.mui 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00306_.WMF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR17F.GIF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File created C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\+README-WARNING+.txt 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santarem 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Microsoft Games\More Games\ja-JP\MoreGames.dll.mui 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\highDpiImageSwap.js 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\+README-WARNING+.txt 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\localizedStrings.js 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02369_.WMF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR30F.GIF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\OFFICE10.MMW 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CHECKER.POC 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.DPV 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08808_.WMF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-1 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195320.WMF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ONGuide.onepkg 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_TexturedBlue.gif 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02417_.WMF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21318_.GIF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageBlank.gif 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\http.luac 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_OFF.GIF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_ja.jar 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105298.WMF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left_over.gif 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Shades of Blue.htm 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\INDUST.INF 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2488 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1900 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeBackupPrivilege 2528 vssvc.exe Token: SeRestorePrivilege 2528 vssvc.exe Token: SeAuditPrivilege 2528 vssvc.exe Token: SeBackupPrivilege 2716 wbengine.exe Token: SeRestorePrivilege 2716 wbengine.exe Token: SeSecurityPrivilege 2716 wbengine.exe Token: SeIncreaseQuotaPrivilege 2860 WMIC.exe Token: SeSecurityPrivilege 2860 WMIC.exe Token: SeTakeOwnershipPrivilege 2860 WMIC.exe Token: SeLoadDriverPrivilege 2860 WMIC.exe Token: SeSystemProfilePrivilege 2860 WMIC.exe Token: SeSystemtimePrivilege 2860 WMIC.exe Token: SeProfSingleProcessPrivilege 2860 WMIC.exe Token: SeIncBasePriorityPrivilege 2860 WMIC.exe Token: SeCreatePagefilePrivilege 2860 WMIC.exe Token: SeBackupPrivilege 2860 WMIC.exe Token: SeRestorePrivilege 2860 WMIC.exe Token: SeShutdownPrivilege 2860 WMIC.exe Token: SeDebugPrivilege 2860 WMIC.exe Token: SeSystemEnvironmentPrivilege 2860 WMIC.exe Token: SeRemoteShutdownPrivilege 2860 WMIC.exe Token: SeUndockPrivilege 2860 WMIC.exe Token: SeManageVolumePrivilege 2860 WMIC.exe Token: 33 2860 WMIC.exe Token: 34 2860 WMIC.exe Token: 35 2860 WMIC.exe Token: SeIncreaseQuotaPrivilege 2860 WMIC.exe Token: SeSecurityPrivilege 2860 WMIC.exe Token: SeTakeOwnershipPrivilege 2860 WMIC.exe Token: SeLoadDriverPrivilege 2860 WMIC.exe Token: SeSystemProfilePrivilege 2860 WMIC.exe Token: SeSystemtimePrivilege 2860 WMIC.exe Token: SeProfSingleProcessPrivilege 2860 WMIC.exe Token: SeIncBasePriorityPrivilege 2860 WMIC.exe Token: SeCreatePagefilePrivilege 2860 WMIC.exe Token: SeBackupPrivilege 2860 WMIC.exe Token: SeRestorePrivilege 2860 WMIC.exe Token: SeShutdownPrivilege 2860 WMIC.exe Token: SeDebugPrivilege 2860 WMIC.exe Token: SeSystemEnvironmentPrivilege 2860 WMIC.exe Token: SeRemoteShutdownPrivilege 2860 WMIC.exe Token: SeUndockPrivilege 2860 WMIC.exe Token: SeManageVolumePrivilege 2860 WMIC.exe Token: 33 2860 WMIC.exe Token: 34 2860 WMIC.exe Token: 35 2860 WMIC.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1900 wrote to memory of 1884 1900 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe 28 PID 1900 wrote to memory of 1884 1900 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe 28 PID 1900 wrote to memory of 1884 1900 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe 28 PID 1900 wrote to memory of 1884 1900 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe 28 PID 1884 wrote to memory of 2488 1884 cmd.exe 30 PID 1884 wrote to memory of 2488 1884 cmd.exe 30 PID 1884 wrote to memory of 2488 1884 cmd.exe 30 PID 1884 wrote to memory of 2424 1884 cmd.exe 33 PID 1884 wrote to memory of 2424 1884 cmd.exe 33 PID 1884 wrote to memory of 2424 1884 cmd.exe 33 PID 1884 wrote to memory of 2860 1884 cmd.exe 37 PID 1884 wrote to memory of 2860 1884 cmd.exe 37 PID 1884 wrote to memory of 2860 1884 cmd.exe 37 PID 1900 wrote to memory of 2004 1900 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe 43 PID 1900 wrote to memory of 2004 1900 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe 43 PID 1900 wrote to memory of 2004 1900 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe 43 PID 1900 wrote to memory of 2004 1900 4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe 43 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe"C:\Users\Admin\AppData\Local\Temp\4d5368ea6488cedce01f8b2c1ed77e45d37dc2adf1ed0bada3932412bc0732f0.exe"1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2488
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:2424
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt2⤵
- System Location Discovery: System Language Discovery
PID:2004
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2776
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2724
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:2744
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
554B
MD5243b6dfb104005bdae867b699a0055bb
SHA11d7b0e112a8169e06c603ac00d8cb35f8fc620c6
SHA2565310e274260e28a575743161eec7d698ede1974398955737ae1534f035bc7873
SHA512d2e4c5731e1605b666b61a506679dc2fad77a25768c260aed6fad2fed24a51cbce27a769c9a41c736dead6faa3d7d7c85cdd0c6fe16bb87e287d79e1657b23a9