badrabbit | 72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503

Analysis

max time kernel
7s
max time network
34s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05/03/2025, 20:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
Size

148KB
MD5

6ed3e3327246cc457d22bb92bd3bba8b
SHA1

1329a6af26f16bb371782ff404d526eec1af9d22
SHA256

72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503
SHA512

f6c5428adffc10294204e0b068510d91fced02bbe02158a21294ebd5baf249aff0264021cbf7b2b9b37533b1db4daa09113abaa84435f4aa7660849f9b9257f7
SSDEEP

3072:gqMedjZ064qkGda5bFxs0ZUfBpfF6Mq6qUbHlVexC6exvLsBB16UVsh8iSd:+A0rAda5bFxvYptdHl4xV+Efuh

Score

10^/10

badrabbit mimikatz defense_evasion discovery persistence privilege_escalation ransomware upx

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1qebq3hf.iim\\[email protected]"	[email protected]

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000027e76-76.dat	mimikatz

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4972	netsh.exe
2484	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\Control Panel\International\Geo\Nation	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe

Executes dropped EXE 6 IoCs

pid	Process
2148	[email protected]
4032	[email protected]
2400	CD43.tmp
100	[email protected]
2836	[email protected]
1464	Fantom.exe

Impair Defenses: Safe Mode Boot 1 TTPs 7 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	[email protected]
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	[email protected]
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	[email protected]
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	[email protected]
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	[email protected]
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	[email protected]
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	[email protected]

Loads dropped DLL 1 IoCs

pid	Process
3640	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1qebq3hf.iim\\[email protected]"	[email protected]

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\u:	[email protected]
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\x:	[email protected]
File opened (read-only)	\??\d:	[email protected]
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\z:	[email protected]
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\j:	[email protected]
File opened (read-only)	\??\q:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000027e7c-52.dat	upx
behavioral1/memory/4032-53-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/4032-54-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/4032-587-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\CD43.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4844	taskkill.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
4756	reg.exe
4880	reg.exe
2552	reg.exe
3036	reg.exe
2664	reg.exe
5048	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3724	schtasks.exe
1508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3640	rundll32.exe
3640	rundll32.exe
3640	rundll32.exe
3640	rundll32.exe
2400	CD43.tmp
2400	CD43.tmp
2400	CD43.tmp
2400	CD43.tmp
2400	CD43.tmp
2400	CD43.tmp

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
Token: SeShutdownPrivilege	3640	rundll32.exe
Token: SeDebugPrivilege	3640	rundll32.exe
Token: SeTcbPrivilege	3640	rundll32.exe
Token: SeDebugPrivilege	4844	taskkill.exe
Token: SeDebugPrivilege	2400	CD43.tmp
Token: SeDebugPrivilege	1464	Fantom.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 2148	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	84
PID 5008 wrote to memory of 2148	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	84
PID 5008 wrote to memory of 2148	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	84
PID 2148 wrote to memory of 3640	2148	[email protected]	86
PID 2148 wrote to memory of 3640	2148	[email protected]	86
PID 2148 wrote to memory of 3640	2148	[email protected]	86
PID 5008 wrote to memory of 4032	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	87
PID 5008 wrote to memory of 4032	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	87
PID 5008 wrote to memory of 4032	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	87
PID 3640 wrote to memory of 1220	3640	rundll32.exe	88
PID 3640 wrote to memory of 1220	3640	rundll32.exe	88
PID 3640 wrote to memory of 1220	3640	rundll32.exe	88
PID 1220 wrote to memory of 4296	1220	cmd.exe	90
PID 1220 wrote to memory of 4296	1220	cmd.exe	90
PID 1220 wrote to memory of 4296	1220	cmd.exe	90
PID 4032 wrote to memory of 4844	4032	[email protected]	91
PID 4032 wrote to memory of 4844	4032	[email protected]	91
PID 4032 wrote to memory of 4844	4032	[email protected]	91
PID 3640 wrote to memory of 2640	3640	rundll32.exe	96
PID 3640 wrote to memory of 2640	3640	rundll32.exe	96
PID 3640 wrote to memory of 2640	3640	rundll32.exe	96
PID 3640 wrote to memory of 3040	3640	rundll32.exe	98
PID 3640 wrote to memory of 3040	3640	rundll32.exe	98
PID 3640 wrote to memory of 3040	3640	rundll32.exe	98
PID 3640 wrote to memory of 2400	3640	rundll32.exe	99
PID 3640 wrote to memory of 2400	3640	rundll32.exe	99
PID 2640 wrote to memory of 3724	2640	cmd.exe	102
PID 2640 wrote to memory of 3724	2640	cmd.exe	102
PID 2640 wrote to memory of 3724	2640	cmd.exe	102
PID 3040 wrote to memory of 1508	3040	cmd.exe	103
PID 3040 wrote to memory of 1508	3040	cmd.exe	103
PID 3040 wrote to memory of 1508	3040	cmd.exe	103
PID 5008 wrote to memory of 100	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	105
PID 5008 wrote to memory of 100	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	105
PID 5008 wrote to memory of 100	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	105
PID 5008 wrote to memory of 2836	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	106
PID 5008 wrote to memory of 2836	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	106
PID 5008 wrote to memory of 2836	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	106
PID 5008 wrote to memory of 1464	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	107
PID 5008 wrote to memory of 1464	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	107
PID 5008 wrote to memory of 1464	5008	72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe	107
PID 100 wrote to memory of 4972	100	[email protected]	108
PID 100 wrote to memory of 4972	100	[email protected]	108
PID 100 wrote to memory of 4972	100	[email protected]	108

C:\Users\Admin\AppData\Local\Temp\72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe
"C:\Users\Admin\AppData\Local\Temp\72d4375c5fe2533acb5e378ddbd3c55f87c61003a492caffdcb40db988c49503.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\xh0hy3au.nd0\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\xh0hy3au.nd0\[email protected]"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3403847140 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3403847140 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3724
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:20:00
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:20:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1508
  - - C:\Windows\CD43.tmp
      "C:\Windows\CD43.tmp" \\.\pipe\{4BD5990C-39E0-4A63-9B4F-AA29F790153B}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2400
- C:\Users\Admin\AppData\Local\Temp\1qebq3hf.iim\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\1qebq3hf.iim\[email protected]"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- C:\Users\Admin\AppData\Local\Temp\fu1vztms.btr\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\fu1vztms.btr\[email protected]"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4972
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall reset
    3⤵
    - Modifies Windows Firewall
    PID:2484
- C:\Users\Admin\AppData\Local\Temp\jfk51m2u.wfm\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\jfk51m2u.wfm\[email protected]"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\ntnblgik.azh\Fantom.exe
  "C:\Users\Admin\AppData\Local\Temp\ntnblgik.azh\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Users\Admin\AppData\Local\Temp\w1vt14xl.cy5\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\w1vt14xl.cy5\[email protected]"
  2⤵
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\ervndfiv.ub3\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\ervndfiv.ub3\[email protected]"
  2⤵
  PID:4228
- C:\Users\Admin\AppData\Local\Temp\hfuypi4i.mln\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\hfuypi4i.mln\[email protected]"
  2⤵
  PID:800
- C:\Users\Admin\AppData\Local\Temp\tur1kkqm.5fh\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\tur1kkqm.5fh\[email protected]"
  2⤵
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\tryhxhdu.cxv\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\tryhxhdu.cxv\[email protected]"
  2⤵
  PID:1296
- - C:\Users\Admin\xIMQAMgE\YYQYkUAE.exe
    "C:\Users\Admin\xIMQAMgE\YYQYkUAE.exe"
    3⤵
    PID:4636
- - C:\ProgramData\qKEAMAMg\veAAgkUg.exe
    "C:\ProgramData\qKEAMAMg\veAAgkUg.exe"
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tryhxhdu.cxv\Endermanch@PolyRansom"
    3⤵
    PID:3356
  - - C:\Users\Admin\AppData\Local\Temp\tryhxhdu.cxv\[email protected]
      C:\Users\Admin\AppData\Local\Temp\tryhxhdu.cxv\Endermanch@PolyRansom
      4⤵
      PID:1592
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4880
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4756
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaosYkgM.bat" "C:\Users\Admin\AppData\Local\Temp\tryhxhdu.cxv\[email protected]""
    3⤵
    PID:1072
- C:\Users\Admin\AppData\Local\Temp\mct2e2q1.tfn\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\mct2e2q1.tfn\[email protected]"
  2⤵
  PID:324
- C:\Users\Admin\AppData\Local\Temp\vgxsjcjj.v1u\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\vgxsjcjj.v1u\[email protected]"
  2⤵
  PID:556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\vgxsjcjj.v1u\Endermanch@ViraLock"
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isMYsQsk.bat" "C:\Users\Admin\AppData\Local\Temp\vgxsjcjj.v1u\[email protected]""
    3⤵
    PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.5EDB9E0F4B04409078933F6388ECB760531692A90CBD5EA231FB843E7E5B5C8E

Filesize
16B

MD5
82558f5b38bbb399a02e21b5e4690b7b

SHA1
f8de841988d4b82fe94e63f869719c8583d5d530

SHA256
542f4ab4bd25fe9948aa70c8c2b1ac0f6cb0bdd1c059de12fdf2f42bc0096a6b

SHA512
833502d38f3c8892ba64248dbe978292ad3074fb159c4424e0fa01647dac5b6cf312bd5c15f0baf238749700868742f0f35e226d9f97a515a0ef5d23e0ecf4d7

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.5EDB9E0F4B04409078933F6388ECB760531692A90CBD5EA231FB843E7E5B5C8E

Filesize
32KB

MD5
b4d221a6ac9b7860839224e21f650f3b

SHA1
d477990fb98c6b8946d784f0965dd54112e9c7c4

SHA256
2df963d90f0ae4726443fa088f8a68946d25281e4b0ccc588cac8d535dc6fe4e

SHA512
30c5bcccff6aacaea451d8f01f7ce6f99af7d49e8138e0b1436c603df5364e52c288f3de5413ab80716945acbada1554d1b119b4c1c52f23644f4ce75de66982

Download Submit
C:\ProgramData\qKEAMAMg\veAAgkUg.exe

Filesize
203KB

MD5
e140bd88d713e6593e6fd5a40b68ef57

SHA1
9a8d5cbbbedc63eb1030447cb258c819b47fd718

SHA256
a9b4dba7227655a2521f1cc0791613c496256a4c95da34ade5b7692cd07addbb

SHA512
aafe432d4487afbf62944ef6d43346bbaf6e806dcda90da2e0eddf8a496d4ae36c8933e3547b5debd2abc6e2195c51a8eb4470ab63f1cf31fa4f34caf76ef877

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qebq3hf.iim\[email protected]

Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ervndfiv.ub3\[email protected]

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\fu1vztms.btr\[email protected]

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfuypi4i.mln\[email protected]

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfk51m2u.wfm\[email protected]

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\mct2e2q1.tfn\[email protected]

Filesize
2.4MB

MD5
dbfbf254cfb84d991ac3860105d66fc6

SHA1
893110d8c8451565caa591ddfccf92869f96c242

SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntnblgik.azh\Fantom.exe

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\AppData\Local\Temp\tryhxhdu.cxv\[email protected]

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tur1kkqm.5fh\[email protected]

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgxsjcjj.v1u\[email protected]

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1vt14xl.cy5\[email protected]

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh0hy3au.nd0\[email protected]

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll

Filesize
126KB

MD5
3531cf7755b16d38d5e9e3c43280e7d2

SHA1
19981b17ae35b6e9a0007551e69d3e50aa1afffe

SHA256
76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089

SHA512
7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

Download Submit
C:\Users\Admin\xIMQAMgE\YYQYkUAE.exe

Filesize
192KB

MD5
95d8f69dfc72ad2b5fc49bad3f364acd

SHA1
51c398d46e5265a34de6057f4e02dc55320a0841

SHA256
390e673805f3d823d2039cca9481fafdc68056d2f11b1d8b8223da7189d03849

SHA512
d159ae5e543894f8ee12cc1a3c26c80435fd5ad97d6d8d4f54a7089ab60710b8401fe1e9f45a1e327784340965d1da3af7d6d4be8418c978d4e997f90a2631ef

Download Submit
C:\Windows\CD43.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/556-647-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/556-688-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1296-612-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1296-510-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1384-281-0x0000000000600000-0x000000000063C000-memory.dmp

Filesize
240KB

Download
memory/1464-162-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-136-0x0000000002360000-0x0000000002392000-memory.dmp

Filesize
200KB

Download
memory/1464-156-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-140-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-175-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-172-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-170-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-168-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-166-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-164-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-137-0x00000000024C0000-0x00000000024F2000-memory.dmp

Filesize
200KB

Download
memory/1464-160-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-159-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-154-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-152-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-150-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-148-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-146-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-144-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-142-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1464-139-0x00000000024C0000-0x00000000024EB000-memory.dmp

Filesize
172KB

Download
memory/1592-687-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2836-219-0x0000000004F20000-0x0000000004F76000-memory.dmp

Filesize
344KB

Download
memory/2836-127-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/2836-117-0x0000000005330000-0x00000000058D6000-memory.dmp

Filesize
5.6MB

Download
memory/2836-116-0x0000000004CC0000-0x0000000004D5C000-memory.dmp

Filesize
624KB

Download
memory/2836-115-0x0000000000440000-0x00000000004C2000-memory.dmp

Filesize
520KB

Download
memory/2836-138-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

Filesize
40KB

Download
memory/2908-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-48-0x0000000003710000-0x0000000003778000-memory.dmp

Filesize
416KB

Download
memory/3640-36-0x0000000003710000-0x0000000003778000-memory.dmp

Filesize
416KB

Download
memory/3640-70-0x0000000003710000-0x0000000003778000-memory.dmp

Filesize
416KB

Download
memory/4032-587-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4032-54-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4032-53-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4636-585-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5008-509-0x00007FF93B920000-0x00007FF93C3E2000-memory.dmp

Filesize
10.8MB

Download
memory/5008-346-0x00007FF93B923000-0x00007FF93B925000-memory.dmp

Filesize
8KB

Download
memory/5008-5-0x00007FF93B920000-0x00007FF93C3E2000-memory.dmp

Filesize
10.8MB

Download
memory/5008-4-0x000001E8D9E50000-0x000001E8D9E88000-memory.dmp

Filesize
224KB

Download
memory/5008-3-0x000001E8D9DF0000-0x000001E8D9DF6000-memory.dmp

Filesize
24KB

Download
memory/5008-0-0x00007FF93B923000-0x00007FF93B925000-memory.dmp

Filesize
8KB

Download
memory/5008-2-0x000001E8D9D60000-0x000001E8D9D76000-memory.dmp

Filesize
88KB

Download
memory/5008-719-0x00007FF93B920000-0x00007FF93C3E2000-memory.dmp

Filesize
10.8MB

Download
memory/5008-1-0x000001E8D99A0000-0x000001E8D99CC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads