f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f

Analysis

max time kernel
65s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
Size

60KB
MD5

dfac83994c43a8cba786c678f383e8f3
SHA1

e809a61e0288fd77c3bbf43f55064fd2041f1df0
SHA256

f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f
SHA512

750831e315d847ba49985908ec1ebca591e3deb93396731199e03a0091f438d65be46b1876603e23d2a6622ff12e61d65d36d3e16c739258d5c36f8a36cc7031
SSDEEP

768:b8KivX+gIMiYzTBO6d3tG4t29U4mvn+KxXWgQUfhNu5NhmncHhs50Z1Iw6Wx:bhivX0MDzTQmtG4tSd6+f+hgnh0p+Z5

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\G:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\K:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\V:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\M:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\D:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\P:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\A:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\H:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\J:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\L:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\Z:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\N:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\S:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\X:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\B:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\U:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\I:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\O:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\F:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\E:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened (read-only)	\??\T:	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0168644.WMF.c3fc3c57610f	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSYUBIN7.DLL.c37cbc57610f	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OISGRAPH.DLL.404e0d343e8c	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00170_.GIF.9678ed0a1462	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099193.GIF.79cab0152fdd	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\NOTICE.7e5b26362cfe	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_PDF.DLL.a4fc5b383e70	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files (x86)\Common Files\System\ado\de-DE\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090027.WMF.c723e7edeb35	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152898.WMF.3c8fb0506218	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239975.WMF.cd834da7b1ff	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHMAIN.DLL.08707ba4aadc	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY.70b7c4647e4c	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\IETAG.DLL.3c2b1450a218	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241043.WMF.4d3b7567518f	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\PurblePlace.exe.mui.fee21f969c4e	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\Java\jre7\lib\jfr\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files\TracePop.m4v.cb63ab696f01	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\DVD Maker\es-ES\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EMABLT32.DLL.50287b4c72a4	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099177.WMF.cb4088a7a97f	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153508.WMF.56386d4a54a2	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg.5a81d836386e	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\flavormap.properties.9de57b33016b	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files\InstallDeny.pcx.82f67712205a	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.log.1c4758f08228	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09031_.WMF.44f0b7e8e690	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107154.WMF.d651845a5462	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\Microsoft Games\More Games\es-ES\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0197979.WMF.da26fffaf832	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll.sig.ec01ee808ed8	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt.174b5f8d8b25	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Metro.thmx.593c664d4b95	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUOPTIN.DLL.1d2a34b18379	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105328.WMF.3f576bfde335	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\Microsoft Games\Purble Place\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL.10d7c4849e2c	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01183_.WMF.17d7c3859b2d	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\Restore-My-Files.txt	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185786.WMF.1c4956f08e38	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT.a0c0634c4294	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
Token: SeBackupPrivilege	2784	vssvc.exe
Token: SeRestorePrivilege	2784	vssvc.exe
Token: SeAuditPrivilege	2784	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1928	WMIC.exe
Token: SeSecurityPrivilege	1928	WMIC.exe
Token: SeTakeOwnershipPrivilege	1928	WMIC.exe
Token: SeLoadDriverPrivilege	1928	WMIC.exe
Token: SeSystemProfilePrivilege	1928	WMIC.exe
Token: SeSystemtimePrivilege	1928	WMIC.exe
Token: SeProfSingleProcessPrivilege	1928	WMIC.exe
Token: SeIncBasePriorityPrivilege	1928	WMIC.exe
Token: SeCreatePagefilePrivilege	1928	WMIC.exe
Token: SeBackupPrivilege	1928	WMIC.exe
Token: SeRestorePrivilege	1928	WMIC.exe
Token: SeShutdownPrivilege	1928	WMIC.exe
Token: SeDebugPrivilege	1928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1928	WMIC.exe
Token: SeRemoteShutdownPrivilege	1928	WMIC.exe
Token: SeUndockPrivilege	1928	WMIC.exe
Token: SeManageVolumePrivilege	1928	WMIC.exe
Token: 33	1928	WMIC.exe
Token: 34	1928	WMIC.exe
Token: 35	1928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1928	WMIC.exe
Token: SeSecurityPrivilege	1928	WMIC.exe
Token: SeTakeOwnershipPrivilege	1928	WMIC.exe
Token: SeLoadDriverPrivilege	1928	WMIC.exe
Token: SeSystemProfilePrivilege	1928	WMIC.exe
Token: SeSystemtimePrivilege	1928	WMIC.exe
Token: SeProfSingleProcessPrivilege	1928	WMIC.exe
Token: SeIncBasePriorityPrivilege	1928	WMIC.exe
Token: SeCreatePagefilePrivilege	1928	WMIC.exe
Token: SeBackupPrivilege	1928	WMIC.exe
Token: SeRestorePrivilege	1928	WMIC.exe
Token: SeShutdownPrivilege	1928	WMIC.exe
Token: SeDebugPrivilege	1928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1928	WMIC.exe
Token: SeRemoteShutdownPrivilege	1928	WMIC.exe
Token: SeUndockPrivilege	1928	WMIC.exe
Token: SeManageVolumePrivilege	1928	WMIC.exe
Token: 33	1928	WMIC.exe
Token: 34	1928	WMIC.exe
Token: 35	1928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1180	WMIC.exe
Token: SeSecurityPrivilege	1180	WMIC.exe
Token: SeTakeOwnershipPrivilege	1180	WMIC.exe
Token: SeLoadDriverPrivilege	1180	WMIC.exe
Token: SeSystemProfilePrivilege	1180	WMIC.exe
Token: SeSystemtimePrivilege	1180	WMIC.exe
Token: SeProfSingleProcessPrivilege	1180	WMIC.exe
Token: SeIncBasePriorityPrivilege	1180	WMIC.exe
Token: SeCreatePagefilePrivilege	1180	WMIC.exe
Token: SeBackupPrivilege	1180	WMIC.exe
Token: SeRestorePrivilege	1180	WMIC.exe
Token: SeShutdownPrivilege	1180	WMIC.exe
Token: SeDebugPrivilege	1180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1180	WMIC.exe
Token: SeRemoteShutdownPrivilege	1180	WMIC.exe
Token: SeUndockPrivilege	1180	WMIC.exe
Token: SeManageVolumePrivilege	1180	WMIC.exe
Token: 33	1180	WMIC.exe
Token: 34	1180	WMIC.exe
Token: 35	1180	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 392	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	33
PID 3064 wrote to memory of 392	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	33
PID 3064 wrote to memory of 392	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	33
PID 3064 wrote to memory of 392	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	33
PID 392 wrote to memory of 1928	392	cmd.exe	35
PID 392 wrote to memory of 1928	392	cmd.exe	35
PID 392 wrote to memory of 1928	392	cmd.exe	35
PID 3064 wrote to memory of 2968	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	36
PID 3064 wrote to memory of 2968	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	36
PID 3064 wrote to memory of 2968	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	36
PID 3064 wrote to memory of 2968	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	36
PID 2968 wrote to memory of 1180	2968	cmd.exe	38
PID 2968 wrote to memory of 1180	2968	cmd.exe	38
PID 2968 wrote to memory of 1180	2968	cmd.exe	38
PID 3064 wrote to memory of 384	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	39
PID 3064 wrote to memory of 384	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	39
PID 3064 wrote to memory of 384	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	39
PID 3064 wrote to memory of 384	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	39
PID 384 wrote to memory of 2172	384	cmd.exe	41
PID 384 wrote to memory of 2172	384	cmd.exe	41
PID 384 wrote to memory of 2172	384	cmd.exe	41
PID 3064 wrote to memory of 2524	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	42
PID 3064 wrote to memory of 2524	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	42
PID 3064 wrote to memory of 2524	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	42
PID 3064 wrote to memory of 2524	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	42
PID 2524 wrote to memory of 2112	2524	cmd.exe	44
PID 2524 wrote to memory of 2112	2524	cmd.exe	44
PID 2524 wrote to memory of 2112	2524	cmd.exe	44
PID 3064 wrote to memory of 2392	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	45
PID 3064 wrote to memory of 2392	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	45
PID 3064 wrote to memory of 2392	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	45
PID 3064 wrote to memory of 2392	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	45
PID 2392 wrote to memory of 2964	2392	cmd.exe	47
PID 2392 wrote to memory of 2964	2392	cmd.exe	47
PID 2392 wrote to memory of 2964	2392	cmd.exe	47
PID 3064 wrote to memory of 2860	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	48
PID 3064 wrote to memory of 2860	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	48
PID 3064 wrote to memory of 2860	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	48
PID 3064 wrote to memory of 2860	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	48
PID 2860 wrote to memory of 3020	2860	cmd.exe	50
PID 2860 wrote to memory of 3020	2860	cmd.exe	50
PID 2860 wrote to memory of 3020	2860	cmd.exe	50
PID 3064 wrote to memory of 2440	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	51
PID 3064 wrote to memory of 2440	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	51
PID 3064 wrote to memory of 2440	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	51
PID 3064 wrote to memory of 2440	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	51
PID 2440 wrote to memory of 2312	2440	cmd.exe	53
PID 2440 wrote to memory of 2312	2440	cmd.exe	53
PID 2440 wrote to memory of 2312	2440	cmd.exe	53
PID 3064 wrote to memory of 2992	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	54
PID 3064 wrote to memory of 2992	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	54
PID 3064 wrote to memory of 2992	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	54
PID 3064 wrote to memory of 2992	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	54
PID 2992 wrote to memory of 588	2992	cmd.exe	56
PID 2992 wrote to memory of 588	2992	cmd.exe	56
PID 2992 wrote to memory of 588	2992	cmd.exe	56
PID 3064 wrote to memory of 592	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	57
PID 3064 wrote to memory of 592	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	57
PID 3064 wrote to memory of 592	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	57
PID 3064 wrote to memory of 592	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	57
PID 592 wrote to memory of 2512	592	cmd.exe	59
PID 592 wrote to memory of 2512	592	cmd.exe	59
PID 592 wrote to memory of 2512	592	cmd.exe	59
PID 3064 wrote to memory of 2428	3064	f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe	60

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
"C:\Users\Admin\AppData\Local\Temp\f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe"
1⤵
- Deletes itself
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{096796F1-2149-464D-ACBB-03B5C167CC17}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{096796F1-2149-464D-ACBB-03B5C167CC17}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F892CD27-E23E-4515-87B3-8F8F21B9D9C9}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F892CD27-E23E-4515-87B3-8F8F21B9D9C9}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32A7D592-2541-4316-9CBA-F77BBB019FC7}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32A7D592-2541-4316-9CBA-F77BBB019FC7}'" delete
    3⤵
    PID:2172
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4322938B-E7D8-427C-9899-D8612A7A139D}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4322938B-E7D8-427C-9899-D8612A7A139D}'" delete
    3⤵
    PID:2112
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40688390-1826-4849-9E8B-083873315E70}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40688390-1826-4849-9E8B-083873315E70}'" delete
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6A7C606-A48C-4CE7-8835-04E81D7912DF}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6A7C606-A48C-4CE7-8835-04E81D7912DF}'" delete
    3⤵
    PID:3020
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B7D60577-15EA-4C7B-BE0B-C497017039D0}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B7D60577-15EA-4C7B-BE0B-C497017039D0}'" delete
    3⤵
    PID:2312
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BB1A373F-4301-4C27-8A7E-482A72564628}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BB1A373F-4301-4C27-8A7E-482A72564628}'" delete
    3⤵
    PID:588
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5A9288-DEC5-4D8F-9600-23F03936D215}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5A9288-DEC5-4D8F-9600-23F03936D215}'" delete
    3⤵
    PID:2512
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{823E0A24-E393-468F-B11F-85124724B858}'" delete
  2⤵
  PID:2428
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{823E0A24-E393-468F-B11F-85124724B858}'" delete
    3⤵
    PID:2488
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A4CD207-FB7C-469F-9F7A-80D1BD4DFCFA}'" delete
  2⤵
  PID:2384
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A4CD207-FB7C-469F-9F7A-80D1BD4DFCFA}'" delete
    3⤵
    PID:2236
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F64151A7-2488-4B24-9A4D-D03E41D3CAC7}'" delete
  2⤵
  PID:1904
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F64151A7-2488-4B24-9A4D-D03E41D3CAC7}'" delete
    3⤵
    PID:1292
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A40927C3-0F96-44E1-B89A-47B10F36A0E6}'" delete
  2⤵
  PID:704
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A40927C3-0F96-44E1-B89A-47B10F36A0E6}'" delete
    3⤵
    PID:2548
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1C5B9C0E-6DDC-430F-9959-B1C7BC19DF79}'" delete
  2⤵
  PID:2024
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1C5B9C0E-6DDC-430F-9959-B1C7BC19DF79}'" delete
    3⤵
    PID:1944
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E322147-06DC-47C3-8F71-A37CFEE921A2}'" delete
  2⤵
  PID:1252
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E322147-06DC-47C3-8F71-A37CFEE921A2}'" delete
    3⤵
    PID:1920
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A273B3E7-11AE-4B3C-8748-31324B458734}'" delete
  2⤵
  PID:1652
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A273B3E7-11AE-4B3C-8748-31324B458734}'" delete
    3⤵
    PID:2076
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41A049F0-5D90-4970-A62C-95EBA2C69DB2}'" delete
  2⤵
  PID:1692
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41A049F0-5D90-4970-A62C-95EBA2C69DB2}'" delete
    3⤵
    PID:1204
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E1A70E3-B89F-4CF4-95D7-7FBA75E2544E}'" delete
  2⤵
  PID:2572
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E1A70E3-B89F-4CF4-95D7-7FBA75E2544E}'" delete
    3⤵
    PID:1924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\Restore-My-Files.txt

Filesize
6KB

MD5
84ca17a0259396d7c74382234f55f4e0

SHA1
b5a764178ce87efe0e12c2859dd3064810f192c0

SHA256
114e28c227be2b32f48fc80a8fb17332d28e3bfd3098beb3ba9b92ad709f7762

SHA512
d6728ea917a8f6591b20149b258b9ece3bf872038fe3b2272063024d04d6db6361e777eb3e49896b8b5079393be457b369d6bd8b017d04e6f19b94de00c4aec9

Download Submit
memory/3064-0-0x0000000000A70000-0x0000000000B3A000-memory.dmp

Filesize
808KB

Download
memory/3064-1-0x0000000000A70000-0x0000000000B3A000-memory.dmp

Filesize
808KB

Download
memory/3064-491-0x0000000000A70000-0x0000000000B3A000-memory.dmp

Filesize
808KB

Download
memory/3064-1806-0x0000000000A70000-0x0000000000B3A000-memory.dmp

Filesize
808KB

Download
memory/3064-3816-0x0000000000A70000-0x0000000000B3A000-memory.dmp

Filesize
808KB

Download