a1f1f23d1080f1a68fb21018fab72c45b6d528c1a06a6391487c19a0c7aa2451

Resubmissions

04/04/2025, 01:22

250404-brjeysxwaz 10

04/04/2025, 01:20

250404-bqbcyszlz2 10

04/04/2025, 01:18

250404-bnzyjaxvgs 10

Analysis

max time kernel
40s
max time network
42s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-ja
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-jalocale:ja-jpos:windows10-ltsc_2021-x64systemwindows
submitted
04/04/2025, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solaris.exe
Size

7.2MB
MD5

54259a70a86ba3add0d89979e62854cd
SHA1

7e4045edace566fbf9a0260d57b0f682f06a7e6b
SHA256

b0433f33e6ff471fb357941a07d5262e61ed6999d8d025031c2029092f4bfacc
SHA512

c553fc6aaacfc6d8bfce08e8636fd42fd98a40d6ff2c671e8ae82635894aed5c14eb50ce0fe811da89f8bc5a2a885d2a911ca086bf9a1dce290b75985d4b235d
SSDEEP

196608:WRhEG05ltetqEG/gGhj8aAkF8BpM8koCeIXFark6i9y8z:WRhG5lsqP4Yj8keBBkOIXFGk638z

Score

10^/10

bootkit discovery execution persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8F40.tmp\\LOCK.exe"	LOCK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8F40.tmp\\LOCK.exe"	LOCK.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	Solaris.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	qqq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
2872	qqq.exe
4004	fleeg2.0.exe
4888	Maltoolkit.exe
2896	FlargOnDesktop.exe
520	qw.exe
4636	LOCK.exe
2084	LOCK.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2424	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fleeg2.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8F40.tmp\\LOCK.exe"	LOCK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8F40.tmp\\LOCK.exe"	LOCK.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\D:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	LOCK.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001d00000002764f-28.dat	upx
behavioral1/memory/2872-29-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2872-111-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3696	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qqq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solaris.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	label.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fleeg2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlargOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOCK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOCK.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1344	timeout.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	label.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
412	taskkill.exe
4784	taskkill.exe
704	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "176"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3174447216-2582055397-1659630574-1000\{6FACFE39-5C8E-4E85-810E-F86776B0BCCD}	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3174447216-2582055397-1659630574-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2592	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3696	powershell.exe
3696	powershell.exe
1352	WMIC.exe
1352	WMIC.exe
1352	WMIC.exe
1352	WMIC.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeIncreaseQuotaPrivilege	1352	WMIC.exe
Token: SeSecurityPrivilege	1352	WMIC.exe
Token: SeTakeOwnershipPrivilege	1352	WMIC.exe
Token: SeLoadDriverPrivilege	1352	WMIC.exe
Token: SeSystemProfilePrivilege	1352	WMIC.exe
Token: SeSystemtimePrivilege	1352	WMIC.exe
Token: SeProfSingleProcessPrivilege	1352	WMIC.exe
Token: SeIncBasePriorityPrivilege	1352	WMIC.exe
Token: SeCreatePagefilePrivilege	1352	WMIC.exe
Token: SeBackupPrivilege	1352	WMIC.exe
Token: SeRestorePrivilege	1352	WMIC.exe
Token: SeShutdownPrivilege	1352	WMIC.exe
Token: SeDebugPrivilege	1352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1352	WMIC.exe
Token: SeRemoteShutdownPrivilege	1352	WMIC.exe
Token: SeUndockPrivilege	1352	WMIC.exe
Token: SeManageVolumePrivilege	1352	WMIC.exe
Token: 33	1352	WMIC.exe
Token: 34	1352	WMIC.exe
Token: 35	1352	WMIC.exe
Token: 36	1352	WMIC.exe
Token: SeShutdownPrivilege	3760	WScript.exe
Token: SeCreatePagefilePrivilege	3760	WScript.exe
Token: 33	232	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	232	AUDIODG.EXE
Token: SeShutdownPrivilege	3760	WScript.exe
Token: SeCreatePagefilePrivilege	3760	WScript.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	704	taskkill.exe
Token: SeShutdownPrivilege	2084	LOCK.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4636	LOCK.exe
4636	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe
2084	LOCK.exe
4636	LOCK.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2948	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 5080	1416	Solaris.exe	88
PID 1416 wrote to memory of 5080	1416	Solaris.exe	88
PID 1416 wrote to memory of 5080	1416	Solaris.exe	88
PID 5080 wrote to memory of 2872	5080	cmd.exe	91
PID 5080 wrote to memory of 2872	5080	cmd.exe	91
PID 5080 wrote to memory of 2872	5080	cmd.exe	91
PID 5080 wrote to memory of 1344	5080	cmd.exe	92
PID 5080 wrote to memory of 1344	5080	cmd.exe	92
PID 5080 wrote to memory of 1344	5080	cmd.exe	92
PID 2872 wrote to memory of 3008	2872	qqq.exe	93
PID 2872 wrote to memory of 3008	2872	qqq.exe	93
PID 2872 wrote to memory of 3008	2872	qqq.exe	93
PID 3008 wrote to memory of 3696	3008	cmd.exe	95
PID 3008 wrote to memory of 3696	3008	cmd.exe	95
PID 3008 wrote to memory of 3696	3008	cmd.exe	95
PID 5080 wrote to memory of 2528	5080	cmd.exe	97
PID 5080 wrote to memory of 2528	5080	cmd.exe	97
PID 5080 wrote to memory of 2528	5080	cmd.exe	97
PID 5080 wrote to memory of 1080	5080	cmd.exe	99
PID 5080 wrote to memory of 1080	5080	cmd.exe	99
PID 5080 wrote to memory of 1080	5080	cmd.exe	99
PID 5080 wrote to memory of 1352	5080	cmd.exe	101
PID 5080 wrote to memory of 1352	5080	cmd.exe	101
PID 5080 wrote to memory of 1352	5080	cmd.exe	101
PID 5080 wrote to memory of 3352	5080	cmd.exe	103
PID 5080 wrote to memory of 3352	5080	cmd.exe	103
PID 5080 wrote to memory of 3352	5080	cmd.exe	103
PID 5080 wrote to memory of 2424	5080	cmd.exe	104
PID 5080 wrote to memory of 2424	5080	cmd.exe	104
PID 5080 wrote to memory of 2424	5080	cmd.exe	104
PID 5080 wrote to memory of 1248	5080	cmd.exe	106
PID 5080 wrote to memory of 1248	5080	cmd.exe	106
PID 5080 wrote to memory of 1248	5080	cmd.exe	106
PID 5080 wrote to memory of 4004	5080	cmd.exe	108
PID 5080 wrote to memory of 4004	5080	cmd.exe	108
PID 5080 wrote to memory of 4004	5080	cmd.exe	108
PID 4004 wrote to memory of 3888	4004	fleeg2.0.exe	109
PID 4004 wrote to memory of 3888	4004	fleeg2.0.exe	109
PID 4004 wrote to memory of 3888	4004	fleeg2.0.exe	109
PID 5080 wrote to memory of 3760	5080	cmd.exe	113
PID 5080 wrote to memory of 3760	5080	cmd.exe	113
PID 5080 wrote to memory of 3760	5080	cmd.exe	113
PID 4780 wrote to memory of 1884	4780	cmd.exe	114
PID 4780 wrote to memory of 1884	4780	cmd.exe	114
PID 5080 wrote to memory of 3128	5080	cmd.exe	116
PID 5080 wrote to memory of 3128	5080	cmd.exe	116
PID 5080 wrote to memory of 3128	5080	cmd.exe	116
PID 5080 wrote to memory of 2896	5080	cmd.exe	117
PID 5080 wrote to memory of 2896	5080	cmd.exe	117
PID 5080 wrote to memory of 2896	5080	cmd.exe	117
PID 5080 wrote to memory of 520	5080	cmd.exe	118
PID 5080 wrote to memory of 520	5080	cmd.exe	118
PID 5080 wrote to memory of 520	5080	cmd.exe	118
PID 5080 wrote to memory of 1088	5080	cmd.exe	120
PID 5080 wrote to memory of 1088	5080	cmd.exe	120
PID 5080 wrote to memory of 1088	5080	cmd.exe	120
PID 5080 wrote to memory of 2592	5080	cmd.exe	121
PID 5080 wrote to memory of 2592	5080	cmd.exe	121
PID 5080 wrote to memory of 2592	5080	cmd.exe	121
PID 5080 wrote to memory of 4636	5080	cmd.exe	122
PID 5080 wrote to memory of 4636	5080	cmd.exe	122
PID 5080 wrote to memory of 4636	5080	cmd.exe	122
PID 5080 wrote to memory of 412	5080	cmd.exe	123
PID 5080 wrote to memory of 412	5080	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\Solaris.exe
"C:\Users\Admin\AppData\Local\Temp\Solaris.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8F40.tmp\main.cmd" "
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\8F40.tmp\qqq.exe
    qqq.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BB61.tmp\msg.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -AssemblyName PresentationFramework; [System.Windows.MessageBox]::Show('You stepped into the wrong executable', 'lmao', [System.Windows.MessageBoxButton]::OK, [System.Windows.MessageBoxImage]::Error)"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3696
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K time
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1352
- - C:\Windows\SysWOW64\help.exe
    help
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3352
- - C:\Windows\SysWOW64\icacls.exe
    icacls
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2424
- - C:\Windows\SysWOW64\label.exe
    label qqqqqqqq
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:1248
- - C:\Users\Admin\AppData\Local\Temp\8F40.tmp\fleeg2.0.exe
    fleeg2.0
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c Maltoolkit.exe --shreadinggdipayloadrainbowgdipayloadtunnelgdipayloadscreeninvertingpayloadpixelatedgdiglitchesinversegdipayload500
      4⤵
      System Location Discovery: System Language Discovery
      PID:3888
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Maltoolkit.exe
        
        Maltoolkit.exe --shreadinggdipayloadrainbowgdipayloadtunnelgdipayloadscreeninvertingpayloadpixelatedgdiglitchesinversegdipayload500
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4888
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8F40.tmp\flarg.vbs"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8F40.tmp\z.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3128
- - C:\Users\Admin\AppData\Local\Temp\8F40.tmp\FlargOnDesktop.exe
    FlargOnDesktop
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2896
- - C:\Users\Admin\AppData\Local\Temp\8F40.tmp\qw.exe
    qw
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:520
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8F40.tmp\speech.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1088
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\8F40.tmp\can.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:2592
- - C:\Users\Admin\AppData\Local\Temp\8F40.tmp\LOCK.exe
    LOCK
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:4636
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:412
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM tm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:1884

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\8F40.tmp\LOCK.exe
1⤵
PID:1980
- C:\Users\Admin\AppData\Local\Temp\8F40.tmp\LOCK.exe
  C:\Users\Admin\AppData\Local\Temp\8F40.tmp\LOCK.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2084

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a35055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
2e801465c684e05734303c4c1104947d

SHA1
88c75a1dd8bedefd997972937fb6e3e3348c72be

SHA256
fbd1f435575f9a774a7c9aa68194c3b91b95fb04480d16a1e266fec1426d9098

SHA512
aeced539767468c759570a0c4cc2d7228103ca095884bc46b2b7a562697fb4900518f20e571f781c615c8bd43eedf0d701587e776f8ef648f9dcb068eeaf1b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\FlargOnDesktop.exe

Filesize
1.1MB

MD5
6c8df8f1fcaedb5b286b0e737f338a39

SHA1
efc745fe9e385bb0eaaf63ab1158bcdd85645816

SHA256
65fda63c738c3a5a97a023cc2e73d5c7ffcbefce406ec65b9a7e65f62f32cdb7

SHA512
fe03b91b21588b98a699016fefb49f32a624f4729b7e8ec3a3cc37b627eafda3020934affba3f73d0d3b80abcf4511f409e0e25be857a362f9c52e57a17df35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\LOCK.exe

Filesize
436KB

MD5
e9a942cf4bcd733d5679aac39588157c

SHA1
42aa229d3903dd28b60eeef67024e0e01d81eacd

SHA256
4ede23ec10bbab66b8ce2f86d7f11dbe44f16b86885eed44b17c2908453b64d9

SHA512
b489eae39aa305e3de733ec1866b80c12a2e0abacc58cff225a0bc52dc170d4bc63783b3eab881910d2382b0a33742bf5b5f5e685375cab73df20cfafce2df52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\can.txt

Filesize
25B

MD5
401de424470ac4e20c7abba02ff9fecf

SHA1
2f9cb2cf54f9445a2f6d488ecf6aa4586dea985a

SHA256
16cfd3079338d4cc392e8a024bbbb3112782e3b80dc135a4b25bed9a1444e3c5

SHA512
463e5c0cebfa6046302ae9e46d436580ee1f40e16e79266f2e91403f0e45bb0819694037026ada1fe89c13cd3121384f4201684d80f5bef2b610e105508f347f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\flarg.mp3

Filesize
4.5MB

MD5
a432a5d232380da0e958ebf33bd29487

SHA1
b2c215807614da9ef51088a5f182050a6a467981

SHA256
da25c8c729131d2d644d8c70e19a1e5c26aaf87877525a57f3d3d23bd0e7009b

SHA512
3572f37d087d202fdb3a1ce7f9e945c280bc6481b8c765dc5f641bdfa5d3d5c5a34c4e076182e6b3fb57e90e6434da5c083c3cb69b737482bcc30bda68994194

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\flarg.vbs

Filesize
210B

MD5
e0820a415681528513a1b9d1ac270666

SHA1
bc923c6dcecb782bccd11e791d189ae127704974

SHA256
4f51b27a5bafbba078ff27c86ad1da68f830caf6b74165deb3b5a974ddc53198

SHA512
1ad8a6d2c4924607ba36a47d65d0b9dbec050d612c30633f8dc28bb5c37b0886f9e4b2ac410c08fc1e5534c4743d0def1ac0592e4e141e37b435eeb3df3c90e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\fleeg2.0.exe

Filesize
672KB

MD5
ba50cddfee7f588f4459a92e13cd003a

SHA1
939eddf430071cf857c1a2fbca4d233db0a28f9a

SHA256
8c7890605137fa302db210882508074030b4d6919dcc2c7247e7c6e995201682

SHA512
a90814ea833f7d30b9678190f2ff50023644a323891bb8fa4609dc5d956e493cf0d5cbed511c52a60fadbe16bb96990661bd26b4d922205c2a304ecf3510bc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\main.cmd

Filesize
327B

MD5
7d7f9229dcef2075732eb132378adb7e

SHA1
cda7b85e6f2847dfdf5a2aa5a203369e4d68f126

SHA256
58215e2a988edd8554dac257f44e3ca4bc956b4bb2d5fb8e8fb04577bd96effb

SHA512
24bc65cb4691794401d86d1e066cc5eae181be7ec3de50957746ab5539c637885f848fcc7113725be5b2ac02e1bded9fcc1caa8a9ff550b431d99e27c9df9505

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\qqq.exe

Filesize
21KB

MD5
27b6d2f4c468208ff87638c76ea38c62

SHA1
216a697bac98db88d1734521e48398417c247e53

SHA256
b78f81ab0e49f98ad8f607c6e9ad111a87a60fef471873c6bef2546fe28c953c

SHA512
620fdb01ee3a3d40fd112c1df8dfa319c895f696c11a176466a14c0cb2545c226e50859d36174f3548728c5d3a5f8ec43a961a8fbf182f38effd630a0cd4e036

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\qw.exe

Filesize
461KB

MD5
1cd26deb7230d7573199eaf6766573b9

SHA1
ea019ff0c8a538aa979a49ab8432bfc55485036b

SHA256
bf77b3f707ca602c647d8052bdb1a35ac58b30e46abe38887e3d7f75578a3fc6

SHA512
432a057eae64807428d4a20390be8a79eb195bc78d55bfc1804c681da898b73a17502ecc3ef4191c9577b90b0991f9ba0d6bd39db079d39f629233977237713d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\speech.vbs

Filesize
278B

MD5
b2096d95195af08f640c47f3b9e03d38

SHA1
999aac238a62a9d2f6387c1eede5df59a2d0577f

SHA256
060d61d1ee7e65da381fdcbd1e35e0f6688b823018348081df0f78923cab6769

SHA512
564bdbe0e9acd1e8406330b7daed6067ea04fab4a9fc93868dc1e30983b46971fbf62caae1ee09876744fcc19df5adb93c4034e407b0e17e717efaba765f5e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F40.tmp\z.vbs

Filesize
31B

MD5
4aada262983b85642a5ff90733594485

SHA1
7fbd7f09f16a82f6cd137d7e6adcb63de0706987

SHA256
a4d005bfff2eea789d1ccf419cfbf8e5c243fea0135e09631a2c268b4b8805c9

SHA512
43e0be9d5409b3eaff499d6d370f76cf6cf0d2fc7a1ab7d41825033cb4b4f6542676b964c0aecc6c755d5a1773d973810ebdb98ba05f387d9d2dbbdadece94ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB61.tmp\msg.cmd

Filesize
232B

MD5
a9e4467ccb1cfc8e041b75047f985c8d

SHA1
6755cb4209b4d26c0b7adc066b25de3cb7175dfb

SHA256
481527e9562d29c7e8a372f0f3806a46f9bdd7173cded7e60d5755248bdcef56

SHA512
e1c691386d59eea1fc63ba0df21b88fe0a6953c4d01ef709a72a8edbe05879c1131248ecf8b89e4c03c19c7619aad006ae2bc767adccb343212961ceec2a69f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Maltoolkit.exe

Filesize
599KB

MD5
d4163d85ba71a09b181dea459744698c

SHA1
002efbdaf3b87a486cd1b577b219a36995a66489

SHA256
1fd51d6dd83f903b81c2fe5ee5811a32f4eeddae97b02c89659e6f0e7da16b1e

SHA512
f6740689391249a5a123cc2184b3b20bca15662d4b35f0158dfbb61a926f8d3d86f19cfadf2f411a5f43a904566a2b236f8fa6c1c30e2b7edeb29eb615e4dd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gyuysi3z.dsj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\FlargOnDesktop\flarg.png

Filesize
34KB

MD5
5144c96662a803704aceeb2620f0bbcb

SHA1
8f211f9ee8739b4c94b249075f4c7277a6326817

SHA256
611b0f0f79493ae5a191e96749bc021684e348f80af363b85e18e8857a765f0b

SHA512
196626d94af55b9fa66c663d617b1ff8ea7693c209622e10b1d2caf0cbc12ad076cdd7937bbc979d30bd9f2f43c17ca976ca180d358bf342458bbd88cfe33944

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_5461159355794A8C905A8D6F23A6D5E2.dat

Filesize
940B

MD5
c4f389c1f0079e2b47e8f19a597d7c10

SHA1
66a0697205321feb5c2ef839ac3a50e3366c94c8

SHA256
274379d0ba39a555b3eaf25c6c3a0742e030bce271ec816eb3b7283071a388d3

SHA512
f187a7a2d3352922dd16a8563e1e4ebf9c1effdaad26a7c98c7b5678c20c6b121b6044e204b5e680d68015319ad65baa20986a52609ae9bc69f4b9280454b8fa

Download Submit
memory/520-95-0x0000000000DF0000-0x0000000000E68000-memory.dmp

Filesize
480KB

Download
memory/2084-138-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2084-132-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2084-136-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2872-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2872-111-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3696-54-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/3696-53-0x00000000059A0000-0x0000000005CF7000-memory.dmp

Filesize
3.3MB

Download
memory/3696-58-0x00000000078E0000-0x0000000007F5A000-memory.dmp

Filesize
6.5MB

Download
memory/3696-55-0x0000000006030000-0x000000000613E000-memory.dmp

Filesize
1.1MB

Download
memory/3696-43-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/3696-42-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/3696-41-0x0000000005820000-0x0000000005842000-memory.dmp

Filesize
136KB

Download
memory/3696-56-0x0000000005F90000-0x0000000005FAE000-memory.dmp

Filesize
120KB

Download
memory/3696-40-0x0000000004DC0000-0x0000000004E52000-memory.dmp

Filesize
584KB

Download
memory/3696-57-0x0000000005FD0000-0x000000000601C000-memory.dmp

Filesize
304KB

Download
memory/3696-39-0x0000000005020000-0x00000000056EA000-memory.dmp

Filesize
6.8MB

Download
memory/3696-38-0x0000000002890000-0x00000000028C6000-memory.dmp

Filesize
216KB

Download
memory/3696-59-0x0000000006670000-0x000000000668A000-memory.dmp

Filesize
104KB

Download
memory/3760-97-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/3760-105-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/3760-104-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/3760-99-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/3760-100-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/3760-98-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/4636-135-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4636-137-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4636-131-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4888-86-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/4888-75-0x0000000005610000-0x000000000563C000-memory.dmp

Filesize
176KB

Download
memory/4888-76-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/4888-74-0x0000000005EE0000-0x0000000006486000-memory.dmp

Filesize
5.6MB

Download
memory/4888-73-0x0000000000E20000-0x0000000000EBA000-memory.dmp

Filesize
616KB

Download
memory/4888-101-0x0000000007390000-0x000000000743A000-memory.dmp

Filesize
680KB

Download