a1f1f23d1080f1a68fb21018fab72c45b6d528c1a06a6391487c19a0c7aa2451

Resubmissions

04/04/2025, 01:22

250404-brjeysxwaz 10

04/04/2025, 01:20

250404-bqbcyszlz2 10

04/04/2025, 01:18

250404-bnzyjaxvgs 10

Analysis

max time kernel
40s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20250314-ja
resource tags

arch:x64arch:x86image:win10v2004-20250314-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
04/04/2025, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solaris.exe
Size

7.2MB
MD5

54259a70a86ba3add0d89979e62854cd
SHA1

7e4045edace566fbf9a0260d57b0f682f06a7e6b
SHA256

b0433f33e6ff471fb357941a07d5262e61ed6999d8d025031c2029092f4bfacc
SHA512

c553fc6aaacfc6d8bfce08e8636fd42fd98a40d6ff2c671e8ae82635894aed5c14eb50ce0fe811da89f8bc5a2a885d2a911ca086bf9a1dce290b75985d4b235d
SSDEEP

196608:WRhEG05ltetqEG/gGhj8aAkF8BpM8koCeIXFark6i9y8z:WRhG5lsqP4Yj8keBBkOIXFGk638z

Score

10^/10

bootkit discovery execution persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A807.tmp\\LOCK.exe"	LOCK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A807.tmp\\LOCK.exe"	LOCK.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	Solaris.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	qqq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
3540	qqq.exe
5404	fleeg2.0.exe
4604	Maltoolkit.exe
5036	FlargOnDesktop.exe
5816	qw.exe
1860	LOCK.exe
5408	LOCK.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5980	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fleeg2.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A807.tmp\\LOCK.exe"	LOCK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A807.tmp\\LOCK.exe"	LOCK.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	LOCK.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x004a000000023766-25.dat	upx
behavioral1/memory/3540-26-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/3540-112-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6068	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qqq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlargOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOCK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	label.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fleeg2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solaris.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOCK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2840	timeout.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	label.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
1144	taskkill.exe
4636	taskkill.exe
3740	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "173"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-805952410-2104024357-1716932545-1000\{F7D58E15-63AF-44B4-BDF2-380523A4063E}	WScript.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4016	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6068	powershell.exe
6068	powershell.exe
6068	powershell.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	6068	powershell.exe
Token: SeIncreaseQuotaPrivilege	6128	WMIC.exe
Token: SeSecurityPrivilege	6128	WMIC.exe
Token: SeTakeOwnershipPrivilege	6128	WMIC.exe
Token: SeLoadDriverPrivilege	6128	WMIC.exe
Token: SeSystemProfilePrivilege	6128	WMIC.exe
Token: SeSystemtimePrivilege	6128	WMIC.exe
Token: SeProfSingleProcessPrivilege	6128	WMIC.exe
Token: SeIncBasePriorityPrivilege	6128	WMIC.exe
Token: SeCreatePagefilePrivilege	6128	WMIC.exe
Token: SeBackupPrivilege	6128	WMIC.exe
Token: SeRestorePrivilege	6128	WMIC.exe
Token: SeShutdownPrivilege	6128	WMIC.exe
Token: SeDebugPrivilege	6128	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6128	WMIC.exe
Token: SeRemoteShutdownPrivilege	6128	WMIC.exe
Token: SeUndockPrivilege	6128	WMIC.exe
Token: SeManageVolumePrivilege	6128	WMIC.exe
Token: 33	6128	WMIC.exe
Token: 34	6128	WMIC.exe
Token: 35	6128	WMIC.exe
Token: 36	6128	WMIC.exe
Token: SeShutdownPrivilege	3076	WScript.exe
Token: SeCreatePagefilePrivilege	3076	WScript.exe
Token: 33	4108	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4108	AUDIODG.EXE
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeShutdownPrivilege	3076	WScript.exe
Token: SeCreatePagefilePrivilege	3076	WScript.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeShutdownPrivilege	1860	LOCK.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1860	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe
5408	LOCK.exe
1860	LOCK.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5436	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5652 wrote to memory of 2080	5652	Solaris.exe	99
PID 5652 wrote to memory of 2080	5652	Solaris.exe	99
PID 5652 wrote to memory of 2080	5652	Solaris.exe	99
PID 2080 wrote to memory of 3540	2080	cmd.exe	102
PID 2080 wrote to memory of 3540	2080	cmd.exe	102
PID 2080 wrote to memory of 3540	2080	cmd.exe	102
PID 2080 wrote to memory of 2840	2080	cmd.exe	103
PID 2080 wrote to memory of 2840	2080	cmd.exe	103
PID 2080 wrote to memory of 2840	2080	cmd.exe	103
PID 3540 wrote to memory of 5392	3540	qqq.exe	104
PID 3540 wrote to memory of 5392	3540	qqq.exe	104
PID 3540 wrote to memory of 5392	3540	qqq.exe	104
PID 5392 wrote to memory of 6068	5392	cmd.exe	106
PID 5392 wrote to memory of 6068	5392	cmd.exe	106
PID 5392 wrote to memory of 6068	5392	cmd.exe	106
PID 2080 wrote to memory of 1292	2080	cmd.exe	110
PID 2080 wrote to memory of 1292	2080	cmd.exe	110
PID 2080 wrote to memory of 1292	2080	cmd.exe	110
PID 2080 wrote to memory of 2148	2080	cmd.exe	112
PID 2080 wrote to memory of 2148	2080	cmd.exe	112
PID 2080 wrote to memory of 2148	2080	cmd.exe	112
PID 2080 wrote to memory of 6128	2080	cmd.exe	114
PID 2080 wrote to memory of 6128	2080	cmd.exe	114
PID 2080 wrote to memory of 6128	2080	cmd.exe	114
PID 2080 wrote to memory of 748	2080	cmd.exe	116
PID 2080 wrote to memory of 748	2080	cmd.exe	116
PID 2080 wrote to memory of 748	2080	cmd.exe	116
PID 2080 wrote to memory of 5980	2080	cmd.exe	117
PID 2080 wrote to memory of 5980	2080	cmd.exe	117
PID 2080 wrote to memory of 5980	2080	cmd.exe	117
PID 2080 wrote to memory of 5344	2080	cmd.exe	119
PID 2080 wrote to memory of 5344	2080	cmd.exe	119
PID 2080 wrote to memory of 5344	2080	cmd.exe	119
PID 2080 wrote to memory of 5404	2080	cmd.exe	121
PID 2080 wrote to memory of 5404	2080	cmd.exe	121
PID 2080 wrote to memory of 5404	2080	cmd.exe	121
PID 5404 wrote to memory of 5752	5404	fleeg2.0.exe	122
PID 5404 wrote to memory of 5752	5404	fleeg2.0.exe	122
PID 5404 wrote to memory of 5752	5404	fleeg2.0.exe	122
PID 2080 wrote to memory of 3076	2080	cmd.exe	126
PID 2080 wrote to memory of 3076	2080	cmd.exe	126
PID 2080 wrote to memory of 3076	2080	cmd.exe	126
PID 2080 wrote to memory of 4980	2080	cmd.exe	127
PID 2080 wrote to memory of 4980	2080	cmd.exe	127
PID 2080 wrote to memory of 4980	2080	cmd.exe	127
PID 5752 wrote to memory of 4604	5752	cmd.exe	128
PID 5752 wrote to memory of 4604	5752	cmd.exe	128
PID 5752 wrote to memory of 4604	5752	cmd.exe	128
PID 2080 wrote to memory of 5036	2080	cmd.exe	129
PID 2080 wrote to memory of 5036	2080	cmd.exe	129
PID 2080 wrote to memory of 5036	2080	cmd.exe	129
PID 3600 wrote to memory of 1812	3600	cmd.exe	130
PID 3600 wrote to memory of 1812	3600	cmd.exe	130
PID 2080 wrote to memory of 5816	2080	cmd.exe	131
PID 2080 wrote to memory of 5816	2080	cmd.exe	131
PID 2080 wrote to memory of 5816	2080	cmd.exe	131
PID 2080 wrote to memory of 5144	2080	cmd.exe	133
PID 2080 wrote to memory of 5144	2080	cmd.exe	133
PID 2080 wrote to memory of 5144	2080	cmd.exe	133
PID 2080 wrote to memory of 4016	2080	cmd.exe	134
PID 2080 wrote to memory of 4016	2080	cmd.exe	134
PID 2080 wrote to memory of 4016	2080	cmd.exe	134
PID 2080 wrote to memory of 1860	2080	cmd.exe	135
PID 2080 wrote to memory of 1860	2080	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\Solaris.exe
"C:\Users\Admin\AppData\Local\Temp\Solaris.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A807.tmp\main.cmd" "
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\A807.tmp\qqq.exe
    qqq.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D14A.tmp\msg.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5392
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-Type -AssemblyName PresentationFramework; [System.Windows.MessageBox]::Show('You stepped into the wrong executable', 'lmao', [System.Windows.MessageBoxButton]::OK, [System.Windows.MessageBoxImage]::Error)"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6068
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K time
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1292
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6128
- - C:\Windows\SysWOW64\help.exe
    help
    3⤵
    - System Location Discovery: System Language Discovery
    PID:748
- - C:\Windows\SysWOW64\icacls.exe
    icacls
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5980
- - C:\Windows\SysWOW64\label.exe
    label qqqqqqqq
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:5344
- - C:\Users\Admin\AppData\Local\Temp\A807.tmp\fleeg2.0.exe
    fleeg2.0
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5404
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c Maltoolkit.exe --shreadinggdipayloadrainbowgdipayloadtunnelgdipayloadscreeninvertingpayloadpixelatedgdiglitchesinversegdipayload500
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5752
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Maltoolkit.exe
        
        Maltoolkit.exe --shreadinggdipayloadrainbowgdipayloadtunnelgdipayloadscreeninvertingpayloadpixelatedgdiglitchesinversegdipayload500
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4604
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A807.tmp\flarg.vbs"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3076
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A807.tmp\z.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4980
- - C:\Users\Admin\AppData\Local\Temp\A807.tmp\FlargOnDesktop.exe
    FlargOnDesktop
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5036
- - C:\Users\Admin\AppData\Local\Temp\A807.tmp\qw.exe
    qw
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5816
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A807.tmp\speech.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5144
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\A807.tmp\can.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:4016
- - C:\Users\Admin\AppData\Local\Temp\A807.tmp\LOCK.exe
    LOCK
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1860
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM tm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:1812

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\A807.tmp\LOCK.exe
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\A807.tmp\LOCK.exe
  C:\Users\Admin\AppData\Local\Temp\A807.tmp\LOCK.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:5408

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa393b055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
768KB

MD5
668c885b88b815358e76bd0cdf149890

SHA1
02925f50e3f3a055dc43f1c143b92ee483bb5580

SHA256
d2a15367ce9dd9787de829b5f2f6999554a971a19b836bb8ed71c87d79d0a3dd

SHA512
8e6dad818d8471e4b04bff8726b1f715c5f1f75d7dc6a5e739a195db617a31d8d373d96166822b371b8bbeb5a196e8ec197ba7ec6027c8384f170a68cbd5c4ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A807.tmp\FlargOnDesktop.exe

Filesize
1.1MB

MD5
6c8df8f1fcaedb5b286b0e737f338a39

SHA1
efc745fe9e385bb0eaaf63ab1158bcdd85645816

SHA256
65fda63c738c3a5a97a023cc2e73d5c7ffcbefce406ec65b9a7e65f62f32cdb7

SHA512
fe03b91b21588b98a699016fefb49f32a624f4729b7e8ec3a3cc37b627eafda3020934affba3f73d0d3b80abcf4511f409e0e25be857a362f9c52e57a17df35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A807.tmp\LOCK.exe

Filesize
436KB

MD5
e9a942cf4bcd733d5679aac39588157c

SHA1
42aa229d3903dd28b60eeef67024e0e01d81eacd

SHA256
4ede23ec10bbab66b8ce2f86d7f11dbe44f16b86885eed44b17c2908453b64d9

SHA512
b489eae39aa305e3de733ec1866b80c12a2e0abacc58cff225a0bc52dc170d4bc63783b3eab881910d2382b0a33742bf5b5f5e685375cab73df20cfafce2df52

Download Submit
C:\Users\Admin\AppData\Local\Temp\A807.tmp\can.txt

Filesize
25B

MD5
401de424470ac4e20c7abba02ff9fecf

SHA1
2f9cb2cf54f9445a2f6d488ecf6aa4586dea985a

SHA256
16cfd3079338d4cc392e8a024bbbb3112782e3b80dc135a4b25bed9a1444e3c5

SHA512
463e5c0cebfa6046302ae9e46d436580ee1f40e16e79266f2e91403f0e45bb0819694037026ada1fe89c13cd3121384f4201684d80f5bef2b610e105508f347f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A807.tmp\flarg.mp3

Filesize
4.5MB

MD5
a432a5d232380da0e958ebf33bd29487

SHA1
b2c215807614da9ef51088a5f182050a6a467981

SHA256
da25c8c729131d2d644d8c70e19a1e5c26aaf87877525a57f3d3d23bd0e7009b

SHA512
3572f37d087d202fdb3a1ce7f9e945c280bc6481b8c765dc5f641bdfa5d3d5c5a34c4e076182e6b3fb57e90e6434da5c083c3cb69b737482bcc30bda68994194

Download Submit
C:\Users\Admin\AppData\Local\Temp\A807.tmp\flarg.vbs

Filesize
210B

MD5
e0820a415681528513a1b9d1ac270666

SHA1
bc923c6dcecb782bccd11e791d189ae127704974

SHA256
4f51b27a5bafbba078ff27c86ad1da68f830caf6b74165deb3b5a974ddc53198

SHA512
1ad8a6d2c4924607ba36a47d65d0b9dbec050d612c30633f8dc28bb5c37b0886f9e4b2ac410c08fc1e5534c4743d0def1ac0592e4e141e37b435eeb3df3c90e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A807.tmp\fleeg2.0.exe

Filesize
672KB

MD5
ba50cddfee7f588f4459a92e13cd003a

SHA1
939eddf430071cf857c1a2fbca4d233db0a28f9a

SHA256
8c7890605137fa302db210882508074030b4d6919dcc2c7247e7c6e995201682

SHA512
a90814ea833f7d30b9678190f2ff50023644a323891bb8fa4609dc5d956e493cf0d5cbed511c52a60fadbe16bb96990661bd26b4d922205c2a304ecf3510bc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\A807.tmp\main.cmd

Filesize
327B

MD5
7d7f9229dcef2075732eb132378adb7e

SHA1
cda7b85e6f2847dfdf5a2aa5a203369e4d68f126

SHA256
58215e2a988edd8554dac257f44e3ca4bc956b4bb2d5fb8e8fb04577bd96effb

SHA512
24bc65cb4691794401d86d1e066cc5eae181be7ec3de50957746ab5539c637885f848fcc7113725be5b2ac02e1bded9fcc1caa8a9ff550b431d99e27c9df9505

Download Submit
C:\Users\Admin\AppData\Local\Temp\A807.tmp\qqq.exe

Filesize
21KB

MD5
27b6d2f4c468208ff87638c76ea38c62

SHA1
216a697bac98db88d1734521e48398417c247e53

SHA256
b78f81ab0e49f98ad8f607c6e9ad111a87a60fef471873c6bef2546fe28c953c

SHA512
620fdb01ee3a3d40fd112c1df8dfa319c895f696c11a176466a14c0cb2545c226e50859d36174f3548728c5d3a5f8ec43a961a8fbf182f38effd630a0cd4e036

Download Submit
C:\Users\Admin\AppData\Local\Temp\A807.tmp\qw.exe

Filesize
461KB

MD5
1cd26deb7230d7573199eaf6766573b9

SHA1
ea019ff0c8a538aa979a49ab8432bfc55485036b

SHA256
bf77b3f707ca602c647d8052bdb1a35ac58b30e46abe38887e3d7f75578a3fc6

SHA512
432a057eae64807428d4a20390be8a79eb195bc78d55bfc1804c681da898b73a17502ecc3ef4191c9577b90b0991f9ba0d6bd39db079d39f629233977237713d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A807.tmp\speech.vbs

Filesize
278B

MD5
b2096d95195af08f640c47f3b9e03d38

SHA1
999aac238a62a9d2f6387c1eede5df59a2d0577f

SHA256
060d61d1ee7e65da381fdcbd1e35e0f6688b823018348081df0f78923cab6769

SHA512
564bdbe0e9acd1e8406330b7daed6067ea04fab4a9fc93868dc1e30983b46971fbf62caae1ee09876744fcc19df5adb93c4034e407b0e17e717efaba765f5e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\A807.tmp\z.vbs

Filesize
31B

MD5
4aada262983b85642a5ff90733594485

SHA1
7fbd7f09f16a82f6cd137d7e6adcb63de0706987

SHA256
a4d005bfff2eea789d1ccf419cfbf8e5c243fea0135e09631a2c268b4b8805c9

SHA512
43e0be9d5409b3eaff499d6d370f76cf6cf0d2fc7a1ab7d41825033cb4b4f6542676b964c0aecc6c755d5a1773d973810ebdb98ba05f387d9d2dbbdadece94ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\D14A.tmp\msg.cmd

Filesize
232B

MD5
a9e4467ccb1cfc8e041b75047f985c8d

SHA1
6755cb4209b4d26c0b7adc066b25de3cb7175dfb

SHA256
481527e9562d29c7e8a372f0f3806a46f9bdd7173cded7e60d5755248bdcef56

SHA512
e1c691386d59eea1fc63ba0df21b88fe0a6953c4d01ef709a72a8edbe05879c1131248ecf8b89e4c03c19c7619aad006ae2bc767adccb343212961ceec2a69f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Maltoolkit.exe

Filesize
599KB

MD5
d4163d85ba71a09b181dea459744698c

SHA1
002efbdaf3b87a486cd1b577b219a36995a66489

SHA256
1fd51d6dd83f903b81c2fe5ee5811a32f4eeddae97b02c89659e6f0e7da16b1e

SHA512
f6740689391249a5a123cc2184b3b20bca15662d4b35f0158dfbb61a926f8d3d86f19cfadf2f411a5f43a904566a2b236f8fa6c1c30e2b7edeb29eb615e4dd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_42vza03g.03i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\FlargOnDesktop\flarg.png

Filesize
34KB

MD5
5144c96662a803704aceeb2620f0bbcb

SHA1
8f211f9ee8739b4c94b249075f4c7277a6326817

SHA256
611b0f0f79493ae5a191e96749bc021684e348f80af363b85e18e8857a765f0b

SHA512
196626d94af55b9fa66c663d617b1ff8ea7693c209622e10b1d2caf0cbc12ad076cdd7937bbc979d30bd9f2f43c17ca976ca180d358bf342458bbd88cfe33944

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_42F6859BB01B4FB0A1619F10A61C70A7.dat

Filesize
940B

MD5
f25cd8d4b59f0c124324f40a62353938

SHA1
4f6b5185ac39e6fc4181d364002ae1d6e4ef6b47

SHA256
aea65b01e283471a000bd1f848eca598eca83997c5253390895234c0ace66af9

SHA512
61629a6f76fdfd89af84dac3f05297b49542023bbdfb1a5eb97b7dd0edcba1f7f4508113ed3658034710955b07c0758ae22d60fe9a48105a9efaa7c7554dbb2a

Download Submit
memory/1860-133-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1860-127-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3076-95-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/3076-96-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/3076-101-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/3076-97-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/3076-94-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/3076-102-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/3540-112-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3540-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4604-68-0x00000000007E0000-0x000000000087A000-memory.dmp

Filesize
616KB

Download
memory/4604-98-0x00000000063F0000-0x000000000649A000-memory.dmp

Filesize
680KB

Download
memory/4604-92-0x00000000051F0000-0x00000000051FA000-memory.dmp

Filesize
40KB

Download
memory/4604-80-0x0000000005230000-0x00000000052C2000-memory.dmp

Filesize
584KB

Download
memory/4604-74-0x0000000005740000-0x0000000005CE4000-memory.dmp

Filesize
5.6MB

Download
memory/4604-78-0x00000000050D0000-0x00000000050FC000-memory.dmp

Filesize
176KB

Download
memory/5408-134-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5408-129-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5816-91-0x0000000000040000-0x00000000000B8000-memory.dmp

Filesize
480KB

Download
memory/6068-49-0x0000000006340000-0x000000000644E000-memory.dmp

Filesize
1.1MB

Download
memory/6068-50-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/6068-51-0x00000000064F0000-0x000000000653C000-memory.dmp

Filesize
304KB

Download
memory/6068-48-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

Filesize
64KB

Download
memory/6068-47-0x0000000005EB0000-0x0000000006204000-memory.dmp

Filesize
3.3MB

Download
memory/6068-36-0x0000000005CD0000-0x0000000005D36000-memory.dmp

Filesize
408KB

Download
memory/6068-37-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/6068-35-0x0000000005A30000-0x0000000005A52000-memory.dmp

Filesize
136KB

Download
memory/6068-34-0x0000000005230000-0x00000000052C2000-memory.dmp

Filesize
584KB

Download
memory/6068-52-0x0000000007B20000-0x000000000819A000-memory.dmp

Filesize
6.5MB

Download
memory/6068-33-0x0000000005400000-0x0000000005A28000-memory.dmp

Filesize
6.2MB

Download
memory/6068-32-0x0000000002D10000-0x0000000002D46000-memory.dmp

Filesize
216KB

Download
memory/6068-53-0x00000000069F0000-0x0000000006A0A000-memory.dmp

Filesize
104KB

Download