Analysis
max time kernel: 103s
max time network: 104s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21/04/2025, 06:45
Behavioral task: behavioral1
  Sample: 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Resource: win10v2004-20250410-en
Behavioral task: behavioral2
  Sample: 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Resource: win11-20250410-en
General
Target: 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
Size: 147KB
MD5: 714b31629c37dee57038ca4e52ef65ac
SHA1: f9aa5b2dc359f3173ab555944b2fb5a914b45848
SHA256: 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd
SHA512: 05f15b7609b862450ddd56181e1f7350d24a81486a7a2d9265e809b1577ee44b65c23c966b9efd3c3c1f836dde47c201c3239132ad921bb1727c5f402bed2187
SSDEEP: 3072:k6glyuxE4GsUPnliByocWepMf11O4OgfJCCrPPl8rzd:k6gDBGpvEByocWeu1RJpPN6
Malware Config
Extracted from: C:\KUsfyVlDo.README.txt
Family: braincipher
URLs:
  http://vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion
  http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion
Signatures
- Brain Cipher
  Ransomware family based on Lockbit that was first observed in June 2024.
- Braincipher family
- Deletes itself (1 IoC)
  pid | Process
  5112 | 74C2.tmp
- Executes dropped EXE (1 IoC)
  pid | Process
  5112 | 74C2.tmp
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-1492919288-2219487354-2015056034-1000\desktop.ini | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1492919288-2219487354-2015056034-1000\desktop.ini | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid | Process
  1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe (4 entries)
  5112 | 74C2.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 74C2.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe (all 64 entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  pid | Process
  5112 | 74C2.tmp (all 26 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeAssignPrimaryTokenPrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeBackupPrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeDebugPrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: 36 | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeImpersonatePrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeIncBasePriorityPrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeIncreaseQuotaPrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: 33 | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeManageVolumePrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeProfSingleProcessPrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeRestorePrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeSecurityPrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeSystemProfilePrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeTakeOwnershipPrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeShutdownPrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeDebugPrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Token: SeBackupPrivilege / Token: SeSecurityPrivilege | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe (remaining 48 entries, repeating the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege; 24 of each)
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1180 wrote to memory of 5112 | 1180 | 27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe | 85 (4 entries)
  PID 5112 wrote to memory of 4680 | 5112 | 74C2.tmp | 86 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe"
  PID: 1180
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\74C2.tmp
    Command line: "C:\ProgramData\74C2.tmp"
    PID: 5112
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\74C2.tmp >> NUL
      PID: 4680
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize: 129B
MD5: 71608e63322ec8b5a74a6bd3880fa3c9
SHA1: 0b00cc4b0d81bd3c2ccca0637ac2b26704560049
SHA256: 97e8538fdd81e7754321eb462682f966396794a2d139ce6010467bd62ea93626
SHA512: 27f5a1d7b2954cb41a413cda0d68933f57482d1460b2c14bc128b7f600964965dd18fc175f4eb0c6126190f328b47f1d9969a0d31bd2fb1fbd5f726cddf96173
-
Filesize: 1KB
MD5: 82046584dff98337c32ac7117e05387b
SHA1: 61c5022e6a5f00b4b0164ecf090b0c863d7df84e
SHA256: 9b90c3d076d429fdf9ea0606d6d19fee56b3202715157da0ac8ad88ef0b06399
SHA512: 59e49ede5ed8e9769b28d56d4d03f2f28f33088282d0070b834adb30c639c2d93c72ed222aff9f18d973a2f965858f93b895d6282062ee551c9ec04d5ba54ecf
-
Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize: 147KB
MD5: ce4b570255a46d7e4311dd20954ac96e
SHA1: ce9301b32db6d79ba1fdeeb961c2dc4268d7e441
SHA256: e3661eed8ab72d43aa42d5a36c2c83e3e9bda5f55076565ca1d83d6499927432
SHA512: 6eb591c7398ae47232c200d59cc8059b7ff8a0ef53fcec0585347298f70800099bd5bdafc6636af6f7323c393ffc8162466e0cb3b002f5990aae5fcab79d92c1
-
Filesize: 129B
MD5: ff3b657effb49dbc70067995023a71c0
SHA1: c605a7973bfd647f2e3bed9807317a7d091ae5c5
SHA256: b2b165d4b5946fb0b29656d53627677dfa279fb31a2e6a40ec3a4389f506fca9
SHA512: 5d1ee7ce5b0fdc5e90b73eed79ebdcd18182e5cf0c5f37de2ab14d79f44417a02a44ce8eb0c778b2e3fe99c2c31547e8d212bc2bcc30e274c1e69c533b0f9521