ragnarok | ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1

General

Target

ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
Size

211KB
MD5

32ed52d918a138ddad24dd3a84e20e56
SHA1

11f455b32e8473353febc5995cef63497c5404a1
SHA256

ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1
SHA512

13e49bb04813598ef5ab1e40a0a657091182bf8ec7b9d4a24bb6d162bfc01b232c910e6e85fdefc13dcded49438e5e6d996ca21a13ec2cd7a0d5f5a40c16a446

Score

10^/10

ransomware evasion ragnarok persistence

Malware Config

Extracted

Path

C:\How_To_Decrypt_My_Files.txt

Family

ragnarok

Ransom Note

#what happend? Unfortunately your files are encrypted, To decrypt your files follow the instructions 1. you need a decrypt tool so that you can decrypt all of your files 2. contact with us for our btc address if you want decrypt your files or you can do nothing just wait your files gona be deleted 3. you can provide a file which size less than 3M for us to prove that we can decrypt your files after you paid 4. it is wise to pay in the first time it wont cause you more losses you can send your DEVICE ID to mail address below [email protected] [email protected] [email protected] DEVICE ID: AwCLF5UTCV0RI5EL3UURzEURGZUN5YzN1AzN2UkMGZDRCZTOzUTRzIUQyYTMERjNxY0MFlDNyAzM5E0QGdTMyUzQwQkQ3I0N0gTQwcDMFNkN0kDR2YUO2YTODVjNCJjMxETMwQzM3YzQEljN4MTNxkjRDZkRyUTQBJTN1EjN2kzM2I0N0gDRDRkM3MTREdDR4QkRCdDMycjREJDMyYkRDlDRCN0QFZjN1UEODNUNDlDRBREN3MjRCNUMDFURyYEM3QEO4cDRChTMDVTRBZDNDNkQyEEMBFEMyMDRGJEMBNDNygTR0QUOyETQGVUMzcDMDNEN2UDNFVER2Q0MENzQ5kTOBJERygDN1YkNxE0MxkzQ0IUN1cjMGF0MzAzQ2ADRwQ0NxMkQCN0Q5QkQ0QTQBV0MyUzNDNTRBRUQzEDR0IzM4AjRwYUNFRERzQkMyYzQBdzMFNTNGhjM3QENBhjN0UDOEZzQxYzNzQjRwEUQ4EjM5M0QycTQ0Q0MFV0MzMEOFVTOyUDO0MDMGJjRGJTNzMTQ2YDO3ITM3IkRwQTNzMkM3IkRBREMCZERwYzMxYzQ5QDO5ATR0IUOGljRCR0MxMkM3AjM1UEMzE0M2UTNzkzMyMERyMERFNER0EkNEVTM5AzMBFUMwIkM4YUN2AzQ5YkMCNUOBZDN3cTNxYDOBJENGRTR2QjQyQ0MCJEM5IDRERjNyQDM4kDO1EzNGJ0QCRzM3MEN2YjMBFzNyETR4MkNxgjQ5MjMBNzQ3YkRwIzMwUUOGFDRGFUMzIDNGlzQFdzNxgzMCVzMzMjM4YjQFFUN3IkN0EjNyEERyEUNFlzMzQDN3YTQ1YDNyMjRzU0QClTQEJ0N1MjREJUN2YkMFZDN2UjQFljNBFjM5IzMEJEOClDO3MkM5ETOxEkM1UTN3MER2YEMyQEN2IjN3IjN1UDRDVjNyMEN5YDN2EEMwIUN4MTM2kDMBBTOxUENDBTMzQURxkTQwEjQ2kjRCVEOzQjNxYjRyEERzETMChTNDhTMBRkQyMEMGlzN5YTO1MDR1YzQ4QjMBVjQygTRDZTOwMTM5EDOwIDM1QkNxEjMFZTRycjQ2QUM2IDO1YDO1UjN2QDN3kTOCBjM2EUM0IEO2cDNBR0M3YkQ3UzNzMUR0MjR2MDN2UERCVDMGdDR0kzNEZjRCFTNGJDNBRTN4EENFJTOyYUQ5MzQBBTNxYDN5MDO5IDNBNzNwgjRBNERGRkQGNjREZERGJjQ3YkMDFzM1kTODFUOwYDNzITQCFEODRDRwYUNBVDOEdTR4EUM0EzQ2UDM2UzN0EUMwI0N5MUNxMkQxQDOxYEMCVERBJTQwgTMzEUN2YTQBNkNCR0NBZDMxMTO4UkQDFzQ5ATR2wiR1kDOwQDR2UUMxIDNFRTMDJURyEkQxETNyYzQ3cDR3EDOGhjNElTN5MjRBZkQ5MERBJTM2QkQFFTMFZ0MBRTMwUER1cDMBhzNDFjMCJjRCZ0NCJjQGRURFZTMGV0MGFjNxQjNwUDNxMzN2QTOBdTM2EkMyIzMyUDNEN0NFNjM0YDRFVDMFVjREFUQyQzNxkzQBVjQ3IzMCVTQ1UEN5UDOChjM3EENGlDREFDNFFzM3ATQGRERzADODREOwUENGZkQzcjQ2czN1IUQDRTOxQzNCFjR3QjQ3YkQwcjM3UTMElDRxMDRzMTM4cTO1QURxATRCFUMDdjQ5QDRFVTQzQ0QGJTN4YTQCNER1MER2EzN2UTN0cTQCJ0Q1MzN1UDO2QkRFNUMFNkQGNUO2gzMwUEM4QERyQkM3YTRCFTR1UjMEN0Q3MDOzUEO3QkRDJTMBlTQxIURBJkQycjNwQTQ0QDOygzN3EEN3cjR0QENxMEO3gDRzQUQykzN3YzNxY0QxITMzIDNzUUNxEDMzgTR0MUNzYUNxgjR5QjMFN0QyQkQxAjQyQzQCBjNDBDOBRUN0cjRDR0NyQ0M2czQ3IEOCF0QGVTR0MkM3gjM3kjRCZDMCNERCZERDJzN5EUQzAjNBdzMzUENFRjQxYEM1EkQ4kzQzMUM0MzNEBzMDhjM5gjQFlTO2I0M0QkQDVTQGhTREVzMEdDRFNkR3IkMEVERycTRzgTRxMUM4QTQ1QUN3gzQGhjRDRER1YEM1gzNGRDODN0QDBjQzkTMBdTQBJEM3QEO4QjRxITQyYUNyUTN5kjNGZEN2EENwcDN2UzNwQUQGRTQ4YTQ2IUM2YkM4UkQyYERENURFFjRwIzNwIDN1kTR2cDM5cTQEJDR2cTRFJjM5I0MFZkNwAzNFR0M0ETMEVUMFZENFNUNxgjMzM0N4YUNykDMyQkMDZUNxkDMCZ0NwEDMERDNBJEO1kzQBlTREZjR5IUO3kjN5ATR4MDNFhTO1YzMzIUQ4kDMFJEMDFDR2EzMwEENBZDNxMkQBRDNyITQGlTNDVTQxgDO1QDMFVjM3E0NEBjMFJkQDhjMDljQEFEOFNTOwUjN1YER3MjQ4ITO1AjQDJ0MzATOwUER1M0N1QzQwIEOGhjNBZTN2UERFREOxMEOykjR2UTQ2QDREVDMBZEMykjNENURBVTO1EUR0YDO0EkNzETOENERGZEO2EEO5UDOCR0MFR0MDNkNFBjM5IzMyIUOxUzMwQjRCRkMBFDODVkM2UTM3gjR4UjR4EUM1EEMxI0QDFkQER0NFFTOBNzQwYkQDNTOxU0MEJDRFNjQFV0N3ITQ5IENyYjMxgTN3MERFBTOCVDO1kDOzY0N

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\296333\How_To_Decrypt_My_Files.txt

Family

ragnarok

Ransom Note

#what happend? Unfortunately your files are encrypted, To decrypt your files follow the instructions 1. you need a decrypt tool so that you can decrypt all of your files 2. contact with us for our btc address if you want decrypt your files or you can do nothing just wait your files gona be deleted 3. you can provide a file which size less than 3M for us to prove that we can decrypt your files after you paid 4. it is wise to pay in the first time it wont cause you more losses you can send your DEVICE ID to mail address below [email protected] [email protected] [email protected] DEVICE ID: AwCLF5UTCV0RI5EL3UURzEURGZUN5YzN1AzN2UkMGZDRCZTOzUTRzIUQyYTMERjNxY0MFlDNyAzM5E0QGdTMyUzQwQkQ3I0N0gTQwcDMFNkN0kDR2YUO2YTODVjNCJjMxETMwQzM3YzQEljN4MTNxkjRDZkRyUTQBJTN1EjN2kzM2I0N0gDRDRkM3MTREdDR4QkRCdDMycjREJDMyYkRDlDRCN0QFZjN1UEODNUNDlDRBREN3MjRCNUMDFURyYEM3QEO4cDRChTMDVTRBZDNDNkQyEEMBFEMyMDRGJEMBNDNygTR0QUOyETQGVUMzcDMDNEN2UDNFVER2Q0MENzQ5kTOBJERygDN1YkNxE0MxkzQ0IUN1cjMGF0MzAzQ2ADRwQ0NxMkQCN0Q5QkQ0QTQBV0MyUzNDNTRBRUQzEDR0IzM4AjRwYUNFRERzQkMyYzQBdzMFNTNGhjM3QENBhjN0UDOEZzQxYzNzQjRwEUQ4EjM5M0QycTQ0Q0MFV0MzMEOFVTOyUDO0MDMGJjRGJTNzMTQ2YDO3ITM3IkRwQTNzMkM3IkRBREMCZERwYzMxYzQ5QDO5ATR0IUOGljRCR0MxMkM3AjM1UEMzE0M2UTNzkzMyMERyMERFNER0EkNEVTM5AzMBFUMwIkM4YUN2AzQ5YkMCNUOBZDN3cTNxYDOBJENGRTR2QjQyQ0MCJEM5IDRERjNyQDM4kDO1EzNGJ0QCRzM3MEN2YjMBFzNyETR4MkNxgjQ5MjMBNzQ3YkRwIzMwUUOGFDRGFUMzIDNGlzQFdzNxgzMCVzMzMjM4YjQFFUN3IkN0EjNyEERyEUNFlzMzQDN3YTQ1YDNyMjRzU0QClTQEJ0N1MjREJUN2YkMFZDN2UjQFljNBFjM5IzMEJEOClDO3MkM5ETOxEkM1UTN3MER2YEMyQEN2IjN3IjN1UDRDVjNyMEN5YDN2EEMwIUN4MTM2kDMBBTOxUENDBTMzQURxkTQwEjQ2kjRCVEOzQjNxYjRyEERzETMChTNDhTMBRkQyMEMGlzN5YTO1MDR1YzQ4QjMBVjQygTRDZTOwMTM5EDOwIDM1QkNxEjMFZTRycjQ2QUM2IDO1YDO1UjN2QDN3kTOCBjM2EUM0IEO2cDNBR0M3YkQ3UzNzMUR0MjR2MDN2UERCVDMGdDR0kzNEZjRCFTNGJDNBRTN4EENFJTOyYUQ5MzQBBTNxYDN5MDO5IDNBNzNwgjRBNERGRkQGNjREZERGJjQ3YkMDFzM1kTODFUOwYDNzITQCFEODRDRwYUNBVDOEdTR4EUM0EzQ2UDM2UzN0EUMwI0N5MUNxMkQxQDOxYEMCVERBJTQwgTMzEUN2YTQBNkNCR0NBZDMxMTO4UkQDFzQ5ATR2wiR1kDOwQDR2UUMxIDNFRTMDJURyEkQxETNyYzQ3cDR3EDOGhjNElTN5MjRBZkQ5MERBJTM2QkQFFTMFZ0MBRTMwUER1cDMBhzNDFjMCJjRCZ0NCJjQGRURFZTMGV0MGFjNxQjNwUDNxMzN2QTOBdTM2EkMyIzMyUDNEN0NFNjM0YDRFVDMFVjREFUQyQzNxkzQBVjQ3IzMCVTQ1UEN5UDOChjM3EENGlDREFDNFFzM3ATQGRERzADODREOwUENGZkQzcjQ2czN1IUQDRTOxQzNCFjR3QjQ3YkQwcjM3UTMElDRxMDRzMTM4cTO1QURxATRCFUMDdjQ5QDRFVTQzQ0QGJTN4YTQCNER1MER2EzN2UTN0cTQCJ0Q1MzN1UDO2QkRFNUMFNkQGNUO2gzMwUEM4QERyQkM3YTRCFTR1UjMEN0Q3MDOzUEO3QkRDJTMBlTQxIURBJkQycjNwQTQ0QDOygzN3EEN3cjR0QENxMEO3gDRzQUQykzN3YzNxY0QxITMzIDNzUUNxEDMzgTR0MUNzYUNxgjR5QjMFN0QyQkQxAjQyQzQCBjNDBDOBRUN0cjRDR0NyQ0M2czQ3IEOCF0QGVTR0MkM3gjM3kjRCZDMCNERCZERDJzN5EUQzAjNBdzMzUENFRjQxYEM1EkQ4kzQzMUM0MzNEBzMDhjM5gjQFlTO2I0M0QkQDVTQGhTREVzMEdDRFNkR3IkMEVERycTRzgTRxMUM4QTQ1QUN3gzQGhjRDRER1YEM1gzNGRDODN0QDBjQzkTMBdTQBJEM3QEO4QjRxITQyYUNyUTN5kjNGZEN2EENwcDN2UzNwQUQGRTQ4YTQ2IUM2YkM4UkQyYERENURFFjRwIzNwIDN1kTR2cDM5cTQEJDR2cTRFJjM5I0MFZkNwAzNFR0M0ETMEVUMFZENFNUNxgjMzM0N4YUNykDMyQkMDZUNxkDMCZ0NwEDMERDNBJEO1kzQBlTREZjR5IUO3kjN5ATR4MDNFhTO1YzMzIUQ4kDMFJEMDFDR2EzMwEENBZDNxMkQBRDNyITQGlTNDVTQxgDO1QDMFVjM3E0NEBjMFJkQDhjMDljQEFEOFNTOwUjN1YER3MjQ4ITO1AjQDJ0MzATOwUER1M0N1QzQwIEOGhjNBZTN2UERFREOxMEOykjR2UTQ2QDREVDMBZEMykjNENURBVTO1EUR0YDO0EkNzETOENERGZEO2EEO5UDOCR0MFR0MDNkNFBjM5IzMyIUOxUzMwQjRCRkMBFDODVkM2UTM3gjR4UjR4EUM1EEMxI0QDFkQER0NFFTOBNzQwYkQDNTOxU0MEJDRFNjQFV0N3ITQ5IENyYjMxgTN3MERFBTOCVDO1kDOzY0N#what happend? Unfortunately your files are encrypted, To decrypt your files follow the instructions 1. you need a decrypt tool so that you can decrypt all of your files 2. contact with us for our btc address if you want decrypt your files or you can do nothing just wait your files gona be deleted 3. you can provide a file which size less than 3M for us to prove that we can decrypt your files after you paid 4. it is wise to pay in the first time it wont cause you more losses you can send your DEVICE ID to mail address below [email protected] [email protected] [email protected] DEVICE ID: AwCLF5UTCV0RI5EL3UURzEURGZUN5YzN1AzN2UkMGZDRCZTOzUTRzIUQyYTMERjNxY0MFlDNyAzM5E0QGdTMyUzQwQkQ3I0N0gTQwcDMFNkN0kDR2YUO2YTODVjNCJjMxETMwQzM3YzQEljN4MTNxkjRDZkRyUTQBJTN1EjN2kzM2I0N0gDRDRkM3MTREdDR4QkRCdDMycjREJDMyYkRDlDRCN0QFZjN1UEODNUNDlDRBREN3MjRCNUMDFURyYEM3QEO4cDRChTMDVTRBZDNDNkQyEEMBFEMyMDRGJEMBNDNygTR0QUOyETQGVUMzcDMDNEN2UDNFVER2Q0MENzQ5kTOBJERygDN1YkNxE0MxkzQ0IUN1cjMGF0MzAzQ2ADRwQ0NxMkQCN0Q5QkQ0QTQBV0MyUzNDNTRBRUQzEDR0IzM4AjRwYUNFRERzQkMyYzQBdzMFNTNGhjM3QENBhjN0UDOEZzQxYzNzQjRwEUQ4EjM5M0QycTQ0Q0MFV0MzMEOFVTOyUDO0MDMGJjRGJTNzMTQ2YDO3ITM3IkRwQTNzMkM3IkRBREMCZERwYzMxYzQ5QDO5ATR0IUOGljRCR0MxMkM3AjM1UEMzE0M2UTNzkzMyMERyMERFNER0EkNEVTM5AzMBFUMwIkM4YUN2AzQ5YkMCNUOBZDN3cTNxYDOBJENGRTR2QjQyQ0MCJEM5IDRERjNyQDM4kDO1EzNGJ0QCRzM3MEN2YjMBFzNyETR4MkNxgjQ5MjMBNzQ3YkRwIzMwUUOGFDRGFUMzIDNGlzQFdzNxgzMCVzMzMjM4YjQFFUN3IkN0EjNyEERyEUNFlzMzQDN3YTQ1YDNyMjRzU0QClTQEJ0N1MjREJUN2YkMFZDN2UjQFljNBFjM5IzMEJEOClDO3MkM5ETOxEkM1UTN3MER2YEMyQEN2IjN3IjN1UDRDVjNyMEN5YDN2EEMwIUN4MTM2kDMBBTOxUENDBTMzQURxkTQwEjQ2kjRCVEOzQjNxYjRyEERzETMChTNDhTMBRkQyMEMGlzN5YTO1MDR1YzQ4QjMBVjQygTRDZTOwMTM5EDOwIDM1QkNxEjMFZTRycjQ2QUM2IDO1YDO1UjN2QDN3kTOCBjM2EUM0IEO2cDNBR0M3YkQ3UzNzMUR0MjR2MDN2UERCVDMGdDR0kzNEZjRCFTNGJDNBRTN4EENFJTOyYUQ5MzQBBTNxYDN5MDO5IDNBNzNwgjRBNERGRkQGNjREZERGJjQ3YkMDFzM1kTODFUOwYDNzITQCFEODRDRwYUNBVDOEdTR4EUM0EzQ2UDM2UzN0EUMwI0N5MUNxMkQxQDOxYEMCVERBJTQwgTMzEUN2YTQBNkNCR0NBZDMxMTO4UkQDFzQ5ATR2wiR1kDOwQDR2UUMxIDNFRTMDJURyEkQxETNyYzQ3cDR3EDOGhjNElTN5MjRBZkQ5MERBJTM2QkQFFTMFZ0MBRTMwUER1cDMBhzNDFjMCJjRCZ0NCJjQGRURFZTMGV0MGFjNxQjNwUDNxMzN2QTOBdTM2EkMyIzMyUDNEN0NFNjM0YDRFVDMFVjREFUQyQzNxkzQBVjQ3IzMCVTQ1UEN5UDOChjM3EENGlDREFDNFFzM3ATQGRERzADODREOwUENGZkQzcjQ2czN1IUQDRTOxQzNCFjR3QjQ3YkQwcjM3UTMElDRxMDRzMTM4cTO1QURxATRCFUMDdjQ5QDRFVTQzQ0QGJTN4YTQCNER1MER2EzN2UTN0cTQCJ0Q1MzN1UDO2QkRFNUMFNkQGNUO2gzMwUEM4QERyQkM3YTRCFTR1UjMEN0Q3MDOzUEO3QkRDJTMBlTQxIURBJkQycjNwQTQ0QDOygzN3EEN3cjR0QENxMEO3gDRzQUQykzN3YzNxY0QxITMzIDNzUUNxEDMzgTR0MUNzYUNxgjR5QjMFN0QyQkQxAjQyQzQCBjNDBDOBRUN0cjRDR0NyQ0M2czQ3IEOCF0QGVTR0MkM3gjM3kjRCZDMCNERCZERDJzN5EUQzAjNBdzMzUENFRjQxYEM1EkQ4kzQzMUM0MzNEBzMDhjM5gjQFlTO2I0M0QkQDVTQGhTREVzMEdDRFNkR3IkMEVERycTRzgTRxMUM4QTQ1QUN3gzQGhjRDRER1YEM1gzNGRDODN0QDBjQzkTMBdTQBJEM3QEO4QjRxITQyYUNyUTN5kjNGZEN2EENwcDN2UzNwQUQGRTQ4YTQ2IUM2YkM4UkQyYERENURFFjRwIzNwIDN1kTR2cDM5cTQEJDR2cTRFJjM5I0MFZkNwAzNFR0M0ETMEVUMFZENFNUNxgjMzM0N4YUNykDMyQkMDZUNxkDMCZ0NwEDMERDNBJEO1kzQBlTREZjR5IUO3kjN5ATR4MDNFhTO1YzMzIUQ4kDMFJEMDFDR2EzMwEENBZDNxMkQBRDNyITQGlTNDVTQxgDO1QDMFVjM3E0NEBjMFJkQDhjMDljQEFEOFNTOwUjN1YER3MjQ4ITO1AjQDJ0MzATOwUER1M0N1QzQwIEOGhjNBZTN2UERFREOxMEOykjR2UTQ2QDREVDMBZEMykjNENURBVTO1EUR0YDO0EkNzETOENERGZEO2EEO5UDOCR0MFR0MDNkNFBjM5IzMyIUOxUzMwQjRCRkMBFDODVkM2UTM3gjR4UjR4EUM1EEMxI0QDFkQER0NFFTOBNzQwYkQDNTOxU0MEJDRFNjQFV0N3ITQ5IENyYjMxgTN3MERFBTOCVDO1kDOzY0N

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4004	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2548	OpenWith.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
344	vssadmin.exe

Ragnarok
Ransomware family deployed from Citrix servers infected via CVE-2019-19781.
ransomware ragnarok

Makes http(s) request 2 IoCs

Contacts server via http/https, possibly for C2 communication.

description	flow	ioc
HTTP URL	1	http:///START_
HTTP URL	4	http:///NHGEBMNE&pub_ip=&prv_ip=&.doc0009.txt0060.xls0007.ppt0002.sql0000.pdf0000

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File created	C:\Users\Admin\Saved Games\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\AccountPictures\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Documents\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Music\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Desktop\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Favorites\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Downloads\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Desktop\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Downloads\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Contacts\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Libraries\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Documents\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Videos\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Pictures\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Music\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Searches\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Public\Videos\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Links\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
File created	C:\Users\Admin\Pictures\desktop.ini	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2132	vssvc.exe
Token: SeRestorePrivilege	2132	vssvc.exe
Token: SeAuditPrivilege	2132	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4068	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
4068	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000_Classes\Local Settings	OpenWith.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 4036	4068	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	68
PID 4068 wrote to memory of 4036	4068	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	68
PID 4068 wrote to memory of 4048	4068	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	69
PID 4068 wrote to memory of 4048	4068	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	69
PID 4068 wrote to memory of 4032	4068	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	70
PID 4068 wrote to memory of 4032	4068	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	70
PID 4068 wrote to memory of 4052	4068	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	71
PID 4068 wrote to memory of 4052	4068	ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe	71

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1016	bcdedit.exe
4008	bcdedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4004	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe
"C:\Users\Admin\AppData\Local\Temp\ee7221f0d74d03a613ca334aa6cacbcff381a10a1d0ded8a485c3ad1ba8530e1.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c vssadmin delete shadows /all /quiet
  2⤵
  PID:4036
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:344
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2⤵
  PID:4048
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1016
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c bcdedit /set {current} recoveryenabled no
  2⤵
  PID:4032
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4008
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c netsh advfirewall set allprofiles state off
  2⤵
  PID:4052
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    PID:3832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:2132

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\How_To_Decrypt_My_Files.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Modifies registry class
PID:2548