8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe

General

Target: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
Filesize: 835KB
Completed: 07-05-2020 11:14
Score: 10/10
MD5: 2cc70c4beed0ba6db11c63bf435c6bf2
SHA1: 18348a70148e1424ba4c30298b05f3f8820313cd
SHA256: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8

Malware Config

Extracted

Path: C:\_readme.txt

Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xcn1Dtzak4 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: helpmanager@mail.ch Reserve e-mail address to contact us: restoremanager@firemail.cc Your personal ID: 0224yiuduy6S5dcnlKQ98kXDvxgsXzukMEM5f3xFKfqIWvhqUxfWVb
Emails

helpmanager@mail.ch

restoremanager@firemail.cc

URLs

https://we.tl/t-xcn1Dtzak4

Signatures 21

  • Executes dropped EXE
    Processes: updatewin1.exe, updatewin2.exe, 5.exe, 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe

    Reported IOCs

    PID  | Process
    1836 | updatewin1.exe
    1260 | updatewin2.exe
    308  | updatewin1.exe
    1580 | 5.exe
    1468 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
  • Checks for installed software on the system
    Processes: 5.exe

    TTPs: Query Registry

    Reported IOCs

    Description | IOC | Process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName | 5.exe
    Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName | 5.exe
    Key enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName | 5.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName | 5.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    Flow | IOC
    21   | ip-api.com
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs: Data from Local System, Credentials in Files
  • Suspicious behavior: EnumeratesProcesses
    Processes: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe, powershell.exe, 5.exe

    Reported IOCs (repeated rows collapsed into a count)

    PID  | Process | Count
    1304 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 1
    1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 2
    820  | powershell.exe | 3
    1580 | 5.exe | 4
    1064 | powershell.exe | 2
    1596 | powershell.exe | 1
    1468 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 2
  • Loads dropped DLL
    Processes: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe, updatewin1.exe, 5.exe

    Reported IOCs (repeated rows collapsed into a count)

    PID  | Process | Count
    1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 4
    1836 | updatewin1.exe | 5
    308  | updatewin1.exe | 3
    1580 | 5.exe | 4
  • Checks processor information in registry
    Processes: 5.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs: Query Registry, System Information Discovery

    Reported IOCs

    Description | IOC | Process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 5.exe
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory
    Processes: updatewin2.exe

    Reported IOCs

    Description | IOC | Process
    File opened for modification | C:\Windows\System32\drivers\etc\hosts | updatewin2.exe

    The target is the system hosts file, so this is name-resolution tampering rather than a driver being dropped; the report records the open for write but not what was written.
  • Opens file in notepad (likely ransom note)
    Processes: NOTEPAD.EXE

    Reported IOCs

    PID | Process
    964 | NOTEPAD.EXE
  • Suspicious use of WriteProcessMemory
    Processes: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe, updatewin1.exe, powershell.exe

    Reported IOCs (repeated rows collapsed into a call count)

    Writer PID | Writer process | Target PID | Target process | Calls
    1304 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 1100 | icacls.exe | 4
    1304 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 4
    1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 1836 | updatewin1.exe | 7
    1836 | updatewin1.exe | 308 | updatewin1.exe | 7
    1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 1260 | updatewin2.exe | 7
    308  | updatewin1.exe | 820 | powershell.exe | 7
    1672 | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe | 1580 | 5.exe | 4
    308  | updatewin1.exe | 1064 | powershell.exe | 7
    1064 | powershell.exe | 1596 | powershell.exe | 7
    308  | updatewin1.exe | 1360 | mpcmdrun.exe | 4
    308  | updatewin1.exe | 1648 | cmd.exe | 6

    Every target is a process the writer had just launched (compare the process tree below): the writes follow the spawn chain rather than going into an unrelated, already-running process, so this table documents process creation, not code injection.
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs: Data from Local System, Credentials in Files
  • Adds Run entry to start application
    Processes: 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe

    TTPs: Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    Description | IOC | Process
    Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\64f06f71-f1ea-4bc2-9e1c-73eea48b1772\\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe\" --AutoStart" | 8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe

    The Run value relaunches the copy placed in the GUID-named directory under %LOCALAPPDATA% (the directory icacls locks down in the process tree) with --AutoStart. The process tree also shows taskeng.exe starting that same copy with --Task (PID 1468), so a scheduled task is a second persistence trigger alongside the Run key.
  • Office loads VBA resources, possible macro or embedded object present
  • Makes http(s) request

    Description

    Contacts server via http/https, possibly for C2 communication.

    Reported IOCs (all rows are "HTTP URL" entries, ordered by flow id)

    Flow | URL
    6  | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    9  | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    11 | http://akbz.top/files/penelop/updatewin1.exe
    12 | http://akbz.top/ydtftysdtyftysdfsdpen3/get.php?pid=ADD92632311B7FBC9E7C4B15A8803926&first=true
    13 | http://akbz.top/files/penelop/updatewin2.exe
    14 | http://akbz.top/files/penelop/updatewin.exe
    15 | http://akbz.top/files/penelop/3.exe
    16 | http://akbz.top/files/penelop/4.exe
    17 | http://akbz.top/files/penelop/5.exe
    20 | http://chumashpeople.com/freebl3.dll
    20 | http://chumashpeople.com/mozglue.dll
    20 | http://chumashpeople.com/softokn3.dll
    20 | http://chumashpeople.com/
    20 | http://chumashpeople.com/msvcp140.dll
    20 | http://chumashpeople.com/vcruntime140.dll
    20 | http://chumashpeople.com/517
    20 | http://chumashpeople.com/nss3.dll
    22 | http://ip-api.com/line/
    30 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
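Read in flow order, the request table is a timeline: certificate-trust-list fetches from Microsoft, the staged downloads from akbz.top around a check-in to get.php that carries a 32-hex-character pid, a second host serving Mozilla's NSS libraries (nss3, softokn3, freebl3, mozglue) plus the VC++ runtime they link against, and the ip-api.com lookup. The NSS set is what a stealer needs on disk to decrypt Firefox's saved logins, which is the behaviour the "Reads user/profile data of web browsers" signature above records. The script below is an added example for this page, not part of the report: the URL list is transcribed from the table, while the role labels, the benign-host list and the NSS interpretation are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# URLs transcribed from the "Makes http(s) request" table of this report, in flow order, repeats kept.
URLS = [
    'http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab',
    'http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab',
    'http://akbz.top/files/penelop/updatewin1.exe',
    'http://akbz.top/ydtftysdtyftysdfsdpen3/get.php?pid=ADD92632311B7FBC9E7C4B15A8803926&first=true',
    'http://akbz.top/files/penelop/updatewin2.exe',
    'http://akbz.top/files/penelop/updatewin.exe',
    'http://akbz.top/files/penelop/3.exe',
    'http://akbz.top/files/penelop/4.exe',
    'http://akbz.top/files/penelop/5.exe',
    'http://chumashpeople.com/freebl3.dll',
    'http://chumashpeople.com/mozglue.dll',
    'http://chumashpeople.com/softokn3.dll',
    'http://chumashpeople.com/',
    'http://chumashpeople.com/msvcp140.dll',
    'http://chumashpeople.com/vcruntime140.dll',
    'http://chumashpeople.com/517',
    'http://chumashpeople.com/nss3.dll',
    'http://ip-api.com/line/',
    'http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab',
]

# Mozilla NSS libraries: the dependency set a stealer fetches so it can call the PK11 API that
# decrypts Firefox's stored logins. msvcp140/vcruntime140 are the VC++ runtime those builds need.
# (Interpretation added for this example; the report only lists the file names.)
NSS_DLLS = {'nss3.dll', 'softokn3.dll', 'freebl3.dll', 'mozglue.dll'}
# Windows' own certificate-trust-list refresh, triggered whenever something on the guest validates a
# signature or TLS chain; present in nearly every Windows sandbox run and not attacker infrastructure.
BENIGN_HOSTS = {'www.download.windowsupdate.com'}


def classify(url):
    """Assign one request a role in the infection chain."""
    u = urlparse(url)
    name = u.path.rsplit('/', 1)[-1].lower()
    if u.netloc in BENIGN_HOSTS:
        return 'benign-noise'
    if u.netloc == 'ip-api.com':
        return 'ip-lookup'
    if name.endswith('.exe'):
        return 'payload-download'
    if name.endswith('.dll'):
        return 'nss-dll' if name in NSS_DLLS else 'runtime-dll'
    if 'pid' in parse_qs(u.query):
        return 'c2-checkin'
    return 'other'


def triage(urls):
    """Group URLs by role, preserving the order in which they were seen."""
    groups = defaultdict(list)
    for url in urls:
        groups[classify(url)].append(url)
    return dict(groups)


def checkin_ids(urls):
    """Victim identifiers carried on check-in: 32 hex characters, the width of an MD5."""
    found = set()
    for url in urls:
        for value in parse_qs(urlparse(url).query).get('pid', []):
            if re.fullmatch(r'[0-9A-Fa-f]{32}', value):
                found.add(value)
    return found


def hosts_to_block(urls):
    """Hosts worth blocking: everything except Microsoft's CTL host and the shared, dual-use IP lookup."""
    return sorted({urlparse(u).netloc for u in urls} - BENIGN_HOSTS - {'ip-api.com'})


if __name__ == '__main__':
    for role, members in sorted(triage(URLS).items()):
        print(f'{role:17s} {len(members):2d}  e.g. {members[0]}')
    print('check-in ids:', checkin_ids(URLS))
    print('block:', hosts_to_block(URLS))
```

Keeping ip-api.com out of the blocklist is deliberate: it is a public service with legitimate users, so block it only where policy already forbids external IP lookups; the two staging hosts and the check-in path are the actionable network IOCs.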
  • Modifies file permissions
    Processes: icacls.exe

    TTPs: File Permissions Modification

    Reported IOCs

    PID  | Process
    1100 | icacls.exe

    The command line (process tree, PID 1100) is icacls "C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772" /deny *S-1-1-0:(OI)(CI)(DE,DC): it adds a deny ACE for Everyone (S-1-1-0) covering Delete and Delete-Child, inherited by files and subfolders, on the directory that holds the persistent copy. Cleanup has to remove that ACE (or take ownership) before the copy can be deleted.
  • Modifies registry class
    Processes: rundll32.exe

    Reported IOCs

    Description | IOC | Process
    Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_Classes\Local Settings | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\ | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\.sqpc | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell\edit\command | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell\edit\command\ = "\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell\edit\ = "&Edit" | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\.sqpc\ = "sqpc_auto_file" | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\sqpc_auto_file\shell\edit | rundll32.exe

    These keys register the .sqpc extension (the suffix appended to encrypted files, e.g. C:\vcredist2010_x64.log.html.sqpc in the process tree) with WINWORD.EXE as its Edit handler. They are written by the shell's Open With dialog (rundll32 shell32.dll,OpenAs_RunDLL in the process tree) when the encrypted file is opened during the run, not by the sample's own code; the extension itself is the useful indicator.
  • Suspicious use of AdjustPrivilegeToken
    Processes: powershell.exe, taskkill.exe

    Reported IOCs

    Description | PID | Process
    Token: SeDebugPrivilege | 820 | powershell.exe
    Token: SeDebugPrivilege | 1064 | powershell.exe
    Token: SeDebugPrivilege | 1596 | powershell.exe
    Token: SeDebugPrivilege | 1532 | taskkill.exe
  • Suspicious use of SetWindowsHookEx
    Processes: WINWORD.EXE

    Reported IOCs (repeated rows collapsed into a count)

    PID  | Process | Count
    1920 | WINWORD.EXE | 2
  • Suspicious behavior: AddClipboardFormatListener
    Processes: WINWORD.EXE

    Reported IOCs

    PID  | Process
    1920 | WINWORD.EXE
  • Kills process with taskkill
    Processes: taskkill.exe

    Reported IOCs

    PID  | Process
    1532 | taskkill.exe
Processes 20
  • C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
    "C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    Adds Run entry to start application
    PID:1304
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Modifies file permissions
      PID:1100
    • C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
      "C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe" --Admin IsNotAutoStart IsNotTask
      Suspicious behavior: EnumeratesProcesses
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe
        "C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe"
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe
          "C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe" --Admin
          Executes dropped EXE
          Loads dropped DLL
          Suspicious use of WriteProcessMemory
          PID:308
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            PID:820
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of WriteProcessMemory
            Suspicious use of AdjustPrivilegeToken
            PID:1064
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
              Suspicious behavior: EnumeratesProcesses
              Suspicious use of AdjustPrivilegeToken
              PID:1596
          • C:\Program Files\Windows Defender\mpcmdrun.exe
            "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
            PID:1360
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
            PID:1648
      • C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin2.exe
        "C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin2.exe"
        Executes dropped EXE
        Drops file in Drivers directory
        PID:1260
      • C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe
        "C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe"
        Executes dropped EXE
        Checks for installed software on the system
        Suspicious behavior: EnumeratesProcesses
        Loads dropped DLL
        Checks processor information in registry
        PID:1580
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe & exit
          PID:472
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im 5.exe /f
            Suspicious use of AdjustPrivilegeToken
            Kills process with taskkill
            PID:1532
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {65C496CB-191E-440E-97FC-7685B6CEC89D} S-1-5-21-910373003-3952921535-3480519689-1000:DJRWGDLZ\Admin:Interactive:[1]
    PID:1480
    • C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
      C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe --Task
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1468
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    PID:1552
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\vcredist2010_x64.log.html.sqpc
    Modifies registry class
    PID:1944
    • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\vcredist2010_x64.log.html.sqpc"
      Suspicious use of SetWindowsHookEx
      Suspicious behavior: AddClipboardFormatListener
      PID:1920
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
    Opens file in notepad (likely ransom note)
    PID:964
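The WriteProcessMemory table and the process tree above describe the same chain twice: every recorded write goes from a process into a child it had just created, and the behaviour worth alerting on sits in the child command lines (the icacls deny ACE on the GUID directory, Set-ExecutionPolicy followed by an -ExecutionPolicy Bypass relaunch of script.ps1 with -Verb RunAs, mpcmdrun -removedefinitions -all, the taskkill-and-erase and delself.bat self-removal, and the --Task relaunch under taskeng.exe). The script below is an added example, not part of the report: it transcribes those events, rebuilds each process's ancestry, flags command lines with regex rules, and checks the memory writes against the parent map so that a write into a process the writer did not launch would stand out. The rule names and the event list are this example's own; the command lines are copied from the tree.

```python
import re
from collections import defaultdict

# Process-creation events transcribed from the process tree above: (pid, parent pid, command line).
# The parent of the first sample instance (1304) is not shown in the report, hence None.
# taskeng.exe (1480), explorer.exe, rundll32.exe, WINWORD.EXE and NOTEPAD.EXE are left out.
EVENTS = [
    (1304, None, r'"C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe"'),
    (1100, 1304, r'icacls "C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (1672, 1304, r'"C:\Users\Admin\AppData\Local\Temp\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe" --Admin IsNotAutoStart IsNotTask'),
    (1836, 1672, r'"C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe"'),
    (308, 1836, r'"C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe" --Admin'),
    (820, 308, r'powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned'),
    (1064, 308, r'''powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"'''),
    (1596, 1064, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1'),
    (1360, 308, r'"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all'),
    (1648, 308, r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""'),
    (1260, 1672, r'"C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin2.exe"'),
    (1580, 1672, r'"C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe"'),
    (472, 1580, r'"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe & exit'),
    (1468, 1480, r'C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe --Task'),
]

# WriteProcessMemory edges from the signature table: (writer pid, target pid, call count).
WRITES = [
    (1304, 1100, 4), (1304, 1672, 4), (1672, 1836, 7), (1836, 308, 7), (1672, 1260, 7),
    (308, 820, 7), (1672, 1580, 4), (308, 1064, 7), (1064, 1596, 7), (308, 1360, 4), (308, 1648, 6),
]

GUID = r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
# Rule names are this example's own labels.
RULES = {
    # Everyone (S-1-1-0) denied Delete/Delete-Child, inherited to files and subfolders, on a
    # directory under the user profile: the payload shielding its own copy from removal.
    'acl_self_protect': re.compile(r'icacls .*\\AppData\\Local\\.*/deny \*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)', re.I),
    # Any reference to an .exe inside a GUID-named folder directly under %LOCALAPPDATA%.
    'guid_dir_exe': re.compile(r'\\AppData\\Local\\' + GUID + r'\\[^\\"]+\.exe', re.I),
    # Relaunch switches used by the Run key (--AutoStart) and the scheduled task (--Task).
    'persistence_relaunch': re.compile(r'\.exe"? --(AutoStart|Task)\b'),
    'execpolicy_tamper': re.compile(r'Set-ExecutionPolicy|-ExecutionPolicy Bypass', re.I),
    'uac_prompt': re.compile(r'Start-Process .*-Verb RunAs', re.I),
    'defender_defs_removed': re.compile(r'mpcmdrun\.exe"? .*-removedefinitions', re.I),
    # taskkill-then-erase, or the dropped delself.bat, removing a component after it has run.
    'self_delete': re.compile(r'taskkill /im \S+ /f & erase|delself\.bat', re.I),
}


def scan(events):
    """Map each rule name to the set of pids whose command line matches it."""
    hits = defaultdict(set)
    for pid, _ppid, cmdline in events:
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits[name].add(pid)
    return dict(hits)


def ancestry(events, pid):
    """Pid chain from the highest known ancestor down to `pid`."""
    parent = {p: pp for p, pp, _ in events}
    chain = [pid]
    while parent.get(chain[-1]) in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def unexpected_writes(events, writes):
    """Writes whose target is not a direct child of the writer.

    A parent writes into a child it is launching, so those edges are expected; a write into an
    unrelated, already-running process is the injection signal. Empty for this report's data.
    """
    parent = {p: pp for p, pp, _ in events}
    return [(w, t) for w, t, _ in writes if parent.get(t) != w]


if __name__ == '__main__':
    for name, pids in sorted(scan(EVENTS).items()):
        print(f'{name:22s} {sorted(pids)}')
    print('chain to script.ps1 host:', ' -> '.join(map(str, ancestry(EVENTS, 1596))))
    print('writes into non-children:', unexpected_writes(EVENTS, WRITES))
```

Running it against this report fires every rule at least once and reports no writes into non-children, which is exactly the reading given under the WriteProcessMemory signature above; feeding it a write whose target has a different parent (or none recorded) returns that edge as the candidate injection.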
Downloads
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  • C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe
  • C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe
  • C:\Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin2.exe
  • C:\Users\Admin\AppData\Local\64f06f71-f1ea-4bc2-9e1c-73eea48b1772\8dad2f78f4ac3756165293666361a157ecaf50e2c2c8344cccd09f018912f3a8.exe
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e331f9c7-6ec8-40f5-b318-7a4a05eb497d
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  • C:\Users\Admin\AppData\Local\Temp\delself.bat
  • C:\Users\Admin\AppData\Local\script.ps1
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  • C:\_readme.txt
  • C:\vcredist2010_x64.log.html.sqpc
  • \ProgramData\mozglue.dll
  • \ProgramData\msvcp140.dll
  • \ProgramData\nss3.dll
  • \ProgramData\vcruntime140.dll
  • \Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\5.exe
  • \Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin1.exe
  • \Users\Admin\AppData\Local\41b5f5f8-32b5-41f5-b7f3-7b21be66616a\updatewin2.exe
  • memory/308-23-0x0000000001EB0000-0x0000000001EC1000-memory.dmp
  • memory/308-25-0x00000000005D2000-0x00000000005D3000-memory.dmp
  • memory/1260-18-0x0000000001DF0000-0x0000000001E01000-memory.dmp
  • memory/1260-24-0x00000000005EF000-0x00000000005F0000-memory.dmp
  • memory/1304-1-0x0000000001EE0000-0x0000000001EF1000-memory.dmp
  • memory/1304-0-0x0000000000220000-0x00000000002B1000-memory.dmp
  • memory/1468-55-0x0000000000310000-0x00000000003A1000-memory.dmp
  • memory/1468-56-0x0000000001E40000-0x0000000001E51000-memory.dmp
  • memory/1580-29-0x0000000002FC8000-0x0000000002FD9000-memory.dmp
  • memory/1580-30-0x00000000030C0000-0x00000000030D1000-memory.dmp
  • memory/1672-4-0x0000000001FC0000-0x0000000001FD1000-memory.dmp
  • memory/1672-3-0x0000000000220000-0x00000000002B1000-memory.dmp
  • memory/1672-58-0x00000000039D0000-0x00000000039E1000-memory.dmp
  • memory/1672-59-0x0000000003DE0000-0x0000000003DF1000-memory.dmp
  • memory/1672-60-0x00000000039D0000-0x00000000039E1000-memory.dmp
  • memory/1836-12-0x0000000001E70000-0x0000000001E81000-memory.dmp
  • memory/1836-13-0x00000000002E0000-0x00000000002E1000-memory.dmp