Analysis
- max time kernel: 144s
- max time network: 143s
- platform: windows10_x64
- resource: win10
- submitted: 18-06-2020 02:08

Static task: static1
Behavioral task: behavioral1
- Sample: 90a909a4508aa899b4be372e7de6f500.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: 90a909a4508aa899b4be372e7de6f500.exe
- Resource: win10
General
- Target: 90a909a4508aa899b4be372e7de6f500.exe
- Size: 62KB
- MD5: 90a909a4508aa899b4be372e7de6f500
- SHA1: 7bb201923d7055c149858d087c0a44ab9530536e
- SHA256: 1c83ff2394da76e6296e6ad72c40dbde107704a711bbd08b633c57587230ccf8
- SHA512: 57b732ac3827878c81ed45e26001695c42240b6eb16d4c9d0ecd34d41ede0d598983c156a5c22c8a5f79e81437ed308e0414571cda1c0725ab7b2b3ef9f683cf
Malware Config
Extracted from C:\Users\Admin\AppData\Local\Temp\DEAL_FOR_ACCESS_TO_YOUR_FILES.txt:
- l1u1t1@secmail.pro
Signatures

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Drops startup file (1 IoC)
  Processes: 90a909a4508aa899b4be372e7de6f500.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | 90a909a4508aa899b4be372e7de6f500.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Enumerates connected drives (3 TTPs, 18 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: vssadmin.exe (x10)
  description | ioc | process
  File opened (read-only) | \??\E: | vssadmin.exe
  File opened (read-only) | \??\E: | vssadmin.exe
  File opened (read-only) | \??\G: | vssadmin.exe
  File opened (read-only) | \??\g: | vssadmin.exe
  File opened (read-only) | \??\D: | vssadmin.exe
  File opened (read-only) | \??\D: | vssadmin.exe
  File opened (read-only) | \??\f: | vssadmin.exe
  File opened (read-only) | \??\F: | vssadmin.exe
  File opened (read-only) | \??\g: | vssadmin.exe
  File opened (read-only) | \??\e: | vssadmin.exe
  File opened (read-only) | \??\F: | vssadmin.exe
  File opened (read-only) | \??\G: | vssadmin.exe
  File opened (read-only) | \??\h: | vssadmin.exe
  File opened (read-only) | \??\e: | vssadmin.exe
  File opened (read-only) | \??\f: | vssadmin.exe
  File opened (read-only) | \??\H: | vssadmin.exe
  File opened (read-only) | \??\H: | vssadmin.exe
  File opened (read-only) | \??\h: | vssadmin.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

- Interacts with shadow copies (2 TTPs, 14 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (x14)
  pid | process
  3632 | vssadmin.exe
  3948 | vssadmin.exe
  740 | vssadmin.exe
  496 | vssadmin.exe
  476 | vssadmin.exe
  3940 | vssadmin.exe
  3924 | vssadmin.exe
  3824 | vssadmin.exe
  3796 | vssadmin.exe
  3820 | vssadmin.exe
  3584 | vssadmin.exe
  3928 | vssadmin.exe
  3448 | vssadmin.exe
  4008 | vssadmin.exe
- Kills process with taskkill (3 IoCs)
  Processes: taskkill.exe (x3)
  pid | process
  3832 | taskkill.exe
  776 | taskkill.exe
  2960 | taskkill.exe

- Opens file in notepad (likely ransom note) (2 IoCs)
  Processes: notepad.exe, NOTEPAD.EXE
  pid | process
  3916 | notepad.exe
  3804 | NOTEPAD.EXE

- Runs net.exe

- Runs ping.exe (1 TTP, 4 IoCs)
  Processes: PING.EXE (x4)
  pid | process
  2684 | PING.EXE
  2916 | PING.EXE
  3836 | PING.EXE
  3884 | PING.EXE

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  1308 | WINWORD.EXE
  1308 | WINWORD.EXE

- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: 90a909a4508aa899b4be372e7de6f500.exe, taskkill.exe (x3), vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 2896 | 90a909a4508aa899b4be372e7de6f500.exe
  Token: SeDebugPrivilege | 3832 | taskkill.exe
  Token: SeDebugPrivilege | 776 | taskkill.exe
  Token: SeDebugPrivilege | 2960 | taskkill.exe
  Token: SeBackupPrivilege | 3876 | vssvc.exe
  Token: SeRestorePrivilege | 3876 | vssvc.exe
  Token: SeAuditPrivilege | 3876 | vssvc.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: 90a909a4508aa899b4be372e7de6f500.exe
  pid | process
  2896 | 90a909a4508aa899b4be372e7de6f500.exe

- Suspicious use of SendNotifyMessage (1 IoC)
  Processes: 90a909a4508aa899b4be372e7de6f500.exe
  pid | process
  2896 | 90a909a4508aa899b4be372e7de6f500.exe

- Suspicious use of SetWindowsHookEx (15 IoCs)
  Processes: WINWORD.EXE
  pid | process
  1308 | WINWORD.EXE (15 identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 90a909a4508aa899b4be372e7de6f500.exe, net.exe (x11)
  description | pid | process | target process (repeat count in parentheses)
  PID 2896 wrote to memory of 3520 | 2896 | 90a909a4508aa899b4be372e7de6f500.exe | net.exe (x3)
  PID 3520 wrote to memory of 3840 | 3520 | net.exe | net1.exe (x3)
  PID 2896 wrote to memory of 3984 | 2896 | 90a909a4508aa899b4be372e7de6f500.exe | net.exe (x3)
  PID 3984 wrote to memory of 3828 | 3984 | net.exe | net1.exe (x3)
  PID 2896 wrote to memory of 3872 | 2896 | 90a909a4508aa899b4be372e7de6f500.exe | net.exe (x3)
  PID 3872 wrote to memory of 3888 | 3872 | net.exe | net1.exe (x3)
  PID 2896 wrote to memory of 3868 | 2896 | 90a909a4508aa899b4be372e7de6f500.exe | net.exe (x3)
  PID 3868 wrote to memory of 3928 | 3868 | net.exe | net1.exe (x3)
  PID 2896 wrote to memory of 2668 | 2896 | 90a909a4508aa899b4be372e7de6f500.exe | net.exe (x3)
  PID 2668 wrote to memory of 3380 | 2668 | net.exe | net1.exe (x3)
  PID 2896 wrote to memory of 3384 | 2896 | 90a909a4508aa899b4be372e7de6f500.exe | net.exe (x3)
  PID 3384 wrote to memory of 2916 | 3384 | net.exe | net1.exe (x3)
  PID 2896 wrote to memory of 2760 | 2896 | 90a909a4508aa899b4be372e7de6f500.exe | net.exe (x3)
  PID 2760 wrote to memory of 2336 | 2760 | net.exe | net1.exe (x3)
  PID 2896 wrote to memory of 2116 | 2896 | 90a909a4508aa899b4be372e7de6f500.exe | net.exe (x3)
  PID 2116 wrote to memory of 2976 | 2116 | net.exe | net1.exe (x3)
  PID 2896 wrote to memory of 3652 | 2896 | 90a909a4508aa899b4be372e7de6f500.exe | net.exe (x3)
  PID 3652 wrote to memory of 3840 | 3652 | net.exe | net1.exe (x3)
  PID 2896 wrote to memory of 3812 | 2896 | 90a909a4508aa899b4be372e7de6f500.exe | net.exe (x3)
  PID 3812 wrote to memory of 3828 | 3812 | net.exe | net1.exe (x3)
  PID 2896 wrote to memory of 3816 | 2896 | 90a909a4508aa899b4be372e7de6f500.exe | net.exe (x3)
  PID 3816 wrote to memory of 3884 | 3816 | net.exe | net1.exe (x1)
Processes
Process tree, one entry per process as "path | command line"; [n] is the depth in the tree.

- [1] C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe | "C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe"
  Signatures: Drops startup file; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop avpsus /y
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop avpsus /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop McAfeeDLPAgentService /y
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop mfewc /y
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop mfewc /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop BMR Boot Service /y
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop BMR Boot Service /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop NetBackup BMR MTFTP Service /y
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop DefWatch /y
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop DefWatch /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop ccEvtMgr /y
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop ccEvtMgr /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop ccSetMgr /y
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop ccSetMgr /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop SavRoam /y
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop SavRoam /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop RTVscan /y
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop RTVscan /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop QBFCService /y
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop QBFCService /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop QBIDPService /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop QBIDPService /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop Intuit.QuickBooks.FCS /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop QBCFMonitorService /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop QBCFMonitorService /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop YooBackup /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop YooBackup /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop YooIT /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop YooIT /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop zhudongfangyu /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop zhudongfangyu /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop stc_raw_agent /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop stc_raw_agent /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop VSNAPVSS /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop VSNAPVSS /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop VeeamTransportSvc /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop VeeamTransportSvc /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop VeeamDeploymentService /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop VeeamDeploymentService /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop VeeamNFSSvc /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop VeeamNFSSvc /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop veeam /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop veeam /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop PDVFSService /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop PDVFSService /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop BackupExecVSSProvider /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop BackupExecVSSProvider /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop BackupExecAgentAccelerator /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop BackupExecAgentBrowser /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop BackupExecDiveciMediaService /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop BackupExecJobEngine /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop BackupExecJobEngine /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop BackupExecManagementService /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop BackupExecManagementService /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop BackupExecRPCService /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop BackupExecRPCService /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop AcrSch2Svc /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop AcrSch2Svc /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop AcronisAgent /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop AcronisAgent /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop CASAD2DWebSvc /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop CASAD2DWebSvc /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop CAARCUpdateSvc /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop CAARCUpdateSvc /y
  - [2] C:\Windows\SysWOW64\net.exe | "net.exe" stop sophos /y
    - [3] C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop sophos /y
  - [2] C:\Windows\SysWOW64\sc.exe | "sc.exe" config SQLTELEMETRY start= disabled
  - [2] C:\Windows\SysWOW64\sc.exe | "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  - [2] C:\Windows\SysWOW64\sc.exe | "sc.exe" config SQLWriter start= disabled
  - [2] C:\Windows\SysWOW64\sc.exe | "sc.exe" config SstpSvc start= disabled
  - [2] C:\Windows\SysWOW64\taskkill.exe | "taskkill.exe" /IM mspub.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\taskkill.exe | "taskkill.exe" /IM mydesktopqos.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\taskkill.exe | "taskkill.exe" /IM mydesktopservice.exe /F
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" Delete Shadows /all /quiet
    Signatures: Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
    Signatures: Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    Signatures: Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    Signatures: Enumerates connected drives; Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\vssadmin.exe | "vssadmin.exe" Delete Shadows /all /quiet
    Signatures: Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\cmd.exe | "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  - [2] C:\Windows\SysWOW64\cmd.exe | "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpEF13.bat
    - [3] C:\Windows\SysWOW64\mountvol.exe | mountvol
    - [3] C:\Windows\SysWOW64\find.exe | find "}\"
    - [3] C:\Windows\SysWOW64\mountvol.exe | mountvol !freedrive!: \\?\Volume{9563bb1f-0000-0000-0000-500600000000}\
    - [3] C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1
      Signatures: Runs ping.exe
    - [3] C:\Windows\SysWOW64\mountvol.exe | mountvol !freedrive!: \\?\Volume{9563bb1f-0000-0000-0000-100000000000}\
    - [3] C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1
      Signatures: Runs ping.exe
    - [3] C:\Windows\SysWOW64\mountvol.exe | mountvol !freedrive!: \\?\Volume{d61488bd-b008-11ea-95e4-806e6f6e6963}\
    - [3] C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1
      Signatures: Runs ping.exe
  - [2] C:\Windows\SysWOW64\notepad.exe | "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DEAL_FOR_ACCESS_TO_YOUR_FILES.txt
    Signatures: Opens file in notepad (likely ransom note)
  - [2] C:\Windows\SysWOW64\cmd.exe | "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    - [3] C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.7 -n 3
      Signatures: Runs ping.exe
    - [3] C:\Windows\SysWOW64\fsutil.exe | fsutil file setZeroData offset=0 length=524288 “%s”
  - [2] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\90a909a4508aa899b4be372e7de6f500.exe
    - [3] C:\Windows\SysWOW64\choice.exe | choice /C Y /N /D Y /T 3

- [1] C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken

- [1] C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- [1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\EnableFind.rtf" /o ""
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx

- [1] C:\Windows\system32\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\OptimizeRename.txt
  Signatures: Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpEF13.bat
  MD5: 1af2c796c268a8160d0d93e8866dc7b0
  SHA1: 6d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f
  SHA256: 94e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8
  SHA512: af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e

- C:\Users\Admin\AppData\Local\Temp\v.txt
  MD5: 6904d06486a00b0c3633fb57180f663d
  SHA1: 5369899d14980ad49a183f3fee44631f806194c7
  SHA256: 03bb07b5fcc7613ee9c4201647bbfab1dab2045a336813b349a2402f95b212bd
  SHA512: 8e276de659c3209fcfdf369630b1a72c0d05fccb1406f7d28f5a2829d477a5ec0d17752e97b360964ab8a11be5bf10ce9a29f3a65c57f345291318dad2eadb30

- C:\Users\Admin\Desktop\DEAL_FOR_ACCESS_TO_YOUR_FILES.txt
  MD5: 6f394578305ee1978f73a0a13f021e7b
  SHA1: 3a8105811a3dc6bd29a9cbab4f9e1a1bfbec2215
  SHA256: 70f2550ff11ddb0ed9264fbe81aff333d3b522bcf7a02b59b4b526a22deff240
  SHA512: a20f9c3ca19c73155b9de341b0533e4897737d597c93c2e9e7920e16bd1aefa79bc1bd8a3bd4a44ba779a43614058e26c1a48b3045c96f3a127f46d7d1c23bf6

- C:\Users\Admin\Desktop\EnableFind.rtf
  MD5: c368cecdb79fc221ed59542a41c7b81a
  SHA1: 7d1d1d1d439fe4a98c28aa381ad9656600050b34
  SHA256: 756935cfa1b55ec41420ebbe53fbcfe409c940a5709da858accf8413b3dc7e5e
  SHA512: 2a953680fd645c13c372d501f3de89ed5cc74fe767f1d2d5f8ebdf488b54f909df51230d5a2dfc4f5251510ce261fe8daea71d931172d13871d92a0847f2c1fa

- C:\Users\Admin\Desktop\OptimizeRename.txt
  MD5: cf29204f3383382863fdf280d4c808e3
  SHA1: f73494ba158692a2bee133a9ba949dfad53e852e
  SHA256: c8fd5624b181288feec1138608159210547e2353433ce577c7b2fe9919a03687
  SHA512: 660821cacadfe75f290c9751dce5bc58ff646a28f879e441e273cdaf5801582cee8b2f1f0a08522de6f7fc12d3f2ab66c4b4c82a600cad7f1724becb03e923c6

- C:\Users\Admin\Documents\Are.docx
  MD5: fc196d75b0bd76e30eaf622f6db78a9b
  SHA1: b1bb41b3d88382d86c040bcfd02fb19259236865
  SHA256: 2ad99aee31977a66af3bfd49aa8cca533699255ff2c69f25379fc5ce89fa4b26
  SHA512: 9436e5e4cbe4f5ac4d5587a688f9687cf2b93343a93538ecbc745b9829b510624ca683bcae67fc4bd3170b0096e65059cc9e7321e82bfb402a5bdc7a49a6fb0e

- C:\Users\Admin\Documents\Files.docx
  MD5: c859cce4e08ffbda90de78b8484c97ff
  SHA1: e9c79f26816f0886038a2f7798b53c61ebe97fec
  SHA256: f8f601a72c9443c7348240bc64d0f2c4bbbcb64573a4c77b3059abbd80173e0d
  SHA512: 516c4e959ba07ba4902a0e65026d5c60591535b08632036d305278f0760be1f56ab01ff7c89f19dbb599f6a46fa5423aa5044fd22aecb105972cdd8c2e586956

- C:\Users\Admin\Documents\Opened.docx
  MD5: b95d7719f84df265d9053a793a93a5cd
  SHA1: bba9a53fa583ca228f958fdac1e40c5b14f34c48
  SHA256: ffaff0183082ea32765029694b94e89835654def5fb920aa7877cfc19e7b8fb3
  SHA512: cf8ced8c895a387ee13f9764269e112573a5a9a1b2792d234f386671ec9cc74b9154d2f0fa364327de438ff822364475dc7e5e20bbda0714db878cb2e8879ab7

- C:\Users\Admin\Documents\Recently.docx
  MD5: 0a6d2c367de8ce6419804527a9feb2e2
  SHA1: 8702944c041ec9cc871defe9f51fd353553a059c
  SHA256: d552bb2c9c1d3f8b8adb5b3d8d3396dad790da1ded93cf73a8c9337c93b1b18d
  SHA512: b21ba1e6311190404bd4672ee051102b44498dac7783d670da74c1798b89c5f96efa74a3ac932460f63d862382756c441d3cbe091902386fa2c49fc07749c184

- C:\Users\Admin\Documents\These.docx
  MD5: c314ae79a45efd50edc459765a7a08fa
  SHA1: bc14d205e4e6fa0f49d3029a66279b3672eb2fb8
  SHA256: ba00a67665ec61c6fc084bfba4548a5281443178748194f26542db7f845dca5f
  SHA512: 92a13c7d6223c46d09b6f640f39bfc9bc92328615366a078638747658558f5015213dc61205a52d5e3fa96f12e3eb3108fcf3967beb718176df9e3300a234245
- memory/64-42-0x0000000000000000-mapping.dmp
- memory/400-28-0x0000000000000000-mapping.dmp
- memory/476-86-0x0000000000000000-mapping.dmp
- memory/496-83-0x0000000000000000-mapping.dmp
- memory/612-29-0x0000000000000000-mapping.dmp
- memory/728-46-0x0000000000000000-mapping.dmp
- memory/732-44-0x0000000000000000-mapping.dmp
- memory/736-57-0x0000000000000000-mapping.dmp
- memory/740-82-0x0000000000000000-mapping.dmp
- memory/776-77-0x0000000000000000-mapping.dmp
- memory/780-56-0x0000000000000000-mapping.dmp
- memory/796-110-0x0000000000000000-mapping.dmp
- memory/972-73-0x0000000000000000-mapping.dmp
- memory/992-50-0x0000000000000000-mapping.dmp
- memory/996-51-0x0000000000000000-mapping.dmp
- memory/1188-109-0x0000000000000000-mapping.dmp
- memory/1336-43-0x0000000000000000-mapping.dmp
- memory/1656-41-0x0000000000000000-mapping.dmp
- memory/1768-111-0x0000000000000000-mapping.dmp
- memory/2000-96-0x0000000000000000-mapping.dmp
- memory/2000-31-0x0000000000000000-mapping.dmp
- memory/2044-58-0x0000000000000000-mapping.dmp
- memory/2052-98-0x0000000000000000-mapping.dmp
- memory/2052-45-0x0000000000000000-mapping.dmp
- memory/2116-14-0x0000000000000000-mapping.dmp
- memory/2288-70-0x0000000000000000-mapping.dmp
- memory/2336-13-0x0000000000000000-mapping.dmp
- memory/2344-100-0x0000000000000000-mapping.dmp
- memory/2660-27-0x0000000000000000-mapping.dmp
- memory/2668-8-0x0000000000000000-mapping.dmp
- memory/2684-59-0x0000000000000000-mapping.dmp
- memory/2684-99-0x0000000000000000-mapping.dmp
- memory/2760-12-0x0000000000000000-mapping.dmp
- memory/2888-32-0x0000000000000000-mapping.dmp
- memory/2916-11-0x0000000000000000-mapping.dmp
- memory/2916-101-0x0000000000000000-mapping.dmp
- memory/2960-78-0x0000000000000000-mapping.dmp
- memory/2976-72-0x0000000000000000-mapping.dmp
- memory/2976-15-0x0000000000000000-mapping.dmp
- memory/2980-30-0x0000000000000000-mapping.dmp
- memory/3024-61-0x0000000000000000-mapping.dmp
- memory/3024-74-0x0000000000000000-mapping.dmp
- memory/3144-24-0x0000000000000000-mapping.dmp
- memory/3264-25-0x0000000000000000-mapping.dmp
- memory/3320-26-0x0000000000000000-mapping.dmp
- memory/3376-52-0x0000000000000000-mapping.dmp
- memory/3380-65-0x0000000000000000-mapping.dmp
- memory/3380-9-0x0000000000000000-mapping.dmp
- memory/3384-10-0x0000000000000000-mapping.dmp
- memory/3388-40-0x0000000000000000-mapping.dmp
- memory/3388-106-0x0000000000000000-mapping.dmp
- memory/3392-67-0x0000000000000000-mapping.dmp
- memory/3448-89-0x0000000000000000-mapping.dmp
- memory/3520-0-0x0000000000000000-mapping.dmp
- memory/3572-97-0x0000000000000000-mapping.dmp
- memory/3572-33-0x0000000000000000-mapping.dmp
- memory/3572-102-0x0000000000000000-mapping.dmp
- memory/3572-47-0x0000000000000000-mapping.dmp
- memory/3584-85-0x0000000000000000-mapping.dmp
- memory/3588-68-0x0000000000000000-mapping.dmp
- memory/3632-79-0x0000000000000000-mapping.dmp
- memory/3640-69-0x0000000000000000-mapping.dmp
- memory/3644-60-0x0000000000000000-mapping.dmp
- memory/3648-48-0x0000000000000000-mapping.dmp
- memory/3652-16-0x0000000000000000-mapping.dmp
- memory/3764-93-0x0000000000000000-mapping.dmp
- memory/3768-36-0x0000000000000000-mapping.dmp
- memory/3772-54-0x0000000000000000-mapping.dmp
- memory/3772-39-0x0000000000000000-mapping.dmp
- memory/3776-75-0x0000000000000000-mapping.dmp
- memory/3796-80-0x0000000000000000-mapping.dmp
- memory/3800-22-0x0000000000000000-mapping.dmp
- memory/3808-34-0x0000000000000000-mapping.dmp
- memory/3812-18-0x0000000000000000-mapping.dmp
- memory/3816-20-0x0000000000000000-mapping.dmp
- memory/3820-84-0x0000000000000000-mapping.dmp
- memory/3824-90-0x0000000000000000-mapping.dmp
- memory/3828-3-0x0000000000000000-mapping.dmp
- memory/3828-19-0x0000000000000000-mapping.dmp
- memory/3828-35-0x0000000000000000-mapping.dmp
- memory/3828-63-0x0000000000000000-mapping.dmp
- memory/3832-76-0x0000000000000000-mapping.dmp
- memory/3836-103-0x0000000000000000-mapping.dmp
- memory/3840-17-0x0000000000000000-mapping.dmp
- memory/3840-1-0x0000000000000000-mapping.dmp
- memory/3856-62-0x0000000000000000-mapping.dmp
- memory/3868-6-0x0000000000000000-mapping.dmp
- memory/3872-4-0x0000000000000000-mapping.dmp
- memory/3880-94-0x0000000000000000-mapping.dmp
- memory/3884-21-0x0000000000000000-mapping.dmp
- memory/3884-107-0x0000000000000000-mapping.dmp
- memory/3884-64-0x0000000000000000-mapping.dmp
- memory/3888-5-0x0000000000000000-mapping.dmp
- memory/3908-71-0x0000000000000000-mapping.dmp
- memory/3916-53-0x0000000000000000-mapping.dmp
- memory/3916-66-0x0000000000000000-mapping.dmp
- memory/3916-105-0x0000000000000000-mapping.dmp
- memory/3924-88-0x0000000000000000-mapping.dmp
- memory/3928-7-0x0000000000000000-mapping.dmp
- memory/3928-91-0x0000000000000000-mapping.dmp
- memory/3936-38-0x0000000000000000-mapping.dmp
- memory/3936-23-0x0000000000000000-mapping.dmp
- memory/3940-87-0x0000000000000000-mapping.dmp
- memory/3944-37-0x0000000000000000-mapping.dmp
- memory/3948-81-0x0000000000000000-mapping.dmp
- memory/3984-2-0x0000000000000000-mapping.dmp
- memory/4008-55-0x0000000000000000-mapping.dmp
- memory/4008-92-0x0000000000000000-mapping.dmp
- memory/4052-49-0x0000000000000000-mapping.dmp