f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093

Resubmissions

19/11/2020, 14:39

201119-59epbrqadx 10

19/11/2020, 14:22

201119-ff99dc42e6 10

19/11/2020, 14:16

201119-298y5e8ncj 9

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
19/11/2020, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
Size

1.8MB
MD5

10d7151b9ee53b8da8ee6f85001ffb20
SHA1

76d33ef58ea7b012342d975d871db64840da9675
SHA256

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093
SHA512

1c6d2d7f509b462b5d48db61817ee42a7204d10141c59394eb190d0dba733b831a6344bb85197dfac358939379e640c9f38732d376e28f92e187806ca574d10f

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html

Ransom Note

Critical Error! Your files have been corrupted! Follow these directions to easily restore them: 1. Purchase around $200 in Bitcoin (BTC). To learn more about Bitcoin, visit https://bitcoin.org/en/buy or https://buy.bitcoin.com 2. Send the new Bitcoin to the following address: 14BfVG4vH71NLmhu7vFKi9EMmeZFoiAsYP 3. Contact our Tech Support team at [email protected] and explain your issue. 4. After confirming your Bitcoin transfer, we will send you a file-repair tool to fix your entire system. 5. Run our file-cleaner and wait... Your data will be restored. To test our services, you may send up to 2 files for repairing before making the Bitcoin transfer. Estimated repair time after Bitcoin transfer: 24 hours

Emails

[email protected]

Wallets

14BfVG4vH71NLmhu7vFKi9EMmeZFoiAsYP

URLs

https://bitcoin.org/en/buy

https://buy.bitcoin.com

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\RestoreApprove.tiff	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\DenySuspend.tif.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\SetUnblock.crw.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\DenyLock.tiff	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\DenyLock.tiff.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\RestartClear.tif.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\PushSet.tiff	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\SetRegister.crw.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\PushSet.tiff.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\RestoreApprove.tiff.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeRename.tiff	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\InvokeRename.tiff.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\MeasureTrace.crw.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\MountHide.raw.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1608	vssadmin.exe
2620	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000119fbac049cd1aae4ae6eb8d0eb019f3cb83240910b7965ac722c8c9e80e3a49000000000e800000000200002000000027ac2e8b9578c42e785227aed7d0f7019900a303fa49ba82e140beab5c1d4f1490000000c25374b8a459d7a4f172c60557364ae7cffa70efc7ce93911ed52637e6eb57c1a50d33cd4d363c5ffbf73173565e07d7ee41f845805177ae38e84895039245d31530492ba06a667a297080241713e4a9ae8fffd15847f9bae8f7d94a2ffa5b7ed079437bfb03d071b4e5a9bd371f308d374706b2aca40d02cc0ee28d82e29143f6fd010ab7db146ca38d91e436cae8b440000000fa4658d71739ead8d08639a26e4a739e09e1b3db4efc0f3211fa6e63da844e8a64f75662a7bdc4318acecc7c7b53123b0ba8c3834cae83342d133b02b603b6fa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C98E5C71-2A74-11EB-B97E-C2515532CB8E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40fe0e6881bed601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a600000000002000000000010660000000100002000000005f7b184b5300c8a71b07c9202c5a9fe8a3e3ead9cbc51643c14f06e3610ed4b000000000e80000000020000200000003f38e62b67502e68d6509db9b85cb9ad39fde61b0d83ca5275f7d21cb4ab6ec52000000044d8eed28c07bc6e614d5b366eb64468207104a636b493cc114ac58a09cd92a140000000835ecdb04f00cab1aec836d1384f8e462d932f1acb29d0cbe090172dbd4f14816342dee0c3b36371038aa2ad3754ba814c7b737636e2779c85eabe1cd1a316ae	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9B58AE01-2A74-11EB-B97E-C2515532CB8E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 7e003100000000005c51db98110050726f6772616d730000660008000400efbe5c51a6965c51db982a000000d70100000000020000000000000000003c0000000000500072006f006700720061006d007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003200000018000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = 7a003100000000007351787411005374617274757000640008000400efbe5c51ac96735178742a000000de3d00000000030000000000000000003a00000000005300740061007200740075007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003700000016000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000005c51a696122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe5c51a6965c51a6962a000000d10100000000020000000000000000000000000000004100700070004400610074006100000042000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 58003100000000005c51939914204d4943524f537e310000400008000400efbe5c51a6965c5193992a000000d30100000000020000000000000000000000000000004d006900630072006f0073006f0066007400000018000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 82003100000000005c51ad96110053544152544d7e3100006a0008000400efbe5c51a6965c51ac962a000000d60100000000020000000000000000004000000000005300740061007200740020004d0065006e007500000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003600000018000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 52003100000000005c51a59a1020526f616d696e67003c0008000400efbe5c51a6965c51a59a2a000000d201000000000200000000000000000000000000000052006f0061006d0069006e006700000016000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000005c51dd98102057696e646f7773003c0008000400efbe5c51a6965c51dd982a000000d4010000000002000000000000000000000000000000570069006e0064006f0077007300000016000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
928	powershell.exe
344	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeBackupPrivilege	816	vssvc.exe
Token: SeRestorePrivilege	816	vssvc.exe
Token: SeAuditPrivilege	816	vssvc.exe
Token: 33	2164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2164	AUDIODG.EXE
Token: 33	2164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2164	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2772	iexplore.exe
2300	iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2772	iexplore.exe
2772	iexplore.exe
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2772	iexplore.exe
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE
2300	iexplore.exe
2300	iexplore.exe
324	IEXPLORE.EXE
324	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 928	1360	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	26
PID 1360 wrote to memory of 928	1360	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	26
PID 1360 wrote to memory of 928	1360	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	26
PID 1360 wrote to memory of 344	1360	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	32
PID 1360 wrote to memory of 344	1360	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	32
PID 1360 wrote to memory of 344	1360	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	32
PID 344 wrote to memory of 308	344	powershell.exe	34
PID 344 wrote to memory of 308	344	powershell.exe	34
PID 344 wrote to memory of 308	344	powershell.exe	34
PID 308 wrote to memory of 1608	308	cmd.exe	36
PID 308 wrote to memory of 1608	308	cmd.exe	36
PID 308 wrote to memory of 1608	308	cmd.exe	36
PID 308 wrote to memory of 2620	308	cmd.exe	40
PID 308 wrote to memory of 2620	308	cmd.exe	40
PID 308 wrote to memory of 2620	308	cmd.exe	40
PID 308 wrote to memory of 2652	308	cmd.exe	41
PID 308 wrote to memory of 2652	308	cmd.exe	41
PID 308 wrote to memory of 2652	308	cmd.exe	41
PID 2652 wrote to memory of 2664	2652	net.exe	42
PID 2652 wrote to memory of 2664	2652	net.exe	42
PID 2652 wrote to memory of 2664	2652	net.exe	42
PID 308 wrote to memory of 2692	308	cmd.exe	43
PID 308 wrote to memory of 2692	308	cmd.exe	43
PID 308 wrote to memory of 2692	308	cmd.exe	43
PID 2692 wrote to memory of 2704	2692	net.exe	44
PID 2692 wrote to memory of 2704	2692	net.exe	44
PID 2692 wrote to memory of 2704	2692	net.exe	44
PID 2772 wrote to memory of 2880	2772	iexplore.exe	47
PID 2772 wrote to memory of 2880	2772	iexplore.exe	47
PID 2772 wrote to memory of 2880	2772	iexplore.exe	47
PID 2772 wrote to memory of 2880	2772	iexplore.exe	47
PID 2772 wrote to memory of 2324	2772	iexplore.exe	50
PID 2772 wrote to memory of 2324	2772	iexplore.exe	50
PID 2772 wrote to memory of 2324	2772	iexplore.exe	50
PID 2772 wrote to memory of 2324	2772	iexplore.exe	50
PID 2300 wrote to memory of 324	2300	iexplore.exe	55
PID 2300 wrote to memory of 324	2300	iexplore.exe	55
PID 2300 wrote to memory of 324	2300	iexplore.exe	55
PID 2300 wrote to memory of 324	2300	iexplore.exe	55

C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -WindowStyle Hidden get-wmiobject win32_computersystem | "fl model"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Start-Process C:\ProgramData\amdkey.bat -Verb runas
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\amdkey.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:308
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1608
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
      4⤵
      Interacts with shadow copies
      PID:2620
  - - C:\Windows\system32\net.exe
      net user /add RedROMAN p4zzaub71h
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user /add RedROMAN p4zzaub71h
        5⤵
        
        PID:2664
  - - C:\Windows\system32\net.exe
      net localgroup administrators RedROMAN /add
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators RedROMAN /add
        5⤵
        
        PID:2704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2880
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:406541 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2324

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x488
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\ProgramData\RR_README.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2300 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/344-17-0x000000001AB40000-0x000000001AB41000-memory.dmp

Filesize
4KB

Download
memory/344-15-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/344-11-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/344-12-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/344-13-0x000000001AC70000-0x000000001AC71000-memory.dmp

Filesize
4KB

Download
memory/344-14-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/928-3-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/928-4-0x000000001AAC0000-0x000000001AAC1000-memory.dmp

Filesize
4KB

Download
memory/928-8-0x000000001C670000-0x000000001C671000-memory.dmp

Filesize
4KB

Download
memory/928-5-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/928-6-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/928-2-0x000007FEF5560000-0x000007FEF5F4C000-memory.dmp

Filesize
9.9MB

Download
memory/928-7-0x000000001B430000-0x000000001B431000-memory.dmp

Filesize
4KB

Download
memory/1360-0-0x000000013FB60000-0x000000013FD31000-memory.dmp

Filesize
1.8MB

Download
memory/2784-26-0x000007FEF60B0000-0x000007FEF632A000-memory.dmp

Filesize
2.5MB

Download
memory/2880-38-0x00000000061F0000-0x0000000006213000-memory.dmp

Filesize
140KB

Download