0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da

Resubmissions

17-02-2021 18:00

210217-6k9bf8hnla 10

02-02-2021 09:28

210202-6r27d31vxn 10

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
17-02-2021 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.exe
Size

2.5MB
MD5

e63e41e15e86489a98dbeb2e6cb44e8a
SHA1

5815d349a375f5cdf090ababcff86b3946ed6c07
SHA256

0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da
SHA512

749d9580ac631916fbc1db207f0f48ed2ff9979f0cd8e352633cd86edfe7bd5bbb6da90b014e0b8ad639f8b9e567498f07353ef907ce2bd6dfa5536d3079991e

Score

10^/10

evasion persistence ransomware spyware themida trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Recovery_Instructions.txt

Ransom Note

## YOUR NETWORK HAS BEEN COMPROMISED ## ------------------------------------------ All your important files have been encrypted! ------------------------------------------------- Your files are safe! Only modified. ANY ATTEMPT TO RESTORE A FILE WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered data from different segment of your network. These data are currently stored on a private server and will be immediately destroyed after your payment. If you decide to not pay, we will keep your data stored and contact press or re-seller or expose it on our partner's website. We only seek money and do not want to damage your reputation or prevent your business from running. If you take wise choice to pay, all of this will be solved very soon and smoothly. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. --------------------------------------------------------- Contact us for price. felleskatalogen@protonmail.com ---------------------------------------------------------- Make contact as soon as possible. If you don't contact us within 72 hours, price will be higher.

Emails

felleskatalogen@protonmail.com

Extracted

Path

C:\Recovery_Instructions.txt

Ransom Note

##### YOUR NETWORK HAS BEEN COMPROMISED ##### --------------------------------------------- All your important files have been encrypted! --------------------------------------------- Your files are safe! Only modified. ANY ATTEMPT TO RESTORE A FILE WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered data from different segment of your network. These data are currently stored on a private server and will be immediately destroyed after your payment. If you decide to not pay, we will keep your data stored and contact press or re-seller or expose it on our partner's website. We only seek money and do not want to damage your reputation or prevent your business from running. If you take wise choice to pay, all of this will be solved very soon and smoothly. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. ----------------------------------------------------------- Contact us for price: felleskatalogen@protonmail.com ----------------------------------------------------------- Make contact as soon as possible. If you don't contact us within 72 hours, price will be higher.

Emails

felleskatalogen@protonmail.com

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1664 bcdedit.exe
1180 bcdedit.exe
Deletes System State backups 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

848 wbadmin.exe
632 wbadmin.exe

pid	process
1664	bcdedit.exe
1180	bcdedit.exe

pid	process
848	wbadmin.exe
632	wbadmin.exe

Drops file in Drivers directory 12 IoCs

Processes:

2.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\networks.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	2.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	2.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	2.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	2.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	2.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks	2.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	2.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

2.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UpdateGrant.crw.ReadInstructions	2.exe
File renamed	C:\Users\Admin\Pictures\MergeFormat.raw => C:\Users\Admin\Pictures\MergeFormat.raw.inprocess	2.exe
File opened for modification	C:\Users\Admin\Pictures\MergeFormat.raw.inprocess	2.exe
File renamed	C:\Users\Admin\Pictures\MergeFormat.raw.inprocess => C:\Users\Admin\Pictures\MergeFormat.raw.ReadInstructions	2.exe
File opened for modification	C:\Users\Admin\Pictures\MergeFormat.raw.ReadInstructions	2.exe
File renamed	C:\Users\Admin\Pictures\UpdateGrant.crw => C:\Users\Admin\Pictures\UpdateGrant.crw.inprocess	2.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateGrant.crw.inprocess	2.exe
File renamed	C:\Users\Admin\Pictures\UpdateGrant.crw.inprocess => C:\Users\Admin\Pictures\UpdateGrant.crw.ReadInstructions	2.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

848 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
848	cmd.exe

themida 2 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1904-2-0x000000013FD30000-0x0000000140571000-memory.dmp	themida
behavioral1/memory/1904-3-0x000000013FD30000-0x0000000140571000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2.exe\" e"	2.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

2.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

2.exe

description ioc process

File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini 2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2.exe

description	ioc	process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini	2.exe

Enumerates connected drives 3 TTPs 41 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\R:	2.exe
File opened (read-only)	\??\U:	2.exe
File opened (read-only)	\??\D:	2.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\B:	2.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	2.exe
File opened (read-only)	\??\H:	2.exe
File opened (read-only)	\??\M:	2.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\Y:	2.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\J:	2.exe
File opened (read-only)	\??\N:	2.exe
File opened (read-only)	\??\P:	2.exe
File opened (read-only)	\??\Q:	2.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\X:	2.exe
File opened (read-only)	\??\Z:	2.exe
File opened (read-only)	\??\I:	2.exe
File opened (read-only)	\??\T:	2.exe
File opened (read-only)	\??\E:	2.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	2.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\L:	2.exe
File opened (read-only)	\??\K:	2.exe
File opened (read-only)	\??\O:	2.exe
File opened (read-only)	\??\S:	2.exe
File opened (read-only)	\??\V:	2.exe
File opened (read-only)	\??\W:	2.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\A:	2.exe

Drops file in System32 directory 64 IoCs

Processes:

2.exe

description	ioc	process
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\41ace1b7-f27e-4c89-a6a3-a659a5dbef65.inprocess	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f432ef04-0dcb-4ffd-963b-c2f8117e80e7.inprocess	2.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\config\DEFAULT	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.inprocess	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\73343e4f-75e6-4fe3-8678-f5d69c9ef61b	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.inprocess	2.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	2.exe
File opened for modification	C:\Windows\System32\config\SOFTWARE	2.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess	2.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	2.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess	2.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	2.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	2.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.inprocess	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\41ace1b7-f27e-4c89-a6a3-a659a5dbef65	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.inprocess	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\73343e4f-75e6-4fe3-8678-f5d69c9ef61b.inprocess	2.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	2.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess	2.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess	2.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.inprocess	2.exe
File opened for modification	C:\Windows\System32\config\SAM	2.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	2.exe
File opened for modification	C:\Windows\System32\config\BCD-Template	2.exe
File opened for modification	C:\Windows\System32\config\RegBack\SAM	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.inprocess	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d	2.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.ReadInstructions	2.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f432ef04-0dcb-4ffd-963b-c2f8117e80e7	2.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS	2.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor	2.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	2.exe
File opened for modification	C:\Windows\System32\config\SYSTEM	2.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.inprocess	2.exe
File opened for modification	C:\Windows\System32\config\RegBack\SOFTWARE	2.exe
File opened for modification	C:\Windows\System32\config\RegBack\SYSTEM	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\41ace1b7-f27e-4c89-a6a3-a659a5dbef65.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f432ef04-0dcb-4ffd-963b-c2f8117e80e7.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	2.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	2.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	2.exe
File opened for modification	C:\Windows\System32\config\RegBack\SECURITY	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c	2.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\73343e4f-75e6-4fe3-8678-f5d69c9ef61b.ReadInstructions	2.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred	2.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	2.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.ReadInstructions	2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2.exe

pid process

1904 2.exe

Drops file in Program Files directory 64 IoCs

Processes:

2.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Seoul.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tehran.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Algiers.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuching.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Martinique.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-11.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9YDT.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Khartoum.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Dublin.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sitka	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Panama.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santiago.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Winamac	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Moncton	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Monterrey.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Montreal.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Winnipeg.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Athens.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Lagos.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lindeman.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Resolute.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\meta-index.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Chicago	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Iqaluit.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EST.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\El_Aaiun	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Paramaribo	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Halifax.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuala_Lumpur	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Khandyga.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Maceio.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UCT.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Eirunepe.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santarem	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+12	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Apia.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Adelaide.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belize.inprocess	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon.ReadInstructions	2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay.inprocess	2.exe

Drops file in Windows directory 57 IoCs

Processes:

2.exewbadmin.exewbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_0	2.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb2	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th0	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_2	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state.ReadInstructions	2.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d.ReadInstructions	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th0	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_1	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\dewindow	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state	2.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th1	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_2	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb1	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state.ReadInstructions	2.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Panther\setupinfo.inprocess	2.exe
File opened for modification	C:\Windows\Panther\setupinfo.ReadInstructions	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th2	2.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.ReadInstructions	2.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d.inprocess	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state.ReadInstructions	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb0	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_1	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state.ReadInstructions	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb2	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state.inprocess	2.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.ReadInstructions	2.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th2	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.inprocess	2.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\499e9f34ae4b5b02c752dc8920c033aa\cbshandler\state.inprocess	2.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state	2.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb1	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\enwindow	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\046b70de3a2fd676d807d11bedad4dcd\cbshandler\state	2.exe
File opened for modification	C:\Windows\Boot\PCAT\bootmgr	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th1	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\31babaaa45cee9a47acba0207c097502\cbshandler\state.inprocess	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state	2.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\state.inprocess	2.exe
File opened for modification	C:\Windows\Panther\setupinfo	2.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\f29b02fec13315ab58a997da84d42d39f8d01a1d	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_0	2.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.ReadInstructions	2.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb0	2.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_3	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
472	vssadmin.exe
1424	vssadmin.exe
1652	vssadmin.exe
884	vssadmin.exe
1080	vssadmin.exe
1824	vssadmin.exe
340	vssadmin.exe
616	vssadmin.exe
756	vssadmin.exe
1652	vssadmin.exe
1488	vssadmin.exe
1100	vssadmin.exe
1984	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 3 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

1212 NOTEPAD.EXE
1020 NOTEPAD.EXE
760 NOTEPAD.EXE

pid	process
1212	NOTEPAD.EXE
1020	NOTEPAD.EXE
760	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2.exe

pid	process
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe
1904	2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

1776 rundll32.exe

pid	process
1776	rundll32.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

vssvc.exewmic.exeAUDIODG.EXE

description	pid	process
Token: SeBackupPrivilege	1960	vssvc.exe
Token: SeRestorePrivilege	1960	vssvc.exe
Token: SeAuditPrivilege	1960	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1680	wmic.exe
Token: SeSecurityPrivilege	1680	wmic.exe
Token: SeTakeOwnershipPrivilege	1680	wmic.exe
Token: SeLoadDriverPrivilege	1680	wmic.exe
Token: SeSystemProfilePrivilege	1680	wmic.exe
Token: SeSystemtimePrivilege	1680	wmic.exe
Token: SeProfSingleProcessPrivilege	1680	wmic.exe
Token: SeIncBasePriorityPrivilege	1680	wmic.exe
Token: SeCreatePagefilePrivilege	1680	wmic.exe
Token: SeBackupPrivilege	1680	wmic.exe
Token: SeRestorePrivilege	1680	wmic.exe
Token: SeShutdownPrivilege	1680	wmic.exe
Token: SeDebugPrivilege	1680	wmic.exe
Token: SeSystemEnvironmentPrivilege	1680	wmic.exe
Token: SeRemoteShutdownPrivilege	1680	wmic.exe
Token: SeUndockPrivilege	1680	wmic.exe
Token: SeManageVolumePrivilege	1680	wmic.exe
Token: 33	1680	wmic.exe
Token: 34	1680	wmic.exe
Token: 35	1680	wmic.exe
Token: 33	1672	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1672	AUDIODG.EXE
Token: 33	1672	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1672	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

NOTEPAD.EXEchrome.exe

pid process

1212 NOTEPAD.EXE
300 chrome.exe

pid	process
1212	NOTEPAD.EXE
300	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2.exerundll32.exechrome.exe

description	pid	process	target process
PID 1904 wrote to memory of 1424	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1424	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1424	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1652	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1652	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1652	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 884	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 884	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 884	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1080	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1080	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1080	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1824	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1824	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1824	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 340	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 340	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 340	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 616	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 616	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 616	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 472	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 472	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 472	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1488	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1488	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1488	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 756	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 756	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 756	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1100	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1100	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1100	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1984	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1984	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1984	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1652	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1652	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1652	1904	2.exe	vssadmin.exe
PID 1904 wrote to memory of 1664	1904	2.exe	bcdedit.exe
PID 1904 wrote to memory of 1664	1904	2.exe	bcdedit.exe
PID 1904 wrote to memory of 1664	1904	2.exe	bcdedit.exe
PID 1904 wrote to memory of 1180	1904	2.exe	bcdedit.exe
PID 1904 wrote to memory of 1180	1904	2.exe	bcdedit.exe
PID 1904 wrote to memory of 1180	1904	2.exe	bcdedit.exe
PID 1904 wrote to memory of 848	1904	2.exe	wbadmin.exe
PID 1904 wrote to memory of 848	1904	2.exe	wbadmin.exe
PID 1904 wrote to memory of 848	1904	2.exe	wbadmin.exe
PID 1904 wrote to memory of 632	1904	2.exe	wbadmin.exe
PID 1904 wrote to memory of 632	1904	2.exe	wbadmin.exe
PID 1904 wrote to memory of 632	1904	2.exe	wbadmin.exe
PID 1904 wrote to memory of 1680	1904	2.exe	wmic.exe
PID 1904 wrote to memory of 1680	1904	2.exe	wmic.exe
PID 1904 wrote to memory of 1680	1904	2.exe	wmic.exe
PID 1904 wrote to memory of 848	1904	2.exe	cmd.exe
PID 1904 wrote to memory of 848	1904	2.exe	cmd.exe
PID 1904 wrote to memory of 848	1904	2.exe	cmd.exe
PID 1776 wrote to memory of 760	1776	rundll32.exe	NOTEPAD.EXE
PID 1776 wrote to memory of 760	1776	rundll32.exe	NOTEPAD.EXE
PID 1776 wrote to memory of 760	1776	rundll32.exe	NOTEPAD.EXE
PID 300 wrote to memory of 1652	300	chrome.exe	chrome.exe
PID 300 wrote to memory of 1652	300	chrome.exe	chrome.exe
PID 300 wrote to memory of 1652	300	chrome.exe	chrome.exe
PID 300 wrote to memory of 516	300	chrome.exe	chrome.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

2.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	2.exe

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1904

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:1424

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:1652

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:884

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1080

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1824

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:340

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:616

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:472

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1488

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:756

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1100

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1984

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1652

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
2⤵
- Modifies boot configuration data using bcdedit
PID:1664

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:1180

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:848

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
2⤵
- Deletes System State backups
- Drops file in Windows directory
PID:632

C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2.exe >> NUL
2⤵
- Deletes itself
PID:848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Recovery_Instructions.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1212

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Recovery_Instructions.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1020

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\Opened.docx.ReadInstructions
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Opened.docx.ReadInstructions
2⤵
- Opens file in notepad (likely ransom note)
PID:760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5f16e00,0x7fef5f16e10,0x7fef5f16e20
2⤵
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1016 /prefetch:2
2⤵
PID:516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1276 /prefetch:8
2⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
2⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1956 /prefetch:1
2⤵
PID:1260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1
2⤵
PID:1328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
2⤵
PID:1872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,5205067900833091657,10348175504232412472,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2596 /prefetch:1
2⤵
PID:228

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
f2df1cb400eb8c68d332f4efe1a7041f

SHA1
e803add9f704cf5a9c42a9ab8cad9f0a841c4c0f

SHA256
be6e978642ff42c99f6d971a50d3e7955b87c7bbf9c3f0c7c11587d91d06dc6d

SHA512
63a79cd8e8b99101fc2e9bd0605de757e8b80af1fa19af97bf9e1c7c4748fa8e3686fafa4fbe099f17f4365b2f51bdc5c8baded10cc32176e51c4e68095be516

Download Submit
C:\Users\Admin\Desktop\Recovery_Instructions.txt
MD5
1c417faf805d8868ae01923118a70a5a

SHA1
399c372efe377fea5241f500cc65dcef05bdfd35

SHA256
454c2830a71762808e870931131de6fe3a5be0117e5b024b9147ef60f42f9f05

SHA512
116725646b3533d3117085835553394f6d71b833bec2f2241de5778f6947495fa55652acea57f53fdb7a0b45fdf7470bd3acec2ab064d78ad2203863215a0f37

Download Submit
C:\Users\Admin\Documents\Opened.docx.ReadInstructions
MD5
a292c264997c8dc4c39f9173231e7d85

SHA1
23a6b9e6fe84fb161a6fc8ce81b047b13ca38060

SHA256
d2c17703666a1a4634277813416abb5db13650bb242ad1b4a1deaa9047841374

SHA512
a72348a8668778a67cfc1e331e3f15bec7bae2fa200a6a8be947071b1d861d07af8573511bec2b5b80913b41d2d54f80ab32f9f4165c90378201b97220ef274f

Download Submit
\??\pipe\crashpad_300_EWMTRBKPEKXNUTPK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/228-50-0x0000000000000000-mapping.dmp

Download
memory/340-10-0x0000000000000000-mapping.dmp

Download
memory/472-12-0x0000000000000000-mapping.dmp

Download
memory/516-39-0x0000000077710000-0x0000000077711000-memory.dmp

Filesize
4KB

Download
memory/516-37-0x0000000000000000-mapping.dmp

Download
memory/616-11-0x0000000000000000-mapping.dmp

Download
memory/632-22-0x0000000000000000-mapping.dmp

Download
memory/756-14-0x0000000000000000-mapping.dmp

Download
memory/760-31-0x0000000000000000-mapping.dmp

Download
memory/848-20-0x0000000000000000-mapping.dmp

Download
memory/848-28-0x0000000000000000-mapping.dmp

Download
memory/848-21-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp

Filesize
8KB

Download
memory/884-7-0x0000000000000000-mapping.dmp

Download
memory/1080-8-0x0000000000000000-mapping.dmp

Download
memory/1100-27-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp

Filesize
2.5MB

Download
memory/1100-15-0x0000000000000000-mapping.dmp

Download
memory/1180-19-0x0000000000000000-mapping.dmp

Download
memory/1260-45-0x0000000000000000-mapping.dmp

Download
memory/1328-48-0x0000000000000000-mapping.dmp

Download
memory/1424-5-0x0000000000000000-mapping.dmp

Download
memory/1488-13-0x0000000000000000-mapping.dmp

Download
memory/1608-42-0x0000000000000000-mapping.dmp

Download
memory/1652-34-0x0000000000000000-mapping.dmp

Download
memory/1652-6-0x0000000000000000-mapping.dmp

Download
memory/1652-17-0x0000000000000000-mapping.dmp

Download
memory/1664-18-0x0000000000000000-mapping.dmp

Download
memory/1680-24-0x0000000000000000-mapping.dmp

Download
memory/1768-38-0x0000000000000000-mapping.dmp

Download
memory/1824-9-0x0000000000000000-mapping.dmp

Download
memory/1904-4-0x000000013FD31000-0x000000013FDE9000-memory.dmp

Filesize
736KB

Download
memory/1904-2-0x000000013FD30000-0x0000000140571000-memory.dmp

Filesize
8.3MB

Download
memory/1904-3-0x000000013FD30000-0x0000000140571000-memory.dmp

Filesize
8.3MB

Download
memory/1984-16-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads