locky | b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe

General

Target

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
Size

169KB
MD5

98562209465bec53327e65649a2b8829
SHA1

3a47656ed3df213bd934aa01078a863568fe9f2b
SHA256

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe
SHA512

c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3

Score

10^/10

locky evasion ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\!!Read_Me.C722E.html

Ransom Note

#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK Dear Sir Your files are encrypted with RSA4096 and AES encryption algorithm. But don't worry, you can return all your files!! follow the instructions to recover your files Cooperate with us and get the decrypter program as soon as possible will be your best solution. Only our software can decrypt all your encrypted files. What guarantees you have? We take our reputation seriously. We reject any form of deceptionYou can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain any valuable information. When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think. Are they really interested in solving your problems or are they just thinking about their profit and ambitions? By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst... Here we upload sample files of your company and your private data on our blog : http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website. We also promise we can decrypt all of your data and delete all your files on internet after your payment. Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors! For us this is just business and to prove to you our seriousness. Our e-mail: dayt0na@tutanota.com Reserve e-mail: daytona@cock.lu potts@secmail.pro Device ID: ==AAA8FMy4CMucjLwEDLP5UTZtkQS1EL0QDM3YkNycjMDZUR3UkRxEURBVEOzAzM5EEMwMUQwQjRGZER5EzMBJUMEFTM5AjNGlTRzQUO0UTMxADMzYDN4YDOxkjQzMzMEVERBNjNFlDMGdDN1QzMyADMxgzNzEUODlzQ2Q0N4AzNENkMyADRxUkN3UkQyUTRxQDNzEjR1cDNCRjNyQTQwUUR0ITR0MkQCJTO2IjQ4IkMwMERCJUN0kzQwATNBRkQ1EkQzIERzgDOBNEREdzMxkTN3IUR3AjR4EjR3cjMDZDRwMDRGVDO4MjR2kTQBBDNGRTQ0IEM2UUQ0gzQ5czM3UkNEJjR4YjMyIDO3U0MwQUMDNEN1MDN3gTQ4QUQ4EkNGNEREFURyATQ2ITOCFURCZTRzUUQ2MkNClDOzEkNzU0N5Q0N4IjR1EUNCN0QwIjQwUTM1EUOElzQFNDN2gTMyMkNGRUMCFTNCdzMCRTM5ADMBVTNzMUOEdzQygzQDN0QyMjRxM0NxUEO0AzQzMkN0UDR0UENFFkRzITM3kjRCVkR2gjNxQERFNjNDF0QyY0N0cDO3IkNEFDODdTO5IkMCdzQwYTM1IENyEkN2EEOyIEM4MTO2MEMERDOxUkM3ADO3MUN1UUOGVENxIUM1UkN2ATRFNkN2EjMzgDRyEUOFNTO1cjNzYjQBR0M2EDR0QjQGRDRBdjMFdTM5gjRwIjMEhjQzE0Q0QTQDRjRFdTQ5EERClzM5ATOBVDO3MEOzYUMFVDRyQUO2AzMyczQwEDO1MTQ5MDMFNTMyIUQ4QkQ1UDRwETN5MkQBBTR0MEO1QjQERUQDNTN0YjR2QUQ1QkQ3gDMCNjM4gjMEBjRxEUQyITQBVUMzIDR1EkMFJkMxMDNxUkRxgzMFR0NwQEO5EjR5cDO1UTOyQER5EDOBN0MxQENwMjQER0Q1UEOygzNwIjR1IkMzQzM1UUOxMzQxQDOBR0NEVkRDRDR1gTM5EUQ3Q0QEFENFR0MyUDNFBDNFZUOzcjRyADOGlTMCBDRCJTR3EDMEJTNClTMwQzQzMDM4gzM1gjRDRjRBNUM5ATOwUENEZkNFJUOzMEM4gDRwIDOEFTOxUDM1kzMzE0QGNENyEzQ2IDOGBjM2YzQEJUOGNTO4kTO5ATR3gzQ4QUMCFTNxUkMzUUMGJDMEZDOEFzMEdjN5QjQxQkN0gTRDZkM0kjRzQzQ5YTRDdDNGNzNCJjRwUjQwI0QDNEMDJEOCFjQGJER2E0NzQTM3QjRDNkR0UjRwAzN5QkQwQEOxAjRDBTN3gTNzYENzEkM3MEO0EDR1I0M0AzMxEkM4kDMGVTN2EkQyUzQ1UENyMkNwQTNFVjMxcTQElzMzYUOwYDN2EzQ4EEMGNDOEF0Q1wSOwcjR3kzMxYjN2MUMxEjNEJTQwUjMDRUREZUM4UEO3AjMzYzQ1QjQ3QERzMEODhjRBJjN5czQwMkN2kDN4EDNChjNDFER0MEM2QTN2IERCBTMyEDN5kTQDZkMBNUMBlTN2QTOCJjMBVENxMjREVEMDFTNyEjN5EUNCNDN0MDOFdDRyETQ2UEM4cjNGZUQFJ0QERjQFZ0QxIDNxMzN3QTQ4cTOGNTRzUkQ5YDM2IkN2QjM1E0QxM0N5gzQwUTQycjR4gTQ5IUMDJTOxQTOwcDM2QjR3M0M5UjQwAzMEF0Q5UUO4ITO2cjN3EDRzMENGZUNFZjN4YjM5UUNwkjM2kzMCFENGFUQwI0N1Q0M5ITO2czMBNDNBJzQ1MkM3MDNCBDOzEUNxczMyMzM0IURCVTMDZUNCJzQCZUQxEUQGFTRxQDM1EjN2MzN2EURzY0N0UERBJDM3ATNwQ0M4cjMwcjQ4MjQ5QUQ3YUOBJDOBBjQ0gTQFZUNDR0MBJzNxkjRFFEO5YkR3UjNzITQCREMCFUQ0YkN2ATR1cjM1EURCJzMyU0Q2gjNDZjM0gzQBVURygjN5gzN3ITMyQERChzMBREM0QTMGRjR3AjMBljQGZkNFNkQ4AzQBVjM1QDRwQjQ3ETRycjQ3I0QwMERwETQyYUQ2UUNFhDOEJTM1IjQENDRDRkRzYDN0ETNEBDRGZEM0UURFZUREVkRGlzN4UzMDJEOBdTRyIDRzATR3kDOEN0Q0U0MFlTRBV0MElzN3kTMChjNBFzMyQER2MjRzUTQ1IkQwQkN2UERDFTQGNkRxEzMBJkQ2AzN5YzN1IUN4gjMwgzN5E0N3ITO3IkQ2QDMzMjN5EjMGFUM5kTNBJjRwATM0gTNxQEO2YTRzMENDBDM3QTREVTM1ADNFJEOGVDMChDMCVUMFNkQ5EEMFZENwAzMBdTOFVTOCFkQEFjNGBjN3MUQCljMDZjR4MTM3QTM4gDMwIDREZkQClzNzIzMCBTQEN0QEdzNyI0NERDRGRzQ1UTNBZDOxIURxEkQCJzNCJTRCVkR2ETMBdTO2EzNENjQDVEOFZzQzYERGBzM0EkMyMDN2YUM3QkQyQUQBljQxMkNzcDMDJTMBNUODFTODljQwITNFNENFV0NwkTQ5gTMBVjQ2Y0MxkDMyIjRCNURFVUN3MUOGR0NzYzMEFTRCR0NEJ0NGFzQ5gTRDJkM2QjMzIURBljNzATMBFTODVkNyQDOzMTRFRUR5EzQ3MUMzMUOBRUOwQ0M3EjQwEkMBFEM1AzNFFkN3MDMxMUOFJTRDJERCdTOClTNEhDM5YkQFFkQ0UzM2EERGNUNzUDOBNTR4QjR4UkQ3YER1U0QEVTQFZEM

Emails

dayt0na@tutanota.com

daytona@cock.lu

potts@secmail.pro

URLs

http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1072 bcdedit.exe
800 bcdedit.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1072	bcdedit.exe
800	bcdedit.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RequestApprove.crw => C:\Users\Admin\Pictures\RequestApprove.crw.C722E.thor	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
File renamed	C:\Users\Admin\Pictures\OptimizeFormat.tif => C:\Users\Admin\Pictures\OptimizeFormat.tif.C722E.thor	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
File opened for modification	C:\Users\Admin\Pictures\TraceRevoke.tiff	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
File renamed	C:\Users\Admin\Pictures\TraceRevoke.tiff => C:\Users\Admin\Pictures\TraceRevoke.tiff.C722E.thor	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2860 cmd.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1800 vssadmin.exe

pid	process
2860	cmd.exe

pid	process
1800	vssadmin.exe

Kills process with taskkill 13 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2184	taskkill.exe
2220	taskkill.exe
1640	taskkill.exe
2176	taskkill.exe
2192	taskkill.exe
2200	taskkill.exe
2228	taskkill.exe
2248	taskkill.exe
2236	taskkill.exe
844	taskkill.exe
1748	taskkill.exe
1424	taskkill.exe
2100	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000d2e9cb4394b3e750aabbe7dff51e827d167b28c76d4f17d57515938b7c6a444c000000000e800000000200002000000021882d197cee3a80b2a6bb761c9d1e1c8d0aef77c73749d854ae6bc280425d03200000008c991d2fe8d87c76be462f3882cf5b355c89adeb4fe5768a61907558d787f5b940000000680b6546024e0e771b104eab61962a6cdf9635b90ebfc3495b85c7b6650d7b5eefe0457872a1ec42ab4c0c0efa63fa2f0897be4a4c74f3a76e483e98579a7383	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000834bf32b01941672b318810c1d0bccbd2e6bc44f593a899aaad69beb563c856d000000000e80000000020000200000002e630cd34c7893736dadbb21199950dc860df6e9cd6ff2175c09e76237d94c04900000000237928dcae30e798879e6b847a9c65b64c3a56c5ad3364d54f0f9c3bb85943f5f0b55ed57d05160f03903a4cf122bbb208365b0085ffa839c0a28bf35bf7f73ce4c610920c7731fa792ac45d464f1ef73ffd9f205e169b22d5960d472fe3072dca3bb2f2bfff5123e2ba5f8b192b7fe31b01ca970e18dcd1fce312d92db946d655a2fd8d44b1d0bbd267269ca374112400000003cc8d825d3d14379d990b3caf05ff5475c4e8ec11bf17413e5f3aaf6f5f2db8eccea7988d3f87aab35d130b3713c71fe7ecc420b5a754ff664e819d9cc861dd0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "325163309"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{53A775A1-9D11-11EB-B48A-CE27FB294EC3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3013ee281e31d701	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2888 PING.EXE

pid	process
2888	PING.EXE

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

WMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	856	WMIC.exe
Token: SeSecurityPrivilege	856	WMIC.exe
Token: SeTakeOwnershipPrivilege	856	WMIC.exe
Token: SeLoadDriverPrivilege	856	WMIC.exe
Token: SeSystemProfilePrivilege	856	WMIC.exe
Token: SeSystemtimePrivilege	856	WMIC.exe
Token: SeProfSingleProcessPrivilege	856	WMIC.exe
Token: SeIncBasePriorityPrivilege	856	WMIC.exe
Token: SeCreatePagefilePrivilege	856	WMIC.exe
Token: SeBackupPrivilege	856	WMIC.exe
Token: SeRestorePrivilege	856	WMIC.exe
Token: SeShutdownPrivilege	856	WMIC.exe
Token: SeDebugPrivilege	856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	856	WMIC.exe
Token: SeRemoteShutdownPrivilege	856	WMIC.exe
Token: SeUndockPrivilege	856	WMIC.exe
Token: SeManageVolumePrivilege	856	WMIC.exe
Token: 33	856	WMIC.exe
Token: 34	856	WMIC.exe
Token: 35	856	WMIC.exe
Token: SeBackupPrivilege	428	vssvc.exe
Token: SeRestorePrivilege	428	vssvc.exe
Token: SeAuditPrivilege	428	vssvc.exe
Token: SeIncreaseQuotaPrivilege	856	WMIC.exe
Token: SeSecurityPrivilege	856	WMIC.exe
Token: SeTakeOwnershipPrivilege	856	WMIC.exe
Token: SeLoadDriverPrivilege	856	WMIC.exe
Token: SeSystemProfilePrivilege	856	WMIC.exe
Token: SeSystemtimePrivilege	856	WMIC.exe
Token: SeProfSingleProcessPrivilege	856	WMIC.exe
Token: SeIncBasePriorityPrivilege	856	WMIC.exe
Token: SeCreatePagefilePrivilege	856	WMIC.exe
Token: SeBackupPrivilege	856	WMIC.exe
Token: SeRestorePrivilege	856	WMIC.exe
Token: SeShutdownPrivilege	856	WMIC.exe
Token: SeDebugPrivilege	856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	856	WMIC.exe
Token: SeRemoteShutdownPrivilege	856	WMIC.exe
Token: SeUndockPrivilege	856	WMIC.exe
Token: SeManageVolumePrivilege	856	WMIC.exe
Token: 33	856	WMIC.exe
Token: 34	856	WMIC.exe
Token: 35	856	WMIC.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2644 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2644 iexplore.exe
2644 iexplore.exe
2748 IEXPLORE.EXE
2748 IEXPLORE.EXE
2748 IEXPLORE.EXE
2748 IEXPLORE.EXE

pid	process
2644	iexplore.exe

pid	process
2644	iexplore.exe
2644	iexplore.exe
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 1176	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1176	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1176	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1176	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1940	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1940	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1940	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1940	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1612	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1612	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1612	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1612	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1776	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1776	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1776	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1776	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1696	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1696	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1696	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1696	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 1940 wrote to memory of 856	1940	cmd.exe	WMIC.exe
PID 1940 wrote to memory of 856	1940	cmd.exe	WMIC.exe
PID 1940 wrote to memory of 856	1940	cmd.exe	WMIC.exe
PID 1612 wrote to memory of 1072	1612	cmd.exe	bcdedit.exe
PID 1612 wrote to memory of 1072	1612	cmd.exe	bcdedit.exe
PID 1612 wrote to memory of 1072	1612	cmd.exe	bcdedit.exe
PID 1696 wrote to memory of 528	1696	cmd.exe	netsh.exe
PID 1696 wrote to memory of 528	1696	cmd.exe	netsh.exe
PID 1696 wrote to memory of 528	1696	cmd.exe	netsh.exe
PID 1176 wrote to memory of 1800	1176	cmd.exe	vssadmin.exe
PID 1176 wrote to memory of 1800	1176	cmd.exe	vssadmin.exe
PID 1176 wrote to memory of 1800	1176	cmd.exe	vssadmin.exe
PID 1776 wrote to memory of 800	1776	cmd.exe	bcdedit.exe
PID 1776 wrote to memory of 800	1776	cmd.exe	bcdedit.exe
PID 1776 wrote to memory of 800	1776	cmd.exe	bcdedit.exe
PID 2016 wrote to memory of 1828	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1828	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1828	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1828	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1628	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1628	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1628	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1628	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 1828 wrote to memory of 844	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 844	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 844	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 844	1828	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 788	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 788	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 788	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 788	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1392	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1392	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1392	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1392	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 216	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 216	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 216	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 216	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 228	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 228	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 228	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 228	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 2016 wrote to memory of 1608	2016	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
"C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1800

C:\Windows\system32\cmd.exe
cmd.exe /c wmic shadowcopy delete /nointeractive
2⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1072

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {current} recoveryenabled no
2⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:800

C:\Windows\system32\cmd.exe
cmd.exe /c netsh advfirewall set allprofiles state off
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im note*
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im note*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im powerpnt*
2⤵
PID:1628

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im powerpnt*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im winword*
2⤵
PID:788

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im winword*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im excel*
2⤵
PID:1392

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im excel*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im Exchange*
2⤵
PID:216

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Exchange*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im sql*
2⤵
PID:228

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sql*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im tomcat*
2⤵
PID:1608

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im tomcat*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im apache*
2⤵
PID:1812

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im apache*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im python*
2⤵
PID:1540

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im python*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im vee*
2⤵
PID:1492

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im vee*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im post*
2⤵
PID:2060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im post*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mys*
2⤵
PID:2088

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mys*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im java*
2⤵
PID:1764

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im java*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1>nul & del /q C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
2⤵
- Deletes itself
PID:2860

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\!!Read_Me.C722E.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0X0PXXYX.txt
MD5
b620604399e019028c0ed090313cea09

SHA1
316ea69bc58d0b73dcc488b19740c8c7a31a033c

SHA256
525f91abc48c96c427269972f2d7cd11400ae52bb398173c04ad10eadbae31b7

SHA512
bcd6b76af2f442a3acf0e52d3d54711a2e381b2606b314a8b1ac203bdeaffdc1f9cc55de57229a04c58159f9732b2b72bd33471d9c42a8eecfa5c1daa75d053f

Download Submit
C:\Users\Admin\Desktop\!!Read_Me.C722E.html
MD5
8d46bf069f39590d570f0e24c8946306

SHA1
0cfa451b6b6d3e998788aecf59015c6823c9dbf2

SHA256
1a248666c48bd31622ceead6bc07a7f513aee331f04eee723729aee2de9593d9

SHA512
df0dc51256b7520a94c556a1ece9dcf3117506a0e65c45a9225853357fbec4a99a5521fed11e27585e9996c3711a4163f27ba5293bb2adc5689819a943e6a1c2

Download Submit
memory/216-77-0x0000000000000000-mapping.dmp

Download
memory/228-78-0x0000000000000000-mapping.dmp

Download
memory/528-68-0x0000000000000000-mapping.dmp

Download
memory/528-71-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/788-75-0x0000000000000000-mapping.dmp

Download
memory/800-70-0x0000000000000000-mapping.dmp

Download
memory/844-74-0x0000000000000000-mapping.dmp

Download
memory/856-66-0x0000000000000000-mapping.dmp

Download
memory/1072-67-0x0000000000000000-mapping.dmp

Download
memory/1176-61-0x0000000000000000-mapping.dmp

Download
memory/1392-76-0x0000000000000000-mapping.dmp

Download
memory/1424-85-0x0000000000000000-mapping.dmp

Download
memory/1492-84-0x0000000000000000-mapping.dmp

Download
memory/1540-83-0x0000000000000000-mapping.dmp

Download
memory/1608-79-0x0000000000000000-mapping.dmp

Download
memory/1612-63-0x0000000000000000-mapping.dmp

Download
memory/1628-73-0x0000000000000000-mapping.dmp

Download
memory/1640-86-0x0000000000000000-mapping.dmp

Download
memory/1696-65-0x0000000000000000-mapping.dmp

Download
memory/1748-82-0x0000000000000000-mapping.dmp

Download
memory/1764-81-0x0000000000000000-mapping.dmp

Download
memory/1776-64-0x0000000000000000-mapping.dmp

Download
memory/1800-69-0x0000000000000000-mapping.dmp

Download
memory/1812-80-0x0000000000000000-mapping.dmp

Download
memory/1828-72-0x0000000000000000-mapping.dmp

Download
memory/1940-62-0x0000000000000000-mapping.dmp

Download
memory/2016-59-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2060-87-0x0000000000000000-mapping.dmp

Download
memory/2088-88-0x0000000000000000-mapping.dmp

Download
memory/2100-89-0x0000000000000000-mapping.dmp

Download
memory/2176-92-0x0000000000000000-mapping.dmp

Download
memory/2184-96-0x0000000000000000-mapping.dmp

Download
memory/2192-97-0x0000000000000000-mapping.dmp

Download
memory/2200-91-0x0000000000000000-mapping.dmp

Download
memory/2220-90-0x0000000000000000-mapping.dmp

Download
memory/2228-93-0x0000000000000000-mapping.dmp

Download
memory/2236-94-0x0000000000000000-mapping.dmp

Download
memory/2248-95-0x0000000000000000-mapping.dmp

Download
memory/2748-100-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download
memory/2748-101-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/2748-99-0x0000000000000000-mapping.dmp

Download
memory/2860-103-0x0000000000000000-mapping.dmp

Download
memory/2888-104-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads