17ba67b2b5ec20c5fec06a580e293eefc665fc89f8bfc00d6b9b715bffa2d845

Analysis

max time kernel
68s
max time network
36s
platform
windows7_x64
resource
win7v20210410
submitted
10/06/2021, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchosts.exe
Size

13KB
MD5

43859f9a480451304b2efb0e2bc5ba72
SHA1

c05a69cfa4bede3a58f48ff09de4f49aa988faee
SHA256

17ba67b2b5ec20c5fec06a580e293eefc665fc89f8bfc00d6b9b715bffa2d845
SHA512

22e3da706a0b5e4e360c97f3bc80c4ab55e4ffff62aab92adc13e5c2ee2d06f93178504049a3a620a88d30c57b7cf3a53c9ef9166804a1115c4b821f9d092afe

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\#Decrypt#.txt

Ransom Note

Hello my dear friend! All your files have been encrypted due to a security problem with your PC! If you want to restore them, install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ Write to our ICQ @xhamster2020 https://icq.im/xhamster2020 Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Price depends on how fast you contact us. We give all guarantees of your files decryption. IF WE DONT SEE MESSAGE FROM YOU IN 48 HOURS - ALL IMPORTANT INFORMATION FROM YOUR SERVERS (DATABASES, COMPANY DOCUMENTS, ACCESS DATA ETC) WILL BE UPLOADED TO THE DARKNET tell your unique ID yvh+ByG+XJwc1Rko33QInRj9bY+AyOorsAOmB9SNHfwbYxzHkfl6XYNSvjevEfs0MkZk1dMqceNMqOXOHpB4s3yvpWzmyTxgJY6mkz9TjuOcP+lU128mB7bbPnY391/KhHSb0RiKwkZR9w/A4jOARWLeY1ncfh1eUuUfbdjru+InsjxuzmVrhnOY0oDH/5QAbyyrhB73PUrksoidZu5NqIaKUgkVA4NTKHuSu2yYyfid3skCa7R1MpOKaZgTHWNayAuP5wroY/8T/of81qEqspHkvJ1xqRkSl8dp7VEaou2sQZEdvpN6OLFV5pzpc6Jd92eHHy4OvD8+eLO6lGN0po2Ms6QPU3RSzrn/5G3Ww4FeEZGz02DZzxcG4knzJU8XUGBVBoDO34QJGQbX2OASI8HABGD3cHYtUw7XP9MYMowIB8tv67lVBV3b0ibsSrOI+3YHTark8VNG2+AkxRWkV+LD6B0lRXDA36SPKM7j30+BGQKqOSDqRDoke4FIbab06RJQez1UzGcAW5qCeLYRB86jjtpsqzdqzdmUXbjtDst/v2MZ8/a/sd0smUxFh3s9zZQ5qNboTfZLVsURmqGjOY3w2A0TayWhdCL9icoQCDHX2BslQwUtZOst/VWNRVy2uXnzoCQ84vUuOIvMJBqSb5uv9DEWw+klevQRV+ylxnFGSsRKUaDv4chjd+CMAh2r9RFxs31Ezd2P8S9KwEy8PJvWRcXOOOZlYldZflmv95HnNd+T9akBHtgIxUQXZ76hYZ8T336sz1ynNj0z+zF81odUY9wAzSz4ZmMqGRCKNnXWakub4CXyqtIALKv5+9fFBJ+jkwGugYGKTm1tfcqwEiVd8ECOM/3ulYUX9n8NDoiePE5qxb1nmd9Dgp49QG3Q2hGa/kbk5tXJtMQycPcMcDdPh5HpwBFsEtlFJDaWMzTCxibDGgg37IswpVtSYL44SGuOYhv46anov8jKO3pjFNvFdykTFILYz8IObft9rnWxAhFfZFdG1lNH77wHQAlA77p2RQPVXApJS9R2rxdnW9GRID6opStsSK/FKiwYePE+0MsaLgVKsWrsblcVOlB4CKimwH7tdbH0euMaxzhWm83w06Nl/j4Cg3X6BXqkGr/5h308EK1PXE0XW2RZx3joKde3bHaM02XTL+8ZCcmdm3tfjptTWt/rwaAG3immBVn/Qy5LnEsuZe+iNf4q2UMmj8boL9ZkUj67QL2n4K/Iz4NHfJP8Un1T7nYaiTk2fZhmcEb7YXc+oUqif2rwx7XOsEqvzSnpUYYXNP90zSTXbnVfWhM3jjxsuRM0jurWNF9YTCZ2FFjAMoXZCAmz81KApB5dvTUtFTeZuU2ZuawmNw==

URLs

https://icq.com/windows/

https://icq.im/xhamster2020

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1792	bcdedit.exe
1708	bcdedit.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ExitEnter.png => C:\Users\Admin\Pictures\ExitEnter.png.XHAMSTER	svchosts.exe
File renamed	C:\Users\Admin\Pictures\GroupInstall.raw => C:\Users\Admin\Pictures\GroupInstall.raw.XHAMSTER	svchosts.exe
File opened for modification	C:\Users\Admin\Pictures\TestGet.tiff	svchosts.exe
File renamed	C:\Users\Admin\Pictures\TestGet.tiff => C:\Users\Admin\Pictures\TestGet.tiff.XHAMSTER	svchosts.exe

Deletes itself 1 IoCs

pid	Process
1628	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 41 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchosts.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	svchosts.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MLS6OOW4\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchosts.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XVLP3GFJ\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\desktop.ini	svchosts.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	svchosts.exe
File opened for modification	C:\Program Files\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	svchosts.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchosts.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7159.tmp.jpg"	svchosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\Wallpaper.jpg"	svchosts.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar	svchosts.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00224_.WMF	svchosts.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_elf.dll	svchosts.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy	svchosts.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby	svchosts.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar	svchosts.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\#Decrypt#.txt	svchosts.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll	svchosts.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right.gif	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\OliveGreen.css	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200467.WMF	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\macroprogress.gif	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_es.dub	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN105.XML	svchosts.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	svchosts.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\#Decrypt#.txt	svchosts.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox	svchosts.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\#Decrypt#.txt	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	svchosts.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png	svchosts.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar	svchosts.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-loaders.jar	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00246_.WMF	svchosts.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\#Decrypt#.txt	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME43.CSS	svchosts.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll	svchosts.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Metlakatla	svchosts.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc	svchosts.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll	svchosts.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00163_.GIF	svchosts.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-docked.png	svchosts.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png	svchosts.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\#Decrypt#.txt	svchosts.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.INF	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00157_.GIF	svchosts.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	svchosts.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	svchosts.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui	svchosts.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua	svchosts.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POST.CFG	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ACCSBAR.POC	svchosts.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp	svchosts.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar	svchosts.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEWSTR.DLL	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00723_.WMF	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01300_.GIF	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OMML2MML.XSL	svchosts.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnPPT.dll	svchosts.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js	svchosts.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	svchosts.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	svchosts.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv	svchosts.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png	svchosts.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll	svchosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1900	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2004	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
540	svchosts.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	1772	vssvc.exe
Token: SeRestorePrivilege	1772	vssvc.exe
Token: SeAuditPrivilege	1772	vssvc.exe
Token: 33	216	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	216	AUDIODG.EXE
Token: 33	216	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	216	AUDIODG.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 2004	540	svchosts.exe	26
PID 540 wrote to memory of 2004	540	svchosts.exe	26
PID 540 wrote to memory of 2004	540	svchosts.exe	26
PID 540 wrote to memory of 2004	540	svchosts.exe	26
PID 540 wrote to memory of 2032	540	svchosts.exe	28
PID 540 wrote to memory of 2032	540	svchosts.exe	28
PID 540 wrote to memory of 2032	540	svchosts.exe	28
PID 540 wrote to memory of 2032	540	svchosts.exe	28
PID 540 wrote to memory of 1172	540	svchosts.exe	30
PID 540 wrote to memory of 1172	540	svchosts.exe	30
PID 540 wrote to memory of 1172	540	svchosts.exe	30
PID 540 wrote to memory of 1172	540	svchosts.exe	30
PID 540 wrote to memory of 1780	540	svchosts.exe	31
PID 540 wrote to memory of 1780	540	svchosts.exe	31
PID 540 wrote to memory of 1780	540	svchosts.exe	31
PID 540 wrote to memory of 1780	540	svchosts.exe	31
PID 2032 wrote to memory of 1792	2032	cmd.exe	33
PID 2032 wrote to memory of 1792	2032	cmd.exe	33
PID 2032 wrote to memory of 1792	2032	cmd.exe	33
PID 1172 wrote to memory of 1708	1172	cmd.exe	36
PID 1172 wrote to memory of 1708	1172	cmd.exe	36
PID 1172 wrote to memory of 1708	1172	cmd.exe	36
PID 1780 wrote to memory of 1776	1780	cmd.exe	37
PID 1780 wrote to memory of 1776	1780	cmd.exe	37
PID 1780 wrote to memory of 1776	1780	cmd.exe	37
PID 540 wrote to memory of 1628	540	svchosts.exe	42
PID 540 wrote to memory of 1628	540	svchosts.exe	42
PID 540 wrote to memory of 1628	540	svchosts.exe	42
PID 540 wrote to memory of 1628	540	svchosts.exe	42
PID 1628 wrote to memory of 1900	1628	cmd.exe	44
PID 1628 wrote to memory of 1900	1628	cmd.exe	44
PID 1628 wrote to memory of 1900	1628	cmd.exe	44
PID 1628 wrote to memory of 1900	1628	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\svchosts.exe
"C:\Users\Admin\AppData\Local\Temp\svchosts.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\system32\vssadmin.exe
  delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2004
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1792
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1708
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c netsh advfirewall set allprofiles state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\svchosts.exe" >> NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\#Decrypt#.txt
1⤵
PID:552

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-60-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1776-68-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

Filesize
8KB

Download