17ba67b2b5ec20c5fec06a580e293eefc665fc89f8bfc00d6b9b715bffa2d845

Analysis

max time kernel
111s
max time network
120s
platform
windows10_x64
resource
win10v20210408
submitted
10/06/2021, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchosts.exe
Size

13KB
MD5

43859f9a480451304b2efb0e2bc5ba72
SHA1

c05a69cfa4bede3a58f48ff09de4f49aa988faee
SHA256

17ba67b2b5ec20c5fec06a580e293eefc665fc89f8bfc00d6b9b715bffa2d845
SHA512

22e3da706a0b5e4e360c97f3bc80c4ab55e4ffff62aab92adc13e5c2ee2d06f93178504049a3a620a88d30c57b7cf3a53c9ef9166804a1115c4b821f9d092afe

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\#Decrypt#.txt

Ransom Note

Hello my dear friend! All your files have been encrypted due to a security problem with your PC! If you want to restore them, install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ Write to our ICQ @xhamster2020 https://icq.im/xhamster2020 Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Price depends on how fast you contact us. We give all guarantees of your files decryption. IF WE DONT SEE MESSAGE FROM YOU IN 48 HOURS - ALL IMPORTANT INFORMATION FROM YOUR SERVERS (DATABASES, COMPANY DOCUMENTS, ACCESS DATA ETC) WILL BE UPLOADED TO THE DARKNET tell your unique ID 4qK0tmnmSbOyvfB8jNcIKBxvCx1USG5k9ug23BPRNbq9aRQflrKH9vhr8r17zSizQhl01ZYvTOEl8lZLmJWWopgXIdKJSn09HJd02s4hmGx4liHBYKlG/+5bSVERBWcTf3WkasbUGy6x8qOBPe5XU2J/I4nkKmr6nHdVS1NzuewewbUaP0IT+ZCDjeMlEf2egS0TOBN5gH1Tzq/nkU6CD7pVPB/2STa7+JugCpgDzNjABPvmXzHjNCx7YECkZXE+4l/rjwIupd0ouw3dfY7667QE8YOUERIi4RXtkeChNoIfZwEWPc/m+bgy+RKEptLhs4sIaHUOdo32RZYVD2pdqZtQk2x1awkoGGrFChhYK+7KuOCjFVC6ll6SUixHWat2UzdAZXjALnvzNiArXtWYmqoYFBuVgTOHt1kOwOgjedZH5jbkqjd/+1A2mrwkb8SI/MzZHOGhC7idtJfqv31xS4XOdR6lTsVJuKF+bkCmHtE1r1Q0rhh2YxeEdGBT7Xmib6QYawr96QMbTlQgwhlEEPh5/C/DHLiBqoDRLpfsbTWgpQ05Op7f1bc+Es2hyQI2NxkrJvW2JwYBb+2tjquw/jr58m6hCy2J4IyCvEqYbMdRQrktjwgYAQczaS/cf6BoxbOdGPgP31/FrWaK+3XYwsB8UR/ncCngJ/+Ay9Hx1IN49+Z0EAZHg5UH7EeEJG2YUZCtYwG0zQFcVnAQou08uMVnv1o55Jmpt+fl0bMVL+cGrk99UpdSlbx8QN9mfrYppdiwLjUmQgKiJeI+C8Tc/fb6D/4AvfKwcsR2Nu8r4XHLFcNe5btQ3bjexIPPjpztaHT88wG069GBBHASiyuBqs7Z5by/O2p4cXdOazVmQApGWaCPTjQ4NeYA/QUKJ50SuX6wd3BiR1z7aGOhQFT+vAlmjGA7U5+ulejxIcGZTfUJ28tEIIAqG46jj8ZHETr9sauSI/8uR4bC+qUgWotEFRI3E/vJ4ISBdQC2qz6IQsCaADeuivOmcYl7Mc1v6TFDVmV+hpQb1C1qORKjrPlYv56L6M32eu2zJ00oCH/S3NroLyKQeYd9qgxBEQCjNhLo/cN9126o4CTWNEFFOTNBV3+uAUuGmsRAzTLJWLx7BhIttBenQVGFgGy2yfunHPcrYlW/G1efIb53jToAvcw6vt98E4a+wlYpru929C6eOTmbxJeGIISSOa39q/WIlT102ChC3Ygg0QOvrq/fyF9D/sJhTfWkYnApW5vPDbV4GHkQQmdxzwHVtwIQ1KYvvkTZtJhdXtaA0n843/iGlWds6r/za5HfEa6rT381r0ObbMkPOmFcRx7gLnfvvSd8cb3gyqjkEAB+4oi2WpxASMsMHg==

URLs

https://icq.com/windows/

https://icq.im/xhamster2020

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3664	bcdedit.exe
1504	bcdedit.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\CloseResume.tif => C:\Users\Admin\Pictures\CloseResume.tif.XHAMSTER	svchosts.exe
File renamed	C:\Users\Admin\Pictures\PingInvoke.png => C:\Users\Admin\Pictures\PingInvoke.png.XHAMSTER	svchosts.exe
File renamed	C:\Users\Admin\Pictures\ReceiveUnpublish.tiff => C:\Users\Admin\Pictures\ReceiveUnpublish.tiff.XHAMSTER	svchosts.exe
File renamed	C:\Users\Admin\Pictures\ResetExport.raw => C:\Users\Admin\Pictures\ResetExport.raw.XHAMSTER	svchosts.exe
File renamed	C:\Users\Admin\Pictures\RestartUse.raw => C:\Users\Admin\Pictures\RestartUse.raw.XHAMSTER	svchosts.exe
File renamed	C:\Users\Admin\Pictures\ApproveOptimize.tif => C:\Users\Admin\Pictures\ApproveOptimize.tif.XHAMSTER	svchosts.exe
File renamed	C:\Users\Admin\Pictures\CompareRename.tif => C:\Users\Admin\Pictures\CompareRename.tif.XHAMSTER	svchosts.exe
File renamed	C:\Users\Admin\Pictures\ReadResize.crw => C:\Users\Admin\Pictures\ReadResize.crw.XHAMSTER	svchosts.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveUnpublish.tiff	svchosts.exe
File renamed	C:\Users\Admin\Pictures\ResetRepair.png => C:\Users\Admin\Pictures\ResetRepair.png.XHAMSTER	svchosts.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeConvertFrom.tiff	svchosts.exe
File renamed	C:\Users\Admin\Pictures\ResumeConvertFrom.tiff => C:\Users\Admin\Pictures\ResumeConvertFrom.tiff.XHAMSTER	svchosts.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\#Decrypt#.txt	svchosts.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 33 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\desktop.ini	svchosts.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchosts.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	svchosts.exe
File opened for modification	C:\Program Files\desktop.ini	svchosts.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchosts.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	svchosts.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	svchosts.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchosts.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchosts.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F3E6.tmp.jpg"	svchosts.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125_contrast-white.png	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\24.png	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_ClipAndAdd_RTL_Tablet.mp4	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\offsymxl.ttf	svchosts.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblendbench_plugin.dll	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.1.25002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\en-GB\toc.xml	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d0.png	svchosts.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\files_icons2x.png	svchosts.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\RECOVR32.CNV	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-unplated.png	svchosts.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Addons\#Decrypt#.txt	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\new_collection_available.png	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	svchosts.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\ui-strings.js	svchosts.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\#Decrypt#.txt	svchosts.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\ui-strings.js	svchosts.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\#Decrypt#.txt	svchosts.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms	svchosts.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms	svchosts.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\wmpnetwk.exe.mui	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.scale-200.png	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\3416_40x40x32.png	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\Movie-TVStoreLogo.scale-200_contrast-white.png	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-150.png	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\mv_60x42.png	svchosts.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\COPYRIGHT	svchosts.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\#Decrypt#.txt	svchosts.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll	svchosts.exe
File created	C:\Program Files\Windows Mail\en-US\#Decrypt#.txt	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\WideTile.scale-125.png	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\2.jpg	svchosts.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\#Decrypt#.txt	svchosts.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview_selected-hover.svg	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Preview.png	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleWideTile.scale-200.png	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\happy.png	svchosts.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-sl\#Decrypt#.txt	svchosts.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldExist.snippets.ps1xml	svchosts.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui	svchosts.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMB.TTF	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\resources.pri	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-30_altform-unplated.png	svchosts.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\#Decrypt#.txt	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireLargeTile.scale-125.jpg	svchosts.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms	svchosts.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OART.DLL	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\shape_torus.png	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\freecell\Get_Out_Of_Jail_Free_Unearned_small.png	svchosts.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\ui-strings.js	svchosts.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	svchosts.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV	svchosts.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-100_contrast-white.png	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256.png	svchosts.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_pt_BR.properties	svchosts.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-black_scale-125.png	svchosts.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\ui-strings.js	svchosts.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-24_altform-unplated.png	svchosts.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg	svchosts.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	svchosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
280	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1900	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
812	svchosts.exe
812	svchosts.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	696	vssvc.exe
Token: SeRestorePrivilege	696	vssvc.exe
Token: SeAuditPrivilege	696	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 1900	812	svchosts.exe	74
PID 812 wrote to memory of 1900	812	svchosts.exe	74
PID 812 wrote to memory of 208	812	svchosts.exe	79
PID 812 wrote to memory of 208	812	svchosts.exe	79
PID 812 wrote to memory of 188	812	svchosts.exe	81
PID 812 wrote to memory of 188	812	svchosts.exe	81
PID 812 wrote to memory of 2300	812	svchosts.exe	83
PID 812 wrote to memory of 2300	812	svchosts.exe	83
PID 208 wrote to memory of 3664	208	cmd.exe	85
PID 208 wrote to memory of 3664	208	cmd.exe	85
PID 188 wrote to memory of 1504	188	cmd.exe	86
PID 188 wrote to memory of 1504	188	cmd.exe	86
PID 2300 wrote to memory of 3444	2300	cmd.exe	87
PID 2300 wrote to memory of 3444	2300	cmd.exe	87
PID 812 wrote to memory of 3484	812	svchosts.exe	89
PID 812 wrote to memory of 3484	812	svchosts.exe	89
PID 812 wrote to memory of 3484	812	svchosts.exe	89
PID 3484 wrote to memory of 280	3484	cmd.exe	91
PID 3484 wrote to memory of 280	3484	cmd.exe	91
PID 3484 wrote to memory of 280	3484	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\svchosts.exe
"C:\Users\Admin\AppData\Local\Temp\svchosts.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\System32\vssadmin.exe
  delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1900
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3664
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:188
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1504
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c netsh advfirewall set allprofiles state off
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\svchosts.exe" >> NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:280