Analysis
max time kernel: 52s
max time network: 108s
platform: windows7_x64
resource: win7v20210410
submitted: 24-06-2021 06:02
Static task: static1
Behavioral task: behavioral1 (sample SvHost-3.exe, resource win7v20210410)
Behavioral task: behavioral2 (sample SvHost-3.exe, resource win10v20210408)
General
Target: SvHost-3.exe
Size: 1.3MB
MD5: 6d0cefa5b7f1744aa5dbc041c50b1709
SHA1: 023fe5cafe7f0b32bfaf1b3549785e4d36a13b63
SHA256: c6da46d2abe90035674272a826d1203dde07338e27e3ebefc6335cbedb389019
SHA512: fb3bef44b77d7d3b83c42f769236f2c7646f1642d07f3650199d6511a111b31cb917fdc9d776d0e4be5cffb374a162ce4cd09925463b94f9bf8be50501f66631
Malware Config
Extracted from: C:\Users\Admin\Desktop\Decrypt-info.txt
Email addresses: BlackSpyro@tutanota.com, BlackSpyro@mailfence.com
Signatures

Ouroboros/Zeropadypt
Ransomware family based on open-source CryptoWire.

Drops file in Drivers directory (9 IoCs)
Process: Windows Session Manager.exe
File opened for modification: C:\Windows\SysWOW64\drivers\gm.dls
File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt
File opened for modification: C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui
File opened for modification: C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui
File opened for modification: C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui
File opened for modification: C:\Windows\SysWOW64\drivers\wimmount.sys
File opened for modification: C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui
File opened for modification: C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui
File opened for modification: C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui

Executes dropped EXE (1 IoC)
Process: Windows Session Manager.exe (PID 572)

Modifies Windows Firewall (1 TTP)

Drops startup file (1 IoC)
Process: Windows Session Manager.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

Loads dropped DLL (3 IoCs)
Process: SvHost-3.exe (PID 1036), three entries

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (64 IoCs)
Process: Windows Session Manager.exe
Drops file in System32 directory (64 IoCs)
Process: Windows Session Manager.exe
Drops file in Program Files directory (64 IoCs)
Process: Windows Session Manager.exe; created files carry the appended extension .[BlackSpyro@tutanota.com][4F3EE062].Spyro
Drops file in Windows directory (64 IoCs)
Process: Windows Session Manager.exe
Manager.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_perf.ini Windows Session Manager.exe File opened for modification C:\Windows\winsxs\amd64_mdmzoom.inf_31bf3856ad364e35_6.1.7600.16385_none_74f94081302baaad\mdmzoom.inf Windows Session Manager.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-core_31bf3856ad364e35_6.1.7601.17514_none_474e72a0a0c61a74\msoeacct.dll Windows Session Manager.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\f3e56ef4494d5d7845ad4070fd599860\System.DirectoryServices.ni.dll.aux Windows Session Manager.exe File opened for modification C:\Windows\PolicyDefinitions\PerformancePerftrack.admx Windows Session Manager.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-b..smcnative.resources_31bf3856ad364e35_6.1.7600.16385_en-us_912e40bbd6ff2a08\smcnative.dll.mui Windows Session Manager.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-d..e-coretipjpnprofile_31bf3856ad364e35_6.1.7601.17514_none_40000a14149c4d20\IMJPTIP.DLL Windows Session Manager.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Drawing.dll Windows Session Manager.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.VisualBasic.Activities.Compiler.dll Windows Session Manager.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-VirtualXP-Licensing-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum Windows Session Manager.exe File opened for modification C:\Windows\winsxs\amd64_hcw85b64.inf_31bf3856ad364e35_6.1.7600.16385_none_61287d00f82bbdeb\hcw85mlD.rom Windows Session Manager.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_2d228c23dc8c3814\fms.dll.mui Windows Session Manager.exe File opened for modification 
C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe Windows Session Manager.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NTFS ADS 6 IoCs
Processes:
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
pid  process
572  Windows Session Manager.exe
572  Windows Session Manager.exe
572  Windows Session Manager.exe
572  Windows Session Manager.exe
572  Windows Session Manager.exe
572  Windows Session Manager.exe
572  Windows Session Manager.exe
572  Windows Session Manager.exe
572  Windows Session Manager.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\SvHost-3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SvHost-3.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops startup file
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop MSDTC
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        Command line: net stop MSDTC
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop MSDTC
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        Command line: net stop SQLSERVERAGENT
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop SQLSERVERAGENT
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        Command line: net stop MSSQLSERVER
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop MSSQLSERVER
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop vds
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        Command line: net stop vds
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop vds
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh advfirewall set currentprofile state off
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall set opmode mode=disable
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop SQLWriter
      C:\Windows\SysWOW64\net.exe
        Command line: net stop SQLWriter
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop SQLWriter
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
      C:\Windows\SysWOW64\net.exe
        Command line: net stop SQLBrowser
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop SQLBrowser
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      C:\Windows\SysWOW64\net.exe
        Command line: net stop MSSQLSERVER
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop MSSQLSERVER
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
      C:\Windows\SysWOW64\net.exe
        Command line: net stop MSSQL$CONTOSO1
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop MSSQL$CONTOSO1
C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Decrypt-info.txt
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\IDk.txt
MD5 d3635b8ba50ffabf323452131e233079
SHA1 fd20ffe361e5def412a71d4df0da9177f83899b7
SHA256 00d86384045c0d308702aa77bb8682c5132fb0ebb153e99018304dcf9f20c08e
SHA512 eb125bec66a99c317624da8e4a670705fe829ac6779f7b171bdb5a154a1c26ab6d3d87514e1f8376ed9d4bf792a78d36e9ad8dfd06e64c314bfb0076fe8ab665
-
C:\ProgramData\pkey.txt
MD5 f8c45a865278e2ac3898f21f5c52dd63
SHA1 e90c0d87a1b5ff45951ad08fac09a12fbc9cc223
SHA256 75a4371f14c16dcbfc1724ee3d0e16503050b260e95a83138e34f22689ca0645
SHA512 5f09cb366e8433a504014fd201e4ef0558269f70c1aca5857a13e7fd4af578a7e5ec74a98a8fdd7ee0159e9e5d73dacba40b159eadd88188b131cc29f865e937
-
C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
MD5 000e2743bf3cb96cefc4be357765cec3
SHA1 62b9b6afc91e349c56ce967985eec229f7db82aa
SHA256 126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3
SHA512 b8298aed9d0ac929c9942ff8addce2a3b0e779093dad50fc99242542e8894fb0c45a5d4e60ed33691fc5fbcdeccfc9e50244dad6056500de8a28fddb6f6f275f
-
C:\Users\Admin\Desktop\Decrypt-info.txt
MD5 8f354c539d510bed2647d3648fd8faaf
SHA1 905a22e60242511e35dfb257952a61e8f2b3f327
SHA256 2874f97a4b5b0c4ce7259a25b45f313090c22fcc0a6d274151e941e55356ae8c
SHA512 422e63bba5059e4df90b3f598dc29c945ffe023c0459b7ab1f7066407f905ce1d4cd4ddcd6eb9fbc969d150f904940664f8a35feff9c04613ca393e30a1c3399
-
\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
MD5 000e2743bf3cb96cefc4be357765cec3
SHA1 62b9b6afc91e349c56ce967985eec229f7db82aa
SHA256 126f06426beeaaeea65331c5896590eb558405e5b924254e1aa17c3adc5c2fb3
SHA512 b8298aed9d0ac929c9942ff8addce2a3b0e779093dad50fc99242542e8894fb0c45a5d4e60ed33691fc5fbcdeccfc9e50244dad6056500de8a28fddb6f6f275f
-