c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71

Analysis

max time kernel
119s
max time network
156s
platform
windows7_x64
resource
win7v20210410
submitted
26-07-2021 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
Size

252KB
MD5

056fa68a3a2b65e4677f685746283209
SHA1

991f7fa89b13f94a5de106950c14a2f0321069f6
SHA256

c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71
SHA512

cca455cacc8bedb3766762327b3b7e640386d16470a538335f119dda3369a7e1963561ea7a9fd112327a0a5ccbeb464ac2f7ab274fbc968dec159a6270ac2061

Score

10^/10

evasion persistence ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\how_recover+gap.txt

Ransom Note

111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 How did this happen ? ---Specially for your PC was generated personal RSA-4096 KEY, both public and private. ---ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://vr6g2curb2kcidou.encpayment23.com/AD7D2BC4DB652761 2. http://vr6g2curb2kcidou.expay34.com/AD7D2BC4DB652761 3. http://psbc532jm8c.hsh73cu37n1.net/AD7D2BC4DB652761 4. https://vr6g2curb2kcidou.onion.to/AD7D2BC4DB652761 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: vr6g2curb2kcidou.onion/AD7D2BC4DB652761 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://vr6g2curb2kcidou.encpayment23.com/AD7D2BC4DB652761 http://vr6g2curb2kcidou.expay34.com/AD7D2BC4DB652761 http://psbc532jm8c.hsh73cu37n1.net/AD7D2BC4DB652761 https://vr6g2curb2kcidou.onion.to/AD7D2BC4DB652761 Your personal page (using TOR-Browser): vr6g2curb2kcidou.onion/AD7D2BC4DB652761 Your personal identification number (if you open the site (or TOR-Browser's) directly): AD7D2BC4DB652761 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

URLs

http://vr6g2curb2kcidou.encpayment23.com/AD7D2BC4DB652761

http://vr6g2curb2kcidou.expay34.com/AD7D2BC4DB652761

http://psbc532jm8c.hsh73cu37n1.net/AD7D2BC4DB652761

https://vr6g2curb2kcidou.onion.to/AD7D2BC4DB652761

http://vr6g2curb2kcidou.onion/AD7D2BC4DB652761

Extracted

Path

C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html

Ransom Note

NOT YOUR LANGUAGE? USE Google Translate What happened to your files? protected by a strong encryption with RSA-4096 More information about the encryption RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) does this mean? means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our Secret Server!!! * do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really need your data, then we suggest you do not waste valuable time searching for other solutions becausen they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1.http://vr6g2curb2kcidou.encpayment23.com/AD7D2BC4DB652761 2.http://vr6g2curb2kcidou.expay34.com/AD7D2BC4DB652761 3.http://psbc532jm8c.hsh73cu37n1.net/AD7D2BC4DB652761 4.https://vr6g2curb2kcidou.onion.to/AD7D2BC4DB652761 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the tor-browser address bar: vr6g2curb2kcidou.onion/AD7D2BC4DB652761 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your Personal PAGES: http://vr6g2curb2kcidou.encpayment23.com/AD7D2BC4DB652761 http://vr6g2curb2kcidou.expay34.com/AD7D2BC4DB652761 http://psbc532jm8c.hsh73cu37n1.net/AD7D2BC4DB652761 https://vr6g2curb2kcidou.onion.to/AD7D2BC4DB652761 Your Personal PAGES (using TOR-Browser): vr6g2curb2kcidou.onion/AD7D2BC4DB652761 Your personal code (if you open the site (or TOR-Browser's) directly):

URLs

http://vr6g2curb2kcidou.onion/AD7D2BC4DB652761

http://vr6g2curb2kcidou.encpayment23.com/AD7D2BC4DB652761

http://vr6g2curb2kcidou.expay34.com/AD7D2BC4DB652761

http://psbc532jm8c.hsh73cu37n1.net/AD7D2BC4DB652761

https://vr6g2curb2kcidou.onion.to/AD7D2BC4DB652761

Signatures

suricata: ET MALWARE AlphaCrypt CnC Beacon 5
suricata
suricata: ET MALWARE AlphaCrypt CnC Beacon 6
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

516 bcdedit.exe
1140 bcdedit.exe
928 bcdedit.exe
1784 bcdedit.exe
736 bcdedit.exe
Executes dropped EXE 1 IoCs

Processes:

gabnnacroic.exe

pid process

1704 gabnnacroic.exe

pid	process
516	bcdedit.exe
1140	bcdedit.exe
928	bcdedit.exe
1784	bcdedit.exe
736	bcdedit.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

gabnnacroic.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CompressEnter.crw => C:\Users\Admin\Pictures\CompressEnter.crw.vvv	gabnnacroic.exe
File renamed	C:\Users\Admin\Pictures\MoveInstall.png => C:\Users\Admin\Pictures\MoveInstall.png.vvv	gabnnacroic.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2020 cmd.exe

pid	process
2020	cmd.exe

Drops startup file 2 IoCs

Processes:

gabnnacroic.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+gap.txt	gabnnacroic.exe

Loads dropped DLL 1 IoCs

Processes:

c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe

pid process

1732 c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1732	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gabnnacroic.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	gabnnacroic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\gabnnacroic.exe"	gabnnacroic.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 myexternalip.com
8 myexternalip.com

flow	ioc
5	myexternalip.com
8	myexternalip.com

Drops file in Program Files directory 64 IoCs

Processes:

gabnnacroic.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_s.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png	gabnnacroic.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png	gabnnacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\calendar.css	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv	gabnnacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi	gabnnacroic.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png	gabnnacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\picturePuzzle.css	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_s.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\Google\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	gabnnacroic.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\how_recover+gap.html	gabnnacroic.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\how_recover+gap.txt	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv	gabnnacroic.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png	gabnnacroic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

624 vssadmin.exe
1320 vssadmin.exe

pid	process
624	vssadmin.exe
1320	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0c22efd2582d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b02e9fe2c9041842933c5d709b805a270000000002000000000010660000000100002000000027c58eddb9d2ddad3e09c181f30591e2bbe01f40c239a931fb3157d20d0caf66000000000e800000000200002000000095aac1831c860a67aab48fa1c0c4055dcd376a723ffe8daf370960a2d50ebef790000000980be95fbe8f48b3a0ee35b0ef7cad67b2220af940ea7939597497a4798032ff8f626d671097747629479ffbf0288e5116b6190920442525535ab5f7a432bb3a46033d940851261c6ab4cf8afe175971430fb85e2ef4d937282b51ba16caf2e98eff6d485d6dda69ecdf9ffc6c9dbc3499d7e141ad542c19b7ee8ecd1f89fa333fa81e1f4322ce0044bcc42c1545d2b84000000073d2239a2e44a86441e179a392684e9921f80a87e3782b225dbc838af002f0c07881de4574400ad585128842f26d0b543addc34e13df90119a1c8cd6edbfe946	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "334072712"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{27EA9651-EE19-11EB-8528-FAFEA7710D2E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b02e9fe2c9041842933c5d709b805a270000000002000000000010660000000100002000000079d44cf61cab8f2bafb495abaecbe5e64a225e16bfaaf853ea2fe8cd52a03ef0000000000e800000000200002000000035f68a5c8b881ae65916b165bea770dfd28cc66913f02623d88741123931342b200000004cdf06cd05df5c0cc87ee5d42c300c9784416bc2979730671fd6e4b87569e4c14000000029d4a0902a0b76fe6ae0fef7dfb76a1b32f4d6ad04438475a63d16b3f0f384aba6c81299beca324aae44341871ecf023911c495ef9a813a42cd0c59e952b5904	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

gabnnacroic.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	gabnnacroic.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	gabnnacroic.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	gabnnacroic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	gabnnacroic.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	gabnnacroic.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1476 NOTEPAD.EXE

pid	process
1476	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gabnnacroic.exe

pid	process
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe
1704	gabnnacroic.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exegabnnacroic.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1732	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
Token: SeDebugPrivilege	1704	gabnnacroic.exe
Token: SeBackupPrivilege	1556	vssvc.exe
Token: SeRestorePrivilege	1556	vssvc.exe
Token: SeAuditPrivilege	1556	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

1792 iexplore.exe
1832 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1792 iexplore.exe
1792 iexplore.exe
556 IEXPLORE.EXE
556 IEXPLORE.EXE

pid	process
1792	iexplore.exe
1832	DllHost.exe

pid	process
1792	iexplore.exe
1792	iexplore.exe
556	IEXPLORE.EXE
556	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exegabnnacroic.exeiexplore.exe

description	pid	process	target process
PID 1732 wrote to memory of 1704	1732	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	gabnnacroic.exe
PID 1732 wrote to memory of 1704	1732	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	gabnnacroic.exe
PID 1732 wrote to memory of 1704	1732	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	gabnnacroic.exe
PID 1732 wrote to memory of 1704	1732	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	gabnnacroic.exe
PID 1732 wrote to memory of 2020	1732	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	cmd.exe
PID 1732 wrote to memory of 2020	1732	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	cmd.exe
PID 1732 wrote to memory of 2020	1732	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	cmd.exe
PID 1732 wrote to memory of 2020	1732	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	cmd.exe
PID 1704 wrote to memory of 516	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 516	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 516	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 516	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 624	1704	gabnnacroic.exe	vssadmin.exe
PID 1704 wrote to memory of 624	1704	gabnnacroic.exe	vssadmin.exe
PID 1704 wrote to memory of 624	1704	gabnnacroic.exe	vssadmin.exe
PID 1704 wrote to memory of 624	1704	gabnnacroic.exe	vssadmin.exe
PID 1704 wrote to memory of 1140	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 1140	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 1140	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 1140	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 928	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 928	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 928	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 928	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 1784	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 1784	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 1784	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 1784	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 736	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 736	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 736	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 736	1704	gabnnacroic.exe	bcdedit.exe
PID 1704 wrote to memory of 1476	1704	gabnnacroic.exe	NOTEPAD.EXE
PID 1704 wrote to memory of 1476	1704	gabnnacroic.exe	NOTEPAD.EXE
PID 1704 wrote to memory of 1476	1704	gabnnacroic.exe	NOTEPAD.EXE
PID 1704 wrote to memory of 1476	1704	gabnnacroic.exe	NOTEPAD.EXE
PID 1704 wrote to memory of 1792	1704	gabnnacroic.exe	iexplore.exe
PID 1704 wrote to memory of 1792	1704	gabnnacroic.exe	iexplore.exe
PID 1704 wrote to memory of 1792	1704	gabnnacroic.exe	iexplore.exe
PID 1704 wrote to memory of 1792	1704	gabnnacroic.exe	iexplore.exe
PID 1792 wrote to memory of 556	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 556	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 556	1792	iexplore.exe	IEXPLORE.EXE
PID 1792 wrote to memory of 556	1792	iexplore.exe	IEXPLORE.EXE
PID 1704 wrote to memory of 1320	1704	gabnnacroic.exe	vssadmin.exe
PID 1704 wrote to memory of 1320	1704	gabnnacroic.exe	vssadmin.exe
PID 1704 wrote to memory of 1320	1704	gabnnacroic.exe	vssadmin.exe
PID 1704 wrote to memory of 1320	1704	gabnnacroic.exe	vssadmin.exe
PID 1704 wrote to memory of 1584	1704	gabnnacroic.exe	cmd.exe
PID 1704 wrote to memory of 1584	1704	gabnnacroic.exe	cmd.exe
PID 1704 wrote to memory of 1584	1704	gabnnacroic.exe	cmd.exe
PID 1704 wrote to memory of 1584	1704	gabnnacroic.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

gabnnacroic.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gabnnacroic.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gabnnacroic.exe

C:\Users\Admin\AppData\Local\Temp\c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
"C:\Users\Admin\AppData\Local\Temp\c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Roaming\gabnnacroic.exe
C:\Users\Admin\AppData\Roaming\gabnnacroic.exe
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1704

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {current} bootems off
3⤵
- Modifies boot configuration data using bcdedit
PID:516

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
3⤵
- Interacts with shadow copies
PID:624

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {current} advancedoptions off
3⤵
- Modifies boot configuration data using bcdedit
PID:1140

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {current} optionsedit off
3⤵
- Modifies boot configuration data using bcdedit
PID:928

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1784

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {current} recoveryenabled off
3⤵
- Modifies boot configuration data using bcdedit
PID:736

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:1476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:556

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
3⤵
- Interacts with shadow copies
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\GABNNA~1.EXE
3⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\C5DCCB~1.EXE
2⤵
- Deletes itself
PID:2020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
21d79a5f0e741333cb77d78a368bd0df

SHA1
26d39adefea9e2f5f18654df3c65e851fa5eae82

SHA256
4100071004e1590bb098323a0e1a357259715224d1ee343913aacaca4dc37d15

SHA512
96b20c1da916590c658575a11886594834c7e7757ee03d20b23d715711b795069419ab560c7a7b0a936baa5ceedac165a920abd77cf8bf65627452a98e3d4201

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\how_recover+gap.html
MD5
19bc53b2e2c4270b34d865aba9bf85cd

SHA1
415658613f394b782d6d7300b8b70237ba3d7def

SHA256
0be92300c1ff95613e5dedad221ed94166e028699f9951f592ca681e1a38f57f

SHA512
0260331d58c4ef18b15a10500cc5bc1678def3298201f8a95f2e658af94111315d7bb3d7422783d7d58a3697d98b4a83b57057e4ed72441b0a880771f51fde9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\how_recover+gap.txt
MD5
d313ea55677ccc777157e300e32642bd

SHA1
e6d37e8c7f2c93083588a42bbbe15b998d4b5727

SHA256
aade73b75788f14901ba75c255ab7bef51ba184ee45504548f9af63f2aea1ed5

SHA512
18f09f8d48b2135004c66994d8015c2f56b52ff4e1890c703d09270c40df8f0338df01fe850491489c92f0461fb2f5bf7688ea285cb92b6268dffafe0c485472

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+gap.html
MD5
19bc53b2e2c4270b34d865aba9bf85cd

SHA1
415658613f394b782d6d7300b8b70237ba3d7def

SHA256
0be92300c1ff95613e5dedad221ed94166e028699f9951f592ca681e1a38f57f

SHA512
0260331d58c4ef18b15a10500cc5bc1678def3298201f8a95f2e658af94111315d7bb3d7422783d7d58a3697d98b4a83b57057e4ed72441b0a880771f51fde9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+gap.txt
MD5
d313ea55677ccc777157e300e32642bd

SHA1
e6d37e8c7f2c93083588a42bbbe15b998d4b5727

SHA256
aade73b75788f14901ba75c255ab7bef51ba184ee45504548f9af63f2aea1ed5

SHA512
18f09f8d48b2135004c66994d8015c2f56b52ff4e1890c703d09270c40df8f0338df01fe850491489c92f0461fb2f5bf7688ea285cb92b6268dffafe0c485472

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\how_recover+gap.html
MD5
19bc53b2e2c4270b34d865aba9bf85cd

SHA1
415658613f394b782d6d7300b8b70237ba3d7def

SHA256
0be92300c1ff95613e5dedad221ed94166e028699f9951f592ca681e1a38f57f

SHA512
0260331d58c4ef18b15a10500cc5bc1678def3298201f8a95f2e658af94111315d7bb3d7422783d7d58a3697d98b4a83b57057e4ed72441b0a880771f51fde9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\how_recover+gap.txt
MD5
d313ea55677ccc777157e300e32642bd

SHA1
e6d37e8c7f2c93083588a42bbbe15b998d4b5727

SHA256
aade73b75788f14901ba75c255ab7bef51ba184ee45504548f9af63f2aea1ed5

SHA512
18f09f8d48b2135004c66994d8015c2f56b52ff4e1890c703d09270c40df8f0338df01fe850491489c92f0461fb2f5bf7688ea285cb92b6268dffafe0c485472

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2HJ5PQ1O.txt
MD5
00129db4dd04e040a48ea45c149f9330

SHA1
8ab4b27548f0754e99262416e00d69acf82a339c

SHA256
6c07155a1fd5a5adde6dbd8e685a9d50ae34a0b097a7e732f81940e377169597

SHA512
6de407c566ab8b21d40b565d80411c886e51b5e319e7c64affc8804e25f907f8c6cb7d321efe1d5079342ce791d7b175df1fb03e838a2443d6064efc12563827

Download Submit
C:\Users\Admin\AppData\Roaming\gabnnacroic.exe
MD5
056fa68a3a2b65e4677f685746283209

SHA1
991f7fa89b13f94a5de106950c14a2f0321069f6

SHA256
c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71

SHA512
cca455cacc8bedb3766762327b3b7e640386d16470a538335f119dda3369a7e1963561ea7a9fd112327a0a5ccbeb464ac2f7ab274fbc968dec159a6270ac2061

Download Submit
C:\Users\Admin\AppData\Roaming\gabnnacroic.exe
MD5
056fa68a3a2b65e4677f685746283209

SHA1
991f7fa89b13f94a5de106950c14a2f0321069f6

SHA256
c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71

SHA512
cca455cacc8bedb3766762327b3b7e640386d16470a538335f119dda3369a7e1963561ea7a9fd112327a0a5ccbeb464ac2f7ab274fbc968dec159a6270ac2061

Download Submit
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.bmp
MD5
96e8f7307ced22a54bac8124a96dc232

SHA1
e0ebab78f98690c623810e024717c59bec35c542

SHA256
e851dd21dc7c05689f47bf69a0864b015ac9ff25d8c21d52c1f694dfede74f02

SHA512
2a312f724eef9d40c59c156dd9fd3d6f7cccfc9e913884cf4dde72a85739b89b5e618d44a95949bb415acb71785aa9509ebb82e89af6a8d19f5526b3a9542986

Download Submit
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
MD5
19bc53b2e2c4270b34d865aba9bf85cd

SHA1
415658613f394b782d6d7300b8b70237ba3d7def

SHA256
0be92300c1ff95613e5dedad221ed94166e028699f9951f592ca681e1a38f57f

SHA512
0260331d58c4ef18b15a10500cc5bc1678def3298201f8a95f2e658af94111315d7bb3d7422783d7d58a3697d98b4a83b57057e4ed72441b0a880771f51fde9a

Download Submit
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
MD5
d313ea55677ccc777157e300e32642bd

SHA1
e6d37e8c7f2c93083588a42bbbe15b998d4b5727

SHA256
aade73b75788f14901ba75c255ab7bef51ba184ee45504548f9af63f2aea1ed5

SHA512
18f09f8d48b2135004c66994d8015c2f56b52ff4e1890c703d09270c40df8f0338df01fe850491489c92f0461fb2f5bf7688ea285cb92b6268dffafe0c485472

Download Submit
\Users\Admin\AppData\Roaming\gabnnacroic.exe
MD5
056fa68a3a2b65e4677f685746283209

SHA1
991f7fa89b13f94a5de106950c14a2f0321069f6

SHA256
c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71

SHA512
cca455cacc8bedb3766762327b3b7e640386d16470a538335f119dda3369a7e1963561ea7a9fd112327a0a5ccbeb464ac2f7ab274fbc968dec159a6270ac2061

Download Submit
memory/516-67-0x0000000000000000-mapping.dmp

Download
memory/556-77-0x0000000000000000-mapping.dmp

Download
memory/624-68-0x0000000000000000-mapping.dmp

Download
memory/736-72-0x0000000000000000-mapping.dmp

Download
memory/928-70-0x0000000000000000-mapping.dmp

Download
memory/1140-69-0x0000000000000000-mapping.dmp

Download
memory/1320-80-0x0000000000000000-mapping.dmp

Download
memory/1476-73-0x0000000000000000-mapping.dmp

Download
memory/1584-84-0x0000000000000000-mapping.dmp

Download
memory/1704-62-0x0000000000000000-mapping.dmp

Download
memory/1732-60-0x0000000075971000-0x0000000075973000-memory.dmp

Filesize
8KB

Download
memory/1784-71-0x0000000000000000-mapping.dmp

Download
memory/1792-75-0x0000000000000000-mapping.dmp

Download
memory/1832-79-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/1832-82-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2020-65-0x0000000000000000-mapping.dmp

Download