c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71

Analysis

max time kernel
115s
max time network
149s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
Size

252KB
MD5

056fa68a3a2b65e4677f685746283209
SHA1

991f7fa89b13f94a5de106950c14a2f0321069f6
SHA256

c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71
SHA512

cca455cacc8bedb3766762327b3b7e640386d16470a538335f119dda3369a7e1963561ea7a9fd112327a0a5ccbeb464ac2f7ab274fbc968dec159a6270ac2061

Score

10^/10

evasion persistence ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\how_recover+fch.txt

Ransom Note

111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 How did this happen ? ---Specially for your PC was generated personal RSA-4096 KEY, both public and private. ---ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://vr6g2curb2kcidou.encpayment23.com/AC80C2916097D79 2. http://vr6g2curb2kcidou.expay34.com/AC80C2916097D79 3. http://psbc532jm8c.hsh73cu37n1.net/AC80C2916097D79 4. https://vr6g2curb2kcidou.onion.to/AC80C2916097D79 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: vr6g2curb2kcidou.onion/AC80C2916097D79 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://vr6g2curb2kcidou.encpayment23.com/AC80C2916097D79 http://vr6g2curb2kcidou.expay34.com/AC80C2916097D79 http://psbc532jm8c.hsh73cu37n1.net/AC80C2916097D79 https://vr6g2curb2kcidou.onion.to/AC80C2916097D79 Your personal page (using TOR-Browser): vr6g2curb2kcidou.onion/AC80C2916097D79 Your personal identification number (if you open the site (or TOR-Browser's) directly): AC80C2916097D79 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

URLs

http://vr6g2curb2kcidou.encpayment23.com/AC80C2916097D79

http://vr6g2curb2kcidou.expay34.com/AC80C2916097D79

http://psbc532jm8c.hsh73cu37n1.net/AC80C2916097D79

https://vr6g2curb2kcidou.onion.to/AC80C2916097D79

http://vr6g2curb2kcidou.onion/AC80C2916097D79

Extracted

Path

C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html

Ransom Note

NOT YOUR LANGUAGE? USE Google Translate What happened to your files? protected by a strong encryption with RSA-4096 More information about the encryption RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) does this mean? means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our Secret Server!!! * do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really need your data, then we suggest you do not waste valuable time searching for other solutions becausen they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1.http://vr6g2curb2kcidou.encpayment23.com/AC80C2916097D79 2.http://vr6g2curb2kcidou.expay34.com/AC80C2916097D79 3.http://psbc532jm8c.hsh73cu37n1.net/AC80C2916097D79 4.https://vr6g2curb2kcidou.onion.to/AC80C2916097D79 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the tor-browser address bar: vr6g2curb2kcidou.onion/AC80C2916097D79 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your Personal PAGES: http://vr6g2curb2kcidou.encpayment23.com/AC80C2916097D79 http://vr6g2curb2kcidou.expay34.com/AC80C2916097D79 http://psbc532jm8c.hsh73cu37n1.net/AC80C2916097D79 https://vr6g2curb2kcidou.onion.to/AC80C2916097D79 Your Personal PAGES (using TOR-Browser): vr6g2curb2kcidou.onion/AC80C2916097D79 Your personal code (if you open the site (or TOR-Browser's) directly):

URLs

http://vr6g2curb2kcidou.onion/AC80C2916097D79

http://vr6g2curb2kcidou.encpayment23.com/AC80C2916097D79

http://vr6g2curb2kcidou.expay34.com/AC80C2916097D79

http://psbc532jm8c.hsh73cu37n1.net/AC80C2916097D79

https://vr6g2curb2kcidou.onion.to/AC80C2916097D79

Signatures

suricata: ET MALWARE AlphaCrypt CnC Beacon 5
suricata
suricata: ET MALWARE AlphaCrypt CnC Beacon 6
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

188 bcdedit.exe
2108 bcdedit.exe
3900 bcdedit.exe
3052 bcdedit.exe
4040 bcdedit.exe
Executes dropped EXE 1 IoCs

Processes:

qruajacroic.exe

pid process

2776 qruajacroic.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

qruajacroic.exe

description ioc process

File renamed C:\Users\Admin\Pictures\JoinDisconnect.raw => C:\Users\Admin\Pictures\JoinDisconnect.raw.vvv qruajacroic.exe

pid	process
188	bcdedit.exe
2108	bcdedit.exe
3900	bcdedit.exe
3052	bcdedit.exe
4040	bcdedit.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\JoinDisconnect.raw => C:\Users\Admin\Pictures\JoinDisconnect.raw.vvv	qruajacroic.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

qruajacroic.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	qruajacroic.exe

Drops startup file 4 IoCs

Processes:

qruajacroic.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+fch.txt	qruajacroic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+fch.txt	qruajacroic.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

qruajacroic.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	qruajacroic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\qruajacroic.exe"	qruajacroic.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 myexternalip.com
14 myexternalip.com

flow	ioc
12	myexternalip.com
14	myexternalip.com

Drops file in Program Files directory 64 IoCs

Processes:

qruajacroic.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\leave02.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-unplated.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-125.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-80_altform-unplated.png	qruajacroic.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\aquarium_11h.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bt_16x11.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gd_16x11.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\MedTile.scale-200.png	qruajacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\THMBNAIL.PNG	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Icon.targetsize-48.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\_Resources\how_recover+fch.txt	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\dk_16x11.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\AppCS\Assets\how_recover+fch.txt	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-20_altform-unplated.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\how_recover+fch.txt	qruajacroic.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\BooleanMerge.scale-100.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-fullcolor.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2_48x48x32.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-20_altform-unplated.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe\how_recover+fch.txt	qruajacroic.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreSmallTile.scale-100.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-64.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-250.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-200_contrast-white.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\MedTile.scale-200.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Chevron.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\Buttons\Menu\Menu-over.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\GameModeKlondike.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-400.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsWideTile.scale-100.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-black\Movie-TVStoreLogo.scale-200_contrast-black.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\how_recover+fch.txt	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\AppxMetadata\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tr_16x11.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-unplated_contrast-white.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\LargeTile.scale-125.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png	qruajacroic.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	qruajacroic.exe
File opened for modification	C:\Program Files\Windows Media Player\Icons\how_recover+fch.txt	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1851_24x24x32.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-150.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\how_recover+fch.txt	qruajacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\how_recover+fch.txt	qruajacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-20.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Animation\how_recover+fch.txt	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Strive_for_Perfection_.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\sweating.png	qruajacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png	qruajacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-unplated_contrast-white.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GameEnd\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleWideTile.scale-125.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40.png	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\how_recover+fch.html	qruajacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.Telemetry\how_recover+fch.html	qruajacroic.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2896 vssadmin.exe
2936 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

pid	process
2896	vssadmin.exe
2936	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "600"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3580 NOTEPAD.EXE

pid	process
3580	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

qruajacroic.exe

pid	process
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe
2776	qruajacroic.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4188 MicrosoftEdgeCP.exe

pid	process
4188	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exeqruajacroic.exevssvc.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	3892	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
Token: SeDebugPrivilege	2776	qruajacroic.exe
Token: SeBackupPrivilege	3760	vssvc.exe
Token: SeRestorePrivilege	3760	vssvc.exe
Token: SeAuditPrivilege	3760	vssvc.exe
Token: SeDebugPrivilege	252	MicrosoftEdge.exe
Token: SeDebugPrivilege	252	MicrosoftEdge.exe
Token: SeDebugPrivilege	252	MicrosoftEdge.exe
Token: SeDebugPrivilege	252	MicrosoftEdge.exe
Token: SeDebugPrivilege	4260	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4260	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4260	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4260	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	252	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

252 MicrosoftEdge.exe
4188 MicrosoftEdgeCP.exe
4188 MicrosoftEdgeCP.exe

pid	process
252	MicrosoftEdge.exe
4188	MicrosoftEdgeCP.exe
4188	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exeqruajacroic.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 3892 wrote to memory of 2776	3892	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	qruajacroic.exe
PID 3892 wrote to memory of 2776	3892	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	qruajacroic.exe
PID 3892 wrote to memory of 2776	3892	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	qruajacroic.exe
PID 3892 wrote to memory of 4040	3892	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	cmd.exe
PID 3892 wrote to memory of 4040	3892	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	cmd.exe
PID 3892 wrote to memory of 4040	3892	c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe	cmd.exe
PID 2776 wrote to memory of 188	2776	qruajacroic.exe	bcdedit.exe
PID 2776 wrote to memory of 188	2776	qruajacroic.exe	bcdedit.exe
PID 2776 wrote to memory of 2896	2776	qruajacroic.exe	vssadmin.exe
PID 2776 wrote to memory of 2896	2776	qruajacroic.exe	vssadmin.exe
PID 2776 wrote to memory of 2108	2776	qruajacroic.exe	bcdedit.exe
PID 2776 wrote to memory of 2108	2776	qruajacroic.exe	bcdedit.exe
PID 2776 wrote to memory of 3900	2776	qruajacroic.exe	bcdedit.exe
PID 2776 wrote to memory of 3900	2776	qruajacroic.exe	bcdedit.exe
PID 2776 wrote to memory of 3052	2776	qruajacroic.exe	bcdedit.exe
PID 2776 wrote to memory of 3052	2776	qruajacroic.exe	bcdedit.exe
PID 2776 wrote to memory of 4040	2776	qruajacroic.exe	bcdedit.exe
PID 2776 wrote to memory of 4040	2776	qruajacroic.exe	bcdedit.exe
PID 2776 wrote to memory of 3580	2776	qruajacroic.exe	NOTEPAD.EXE
PID 2776 wrote to memory of 3580	2776	qruajacroic.exe	NOTEPAD.EXE
PID 2776 wrote to memory of 3580	2776	qruajacroic.exe	NOTEPAD.EXE
PID 2776 wrote to memory of 2936	2776	qruajacroic.exe	vssadmin.exe
PID 2776 wrote to memory of 2936	2776	qruajacroic.exe	vssadmin.exe
PID 4188 wrote to memory of 4260	4188	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4188 wrote to memory of 4260	4188	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4188 wrote to memory of 4260	4188	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4188 wrote to memory of 4260	4188	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4188 wrote to memory of 4260	4188	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4188 wrote to memory of 4260	4188	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2776 wrote to memory of 4492	2776	qruajacroic.exe	cmd.exe
PID 2776 wrote to memory of 4492	2776	qruajacroic.exe	cmd.exe
PID 2776 wrote to memory of 4492	2776	qruajacroic.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

qruajacroic.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	qruajacroic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	qruajacroic.exe

C:\Users\Admin\AppData\Local\Temp\c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
"C:\Users\Admin\AppData\Local\Temp\c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Users\Admin\AppData\Roaming\qruajacroic.exe
C:\Users\Admin\AppData\Roaming\qruajacroic.exe
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2776

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} bootems off
3⤵
- Modifies boot configuration data using bcdedit
PID:188

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
3⤵
- Interacts with shadow copies
PID:2896

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} advancedoptions off
3⤵
- Modifies boot configuration data using bcdedit
PID:2108

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} optionsedit off
3⤵
- Modifies boot configuration data using bcdedit
PID:3900

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
3⤵
- Modifies boot configuration data using bcdedit
PID:3052

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} recoveryenabled off
3⤵
- Modifies boot configuration data using bcdedit
PID:4040

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:3580

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
3⤵
- Interacts with shadow copies
PID:2936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\QRUAJA~1.EXE
3⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\C5DCCB~1.EXE
2⤵
PID:4040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:252

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2280

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\qruajacroic.exe
MD5
056fa68a3a2b65e4677f685746283209

SHA1
991f7fa89b13f94a5de106950c14a2f0321069f6

SHA256
c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71

SHA512
cca455cacc8bedb3766762327b3b7e640386d16470a538335f119dda3369a7e1963561ea7a9fd112327a0a5ccbeb464ac2f7ab274fbc968dec159a6270ac2061

Download Submit
C:\Users\Admin\AppData\Roaming\qruajacroic.exe
MD5
056fa68a3a2b65e4677f685746283209

SHA1
991f7fa89b13f94a5de106950c14a2f0321069f6

SHA256
c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71

SHA512
cca455cacc8bedb3766762327b3b7e640386d16470a538335f119dda3369a7e1963561ea7a9fd112327a0a5ccbeb464ac2f7ab274fbc968dec159a6270ac2061

Download Submit
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
MD5
5bc1c2bd0995d7d899e1e0b54bcb65cd

SHA1
abf4fd44146f1315f86cceb3b3d7183852d4c203

SHA256
b50e7303c6318202f7fc216b868d357abbe460d6c23d9a33ea4b423c48d1f76c

SHA512
3ea038e706a0b98baa35e80f0cd4ba3741a52dffed38d83ddcc04c3b3d45437e5d1a15a3e8cf99af9f63772e58f0efc8bdaa4adb76935b99c0215fdbca5e7830

Download Submit
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
MD5
d698b9f70791a803090a61820e101f50

SHA1
3c7f66b99924fc7d777417d965e72cff73a0e8c7

SHA256
f9495222ee318a10c404044bf73dcae8a8c91503daafd8fe1b4fa85daa51a724

SHA512
005242eb67a8188a762c1cd6a4a2eaae15aafad9aca0176c90a774b2dcb036874a3760cb6214f347bb152365a5b3bb9f8d52cc0fd3b5e7b4e28cbe1fa5a56396

Download Submit
memory/188-118-0x0000000000000000-mapping.dmp

Download
memory/2108-120-0x0000000000000000-mapping.dmp

Download
memory/2776-114-0x0000000000000000-mapping.dmp

Download
memory/2896-119-0x0000000000000000-mapping.dmp

Download
memory/2936-127-0x0000000000000000-mapping.dmp

Download
memory/3052-122-0x0000000000000000-mapping.dmp

Download
memory/3580-124-0x0000000000000000-mapping.dmp

Download
memory/3900-121-0x0000000000000000-mapping.dmp

Download
memory/4040-117-0x0000000000000000-mapping.dmp

Download
memory/4040-123-0x0000000000000000-mapping.dmp

Download
memory/4492-129-0x0000000000000000-mapping.dmp

Download