Analysis
  max time kernel: 107s
  max time network: 153s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 26-07-2021 12:42
Static task: static1
Behavioral task: behavioral1
  Sample: 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
  Resource: win10v20210410
General
  Target: 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
  Size: 1.1MB
  MD5: c834c0e071ba81c16ec8093233a268c9
  SHA1: a881b1a82d03353a5c843c0bf12982234d7ce3b8
  SHA256: 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a
  SHA512: c4d8816b7d207c615c5ed6aee23d7adf347b71963e6e5286f689812853e1f9dedaa1389b655bb2a663d64fc6acea361a4192066760f26dba2371ab89bad2c66b
Malware Config
Extracted from (identical contents in all ten ransom notes):
  C:\README1.txt
  C:\README2.txt
  C:\README3.txt
  C:\README4.txt
  C:\README5.txt
  C:\README6.txt
  C:\README7.txt
  C:\README8.txt
  C:\README9.txt
  C:\README10.txt
Contact / payment indicators in each note:
  pilotpilot088@gmail.com
  http://cryptsen7fo43rr6.onion/
  http://cryptsen7fo43rr6.onion.to/
  http://cryptsen7fo43rr6.onion.cab/
Signatures

Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies Installed Components in the registry (2 TTPs)

Processes:
  resource | yara_rule
  behavioral2/memory/2112-115-0x0000000000400000-0x0000000000608000-memory.dmp | upx
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  30 | whatismyipaddress.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\3ED4B9443ED4B944.bmp" | 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
Drops file in Program Files directory (64 IoCs)
Processes:
  All 64 entries have description "File opened for modification" and process 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe; the ioc (file path) for each is:
  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\SkypeMedTile.scale-100_contrast-white.png
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-125.png
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\PREVIEW.GIF
  C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated.png
  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-40.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\highfive.png
  C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-400.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-100_contrast-white.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ge_60x42.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\sadsmile.png
  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailWideTile.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\Icons\jit_moments.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\moji_mask.contrast-standard.png
  C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-white.png
  C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt
  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-125.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\spider_menu_icon.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_1s.png
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\THMBNAIL.PNG
  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png
  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated_contrast-white.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-400.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-125.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1250_20x20x32.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\dcFireworks_E.wav
  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-150_contrast-white.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cd_60x42.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Calling.m4a
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_1c.png
  C:\Program Files\7-Zip\Lang\lt.txt
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_background.jpg
  C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\PlaneCutKeepBoth.scale-180.png
  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png
  C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\SmallTile.scale-200.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-30_altform-unplated.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-125.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5372_40x40x32.png
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl
  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-unplated.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sj_60x42.png
  C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleSplashScreen.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\179.png
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200_contrast-high.png
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\TIME.XML
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\lv_60x42.png
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-125.png
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml
  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-100_contrast-black.png
  C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_altform-unplated_contrast-white.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconEditMoment.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\tripeaks_menu_icon.png
  C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\mobile\en-GB\doc_offline_getconnected.xml
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBLR6.CHM
  C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60.png
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-100.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-100.png
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
Processes:
  pid | pid_target | process | target process
  3476 | 2996 | WerFault.exe | (not recorded)
  1504 | 272 | WerFault.exe | explorer.exe

Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  1008 | vssadmin.exe
  3012 | vssadmin.exe
  2456 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes:
  pid | process | events
  2112 | 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe | 4
  3476 | WerFault.exe | 14
  1504 | WerFault.exe | 14

Suspicious use of AdjustPrivilegeToken (15 IoCs)
Processes:
  description | pid | process
  Token: SeBackupPrivilege | 1904 | vssvc.exe
  Token: SeRestorePrivilege | 1904 | vssvc.exe
  Token: SeAuditPrivilege | 1904 | vssvc.exe
  Token: SeDebugPrivilege | 3476 | WerFault.exe
  Token: SeShutdownPrivilege | 272 | explorer.exe (5 events)
  Token: SeCreatePagefilePrivilege | 272 | explorer.exe (5 events)
  Token: SeDebugPrivilege | 1504 | WerFault.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  pid | process | events
  272 | explorer.exe | 4

Suspicious use of SendNotifyMessage (8 IoCs)
Processes:
  pid | process | events
  272 | explorer.exe | 8

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 2112 wrote to memory of 1008 | 2112 | 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe | vssadmin.exe (2 events)
  PID 2112 wrote to memory of 3012 | 2112 | 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe | vssadmin.exe (2 events)
  PID 2112 wrote to memory of 2456 | 2112 | 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe | vssadmin.exe (2 events)
  PID 2112 wrote to memory of 3780 | 2112 | 04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe | cmd.exe (3 events)
  PID 3780 wrote to memory of 2272 | 3780 | cmd.exe | chcp.com (3 events)
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\04fc679a99973664906080767d37131d0ebb5f1dedcb50b5ebf413990c19b13a.sample.exe"
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      command line: C:\Windows\system32\vssadmin.exe List Shadows
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe
      command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    C:\Windows\system32\vssadmin.exe
      command line: C:\Windows\system32\vssadmin.exe List Shadows
      - Interacts with shadow copies
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\chcp.com
          command line: chcp

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -u -p 2996 -s 7032
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe
  command line: explorer.exe
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
    C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 272 -s 2196
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
  memory/1008-116-0x0000000000000000-mapping.dmp
  memory/2112-114-0x0000000002220000-0x00000000022F5000-memory.dmp (filesize 852KB)
  memory/2112-115-0x0000000000400000-0x0000000000608000-memory.dmp (filesize 2.0MB)
  memory/2272-120-0x0000000000000000-mapping.dmp
  memory/2456-118-0x0000000000000000-mapping.dmp
  memory/3012-117-0x0000000000000000-mapping.dmp
  memory/3780-119-0x0000000000000000-mapping.dmp