Analysis
- max time kernel: 70s
- max time network: 155s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 12:57
Static task: static1
Behavioral task: behavioral1
- Sample: 2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c.sample.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c.sample.exe
- Resource: win10v20210410
General
- Target: 2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c.sample.exe
- Size: 191KB
- MD5: 965d3b5a69778fb98336811099866921
- SHA1: 34293ddd9c4f8b2239e288bf7c3680743bc23eb3
- SHA256: 2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c
- SHA512: ff8f648702d53716bbf4d40f1e3097a288e0665614543fb21fca942bd12c6105023d9bddb99761b11ae2b4ec3257258be2ae995487225cdcd49955255d651b24
Malware Config
Extracted from \??\c:\_R_E_A_D___T_H_I_S___7DI7G_.txt
- Family: cerber
- http://xpcx6erilkjced3j.onion/9A18-3140-AE1D-0006-4CFE
- http://xpcx6erilkjced3j.tor2web.org/9A18-3140-AE1D-0006-4CFE
- http://xpcx6erilkjced3j.onion.link/9A18-3140-AE1D-0006-4CFE
- http://xpcx6erilkjced3j.onion.nu/9A18-3140-AE1D-0006-4CFE
- http://xpcx6erilkjced3j.onion.cab/9A18-3140-AE1D-0006-4CFE
- http://xpcx6erilkjced3j.onion.to/9A18-3140-AE1D-0006-4CFE
Extracted from C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___6S47TM9_.hta
- http://xpcx6erilkjced3j.tor2web.org/9A18-3140-AE1D-0006-4CFE
- http://xpcx6erilkjced3j.onion.link/9A18-3140-AE1D-0006-4CFE
- http://xpcx6erilkjced3j.onion.nu/9A18-3140-AE1D-0006-4CFE
- http://xpcx6erilkjced3j.onion.cab/9A18-3140-AE1D-0006-4CFE
- http://xpcx6erilkjced3j.onion.to/9A18-3140-AE1D-0006-4CFE
- http://xpcx6erilkjced3j.onion/9A18-3140-AE1D-0006-4CFE
- https://www.baidu.com
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- suricata: ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup
- suricata: ET MALWARE Ransomware/Cerber Checkin M3 (10)
- Blocklisted process makes network request (7 IoCs)
  Processes: mshta.exe
  flow 2182, pid 936, mshta.exe
  flow 2185, pid 936, mshta.exe
  flow 2187, pid 936, mshta.exe
  flow 2189, pid 936, mshta.exe
  flow 2191, pid 936, mshta.exe
  flow 2193, pid 936, mshta.exe
  flow 2195, pid 936, mshta.exe
- Modifies Windows Firewall (1 TTPs)
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c.sample.exe
- Drops file in System32 directory (38 IoCs)
  Processes: 2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c.sample.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: 2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c.sample.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp341B.bmp"
- Drops file in Program Files directory (20 IoCs)
  Processes: 2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c.sample.exe
- Drops file in Windows directory (64 IoCs)
  Processes: 2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c.sample.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
  pid 928, taskkill.exe
- Modifies Internet Explorer settings
  Processes: mshta.exe
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Modifies system certificate store
  Processes: mshta.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C (mshta.exe)
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob (mshta.exe; the hex-encoded blob decodes to the GlobalSign Root CA certificate)
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE
  pid 1072, NOTEPAD.EXE
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c.sample.exe, taskkill.exe
  Token: SeShutdownPrivilege, pid 1924, 2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c.sample.exe
  Token: SeDebugPrivilege, pid 928, taskkill.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: 2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c.sample.exe, cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c.sample.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2f72425b28c03245758d9778b9f637ac981f1ec3df591162f69949c466bfb19c.sample.exe"
  depth: 1
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    command line: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
    depth: 2
  - C:\Windows\SysWOW64\netsh.exe
    command line: C:\Windows\system32\netsh.exe advfirewall reset
    depth: 2
  - C:\Windows\SysWOW64\mshta.exe
    command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___6S47TM9_.hta"
    depth: 2
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Modifies system certificate store
  - C:\Windows\SysWOW64\NOTEPAD.EXE
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___UEERED1Y_.txt
    depth: 2
    - Opens file in notepad (likely ransom note)
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "2" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
    depth: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im "2"
      depth: 3
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping -n 1 127.0.0.1
      depth: 3
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___6S47TM9_.hta
MD5 a440a5cb1d98d4364674353990cff126
SHA1 d111e08cbe08c072d3286ee856ac548b5f5eb890
SHA256 01f22f5adb3fb4682ca1b53a44c573820ce9f338dbb0a686096b8264553c131d
SHA512 daf063233ea60bbc4c347e5dfee52094b00f4736bdbfe6644bf66bb8ff42c7300e2393fab0722d1777a6a27194c6759b36d3e7338e8ea642bf7231eb778854ee
-
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___UEERED1Y_.txt
MD5 45b94d1f21ac451512054a185cd073e9
SHA1 479a0b4b31ce189969b7ee2ac4404389b2666149
SHA256 fce311335c13f59cbe408300f473820698da86b010c801175fe6ee0806855822
SHA512 d756427f0019b528216d2969f9eb1ec2e328655a2a9b28fe4477f36b9d0d868635cb42dd9e863ce330ac0781973c2615020d0b7391b5ade07a41af5bd741197e
-
memory/772-61-0x0000000000000000-mapping.dmp
-
memory/880-68-0x0000000000000000-mapping.dmp
-
memory/928-69-0x0000000000000000-mapping.dmp
-
memory/936-65-0x0000000000000000-mapping.dmp
-
memory/1072-66-0x0000000000000000-mapping.dmp
-
memory/1632-63-0x0000000000000000-mapping.dmp
-
memory/1780-71-0x0000000000000000-mapping.dmp
-
memory/1924-60-0x00000000760B1000-0x00000000760B3000-memory.dmp
Filesize 8KB