Resubmissions

  Date              ID                 Score
  17-04-2024 14:56  240417-sbg1madb74  10
  17-04-2024 14:56  240417-sbaljsdb64  10
  17-04-2024 14:56  240417-sbaasadb62  10
  17-04-2024 14:56  240417-sa9n9aef2v  10
  17-04-2024 14:56  240417-sa9dgsdb59  10
  06-04-2024 14:44  240406-r4b5eadc29  10
  06-04-2024 14:43  240406-r3xpqadb95  10
  06-04-2024 14:42  240406-r29b5ace9x  10
  06-04-2024 14:41  240406-r2spdace8x  10

Analysis

  max time kernel:   126s
  max time network:  145s
  platform:          windows10_x64
  resource:          win10v20210410
  submitted:         26-07-2021 13:00
  Static task:      static1
  Behavioral task:  behavioral1 (sample 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe, resource win7v20210410)
  Behavioral task:  behavioral2 (sample 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe, resource win10v20210410)
General

  Target:  01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe
  Size:    1.1MB
  MD5:     1fc2e4c5ff5844410fc7b78c6987cddf
  SHA1:    52f676fcbfda7f0929385da963df25eb4638d4a4
  SHA256:  01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38
  SHA512:  31efba9acfe4b4bfab315a8d2d15b1b7a5ef83f26fc5de17ec37044bb6b61269f291ddb9e20ad90f2e91fff5221360b34bcf1e36e447d369e0d5333de42681fe
Malware Config

  Extracted from C:\README1.txt, C:\README2.txt, C:\README3.txt, C:\README4.txt, C:\README5.txt, C:\README6.txt, C:\README7.txt, C:\README8.txt, C:\README9.txt and C:\README10.txt (all ten ransom notes carry the same indicators):
    pilotpilot088@gmail.com
    http://cryptsen7fo43rr6.onion/
    http://cryptsen7fo43rr6.onion.to/
    http://cryptsen7fo43rr6.onion.cab/

  The .onion.to and .onion.cab URLs are Tor2web gateway mirrors of the same hidden service, so the durable network indicator is the single address cryptsen7fo43rr6.onion.
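The ten extracted notes above are one indicator set seen ten times, and two of the three URLs are gateway rewrites of the third. The Python below is an added example, not part of the sandbox report or its tooling: it pulls the e-mail contact and the .onion address out of note text, folds the Tor2web mirrors (.onion.to, .onion.cab) back onto the canonical address, and groups identical notes by content hash. The note wording is constructed; only the e-mail address, the onion address and the README1..README10 paths come from the report.

```python
import hashlib
import re
from typing import Dict, List

# A v2 onion address is 16 base32 chars, a v3 address 56; Tor2web gateways
# expose <addr>.onion as <addr>.onion.<gateway> (e.g. .onion.to, .onion.cab).
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion(?:\.[a-z0-9-]+)*\b", re.I)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_indicators(note: str) -> Dict[str, List[str]]:
    """Return e-mail contacts, canonical .onion addresses and any Tor2web
    gateway mirrors found in a ransom note."""
    onions, mirrors = set(), set()
    for m in ONION_RE.finditer(note):
        canonical = m.group(1).lower() + ".onion"
        onions.add(canonical)
        if m.group(0).lower() != canonical:
            mirrors.add(m.group(0).lower())
    return {
        "emails": sorted(set(EMAIL_RE.findall(note))),
        "onion": sorted(onions),
        "gateway_mirrors": sorted(mirrors),
    }


def group_identical(notes: Dict[str, str]) -> Dict[str, List[str]]:
    """Group note paths by SHA-256 of their content, so ten identical READMEs
    collapse into one indicator set."""
    groups: Dict[str, List[str]] = {}
    for path, text in notes.items():
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        groups.setdefault(digest, []).append(path)
    return groups


# Constructed stand-in for the note text; only the indicators come from the report.
NOTE = (
    "Your files have been encrypted.\n"
    "To get the key, write to pilotpilot088@gmail.com\n"
    "Tor: http://cryptsen7fo43rr6.onion/\n"
    "Without Tor: http://cryptsen7fo43rr6.onion.to/ or http://cryptsen7fo43rr6.onion.cab/\n"
)
# The report lists README1.txt .. README10.txt with identical contents.
NOTES = {f"C:\\README{i}.txt": NOTE for i in range(1, 11)}

if __name__ == "__main__":
    print(extract_indicators(NOTE))
    print({digest[:12]: paths for digest, paths in group_identical(NOTES).items()})
```

The regex anchors on the onion address length rather than on a gateway list, so new gateway suffixes still normalise to the same canonical address; the mirrors are kept separately because they are what actually appears in proxy and DNS logs.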
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess  1 IoC
  Processes:
    description            pid   process       target process
    PID 3004 created 3092  3004  WerFault.exe  explorer.exe
Troldesh, Shade, Encoder.858
  Troldesh (also tracked as Shade and Encoder.858) is ransomware distributed through malspam.
Deletes shadow copies  2 TTPs
  Ransomware often targets backup files to inhibit system recovery.
Modifies Installed Components in the registry  2 TTPs

YARA match (rule: upx) on the main image region of PID 3120
  resource                                                                        yara_rule
  behavioral2/memory/3120-115-0x0000000000400000-0x0000000000608000-memory.dmp    upx
Reads user/profile data of web browsers  2 TTPs
  Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application  2 TTPs 4 IoCs
  Processes: 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe
    Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "C:\ProgramData\Windows\csrss.exe"
    Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "C:\ProgramData\Windows\csrss.exe"
  Both the value name (Client Server Runtime Subsystem) and the file name (csrss.exe) impersonate the legitimate Windows subsystem process, but the binary lives under C:\ProgramData\Windows rather than System32; the HKLM entry lands under WOW6432Node because the writer is a 32-bit process.
Checks installed software on the system  1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service  1 IoC
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    30    whatismyipaddress.com
Sets desktop wallpaper using registry  2 TTPs 1 IoC
  Processes: 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\Users\Admin\AppData\Roaming\7ADB20357ADB2035.bmp"
Drops file in Program Files directory  64 IoCs
  Processes: 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe
  Action: File opened for modification (all 64 entries)
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-200.png
    C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\CoreEngine\Data\OilDaubHeight.png
    C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100.png
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-40.png
    C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-48.png
    C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\my_16x11.png
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6701_20x20x32.png
    C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectAppList.targetsize-24.png
    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as90.xsl
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\MedTile.scale-200.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxAccountsSmallTile.scale-100.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-100.png
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml
    C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36_altform-unplated.png
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ee_60x42.png
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-64_altform-unplated.png
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp2.scale-100.png
    C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\BadgeLogo\PaintApplist.scale-400.png
    C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\FullScreen\FullScreen-up.png
    C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_BadgeLogo.scale-100.png
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\vi_60x42.png
    C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml
    C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\Tiles\Square44x44Logo.targetsize-24_altform-unplated.png
    C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\XboxControl\User_icon-up.png
    C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-16_altform-unplated_contrast-black.png
    C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\HelpIcon_contrast-black.png
    C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png
    C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-64.png
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\itwasntme.png
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png
    C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageMedTile.scale-100.png
    C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\settle.scale-180.png
    C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\6px.png
    C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated.png
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\LargeTile.scale-125.png
    C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosStoreLogo.contrast-white.png
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\co_60x42.png
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\beer.png
    C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\backgroundTile.png
    C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\generic.Messaging.config
    C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\EmbossText.scale-140.png
    C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60_altform-unplated.png
    C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\LargeTile.scale-125.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-400.png
    C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4632_24x24x32.png
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4627_20x20x32.png
    C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.surprise.small.scale-200.png
    C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-100.png
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\highfive.scale-200.png
    C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Square150x150Logo.scale-125.png
    C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100_contrast-black.png
    C:\Program Files\7-Zip\7-zip.chm
    C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png
    C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-125.png
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\doh.png
    C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-200.png
    C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-20_altform-unplated.png
    C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\rofl.png
    C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-60_altform-unplated.png
Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash  3 IoCs
  Processes:
    pid   pid_target  process       target process
    3224  2460        WerFault.exe
    3260  3092        WerFault.exe  explorer.exe
    3004  3092        WerFault.exe  explorer.exe
Interacts with shadow copies  2 TTPs 3 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    1264  vssadmin.exe
    2540  vssadmin.exe
    188   vssadmin.exe
Suspicious behavior: EnumeratesProcesses  46 IoCs
  Processes (pid, process, number of hits):
    3120  01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe  x4
    3224  WerFault.exe  x14
    3260  WerFault.exe  x14
    3004  WerFault.exe  x14
Suspicious use of AdjustPrivilegeToken  16 IoCs
  Processes:
    pid   process       token
    3640  vssvc.exe     SeBackupPrivilege
    3640  vssvc.exe     SeRestorePrivilege
    3640  vssvc.exe     SeAuditPrivilege
    3224  WerFault.exe  SeDebugPrivilege
    3092  explorer.exe  SeShutdownPrivilege  (x5)
    3092  explorer.exe  SeCreatePagefilePrivilege  (x5)
    3260  WerFault.exe  SeDebugPrivilege
    3004  WerFault.exe  SeDebugPrivilege
Suspicious use of FindShellTrayWindow  4 IoCs
  Processes:
    3092  explorer.exe  (x4)

Suspicious use of SendNotifyMessage  8 IoCs
  Processes:
    3092  explorer.exe  (x8)
Suspicious use of WriteProcessMemory  18 IoCs
  Processes:
    pid   process                                                                       target pid  target process
    3120  01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe  1264        vssadmin.exe  (x2)
    3120  01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe  2540        vssadmin.exe  (x2)
    3120  01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe  188         vssadmin.exe  (x2)
    3120  01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe  4012        cmd.exe       (x3)
    4012  cmd.exe                                                                       4024        chcp.com      (x3)
    3120  01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe  3232        cmd.exe       (x3)
    3232  cmd.exe                                                                       188         chcp.com      (x3)
  Every target is a child the writer itself has just spawned (the writes are the normal parent-side set-up of a new process), so this signature reflects process creation here rather than injection into an unrelated process. Note that PID 188 occurs twice in the run: first as a vssadmin.exe child of 3120, later as a chcp.com child of cmd.exe 3232, so the PID was reused; correlate on the dump index (memory/188-118 vs memory/188-123 under Downloads) or a timestamp rather than on the PID alone.
Processes

  C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe  (PID 3120)
    command line: "C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe"
    - Adds Run key to start application
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\vssadmin.exe
        command line: C:\Windows\system32\vssadmin.exe List Shadows
        - Interacts with shadow copies

      C:\Windows\system32\vssadmin.exe
        command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies

      C:\Windows\system32\vssadmin.exe
        command line: C:\Windows\system32\vssadmin.exe List Shadows
        - Interacts with shadow copies

      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\chcp.com
            command line: chcp

      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\chcp.com
            command line: chcp

  C:\Windows\system32\vssvc.exe  (PID 3640)
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\WerFault.exe  (PID 3224)
    command line: C:\Windows\system32\WerFault.exe -u -p 2460 -s 2528
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\explorer.exe  (PID 3092)
    command line: explorer.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

      C:\Windows\system32\WerFault.exe  (PID 3260)
        command line: C:\Windows\system32\WerFault.exe -u -p 3092 -s 2136
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\WerFault.exe  (PID 3004)
        command line: C:\Windows\system32\WerFault.exe -u -p 3092 -s 2116
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  The sample launches cmd.exe by its System32 path but the image that runs is C:\Windows\SysWOW64\cmd.exe: WOW64 file-system redirection applied because the sample is a 32-bit process (consistent with its HKLM Run key landing under WOW6432Node). The List / Delete / List sequence against vssadmin.exe is the shadow-copy wipe that precedes encryption; vssvc.exe acquiring SeBackupPrivilege and SeRestorePrivilege is the Volume Shadow Copy service answering those requests, not sample activity.
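The two findings in this report that carry the most detection value are the vssadmin.exe shadow-copy deletion (ATT&CK T1490, Inhibit System Recovery) and the Run-key persistence whose value name and file name borrow the Client Server Runtime Subsystem (csrss.exe) while the binary sits in C:\ProgramData\Windows. The Python below is an added example, not part of this report or of the sandbox's own code: it runs both checks over a handful of constructed Sysmon-style events. Field names (EventID, Image, ParentImage, CommandLine, TargetObject, Details) follow Sysmon's event schema; the values mirror the command lines, registry paths and image paths shown above, plus two benign events added as noise.

```python
import re
from typing import Dict, Iterable, List, Optional

# Core Windows processes that legitimately run only from the system directories.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Matches both the native and the WOW6432Node Run keys seen in the report.
RUN_KEY_RE = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
# "List Shadows" is benign-looking enumeration; only the deletion is alerted on.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)


def exe_from_run_value(data: str) -> str:
    """Return the executable path from Run-key value data, e.g.
    '"C:\\ProgramData\\Windows\\csrss.exe"' or 'C:\\tool\\x.exe /arg'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:] if end == -1 else data[1:end]
    return data.split(" ", 1)[0]


def check_process_create(ev: Dict) -> Optional[str]:
    """Sysmon EventID 1: vssadmin deleting shadow copies (ATT&CK T1490)."""
    cmd = ev.get("CommandLine", "")
    if SHADOW_DELETE_RE.search(cmd):
        return f"shadow copy deletion: {cmd} (parent: {ev.get('ParentImage', '?')})"
    return None


def check_registry_set(ev: Dict) -> Optional[str]:
    """Sysmon EventID 13: Run-key value whose binary carries a core system
    process name but lives outside System32/SysWOW64 (masquerading)."""
    target = ev.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None
    exe = exe_from_run_value(ev.get("Details", ""))
    low = exe.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
        value_name = target.rsplit("\\", 1)[-1]
        return f"Run key masquerade: value '{value_name}' -> {exe}"
    return None


def scan(events: Iterable[Dict]) -> List[str]:
    """Dispatch each event to the check for its EventID and collect alerts."""
    alerts: List[str] = []
    for ev in events:
        eid = ev.get("EventID")
        hit = None
        if eid == 1:
            hit = check_process_create(ev)
        elif eid == 13:
            hit = check_registry_set(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed events mirroring this report (paths, PIDs' images and registry
# values from the report; the Sysmon-like layout is not the sandbox's output).
SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe")
RUN_VALUE = r"\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem"
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\system32\vssadmin.exe", "ParentImage": SAMPLE_IMAGE,
     "CommandLine": r"C:\Windows\system32\vssadmin.exe List Shadows"},
    {"EventID": 1, "Image": r"C:\Windows\system32\vssadmin.exe", "ParentImage": SAMPLE_IMAGE,
     "CommandLine": r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": r"HKU\S-1-5-21-3686645723-710336880-414668232-1000" + RUN_VALUE,
     "Details": r'"C:\ProgramData\Windows\csrss.exe"'},
    {"EventID": 13, "Image": SAMPLE_IMAGE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
                     r"\Client Server Runtime Subsystem",
     "Details": r'"C:\ProgramData\Windows\csrss.exe"'},
    # Benign noise (constructed): the real csrss.exe start-up and an ordinary Run entry.
    {"EventID": 1, "Image": r"C:\Windows\System32\csrss.exe",
     "ParentImage": r"C:\Windows\System32\smss.exe",
     "CommandLine": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```

Against the constructed events this yields three alerts: the Delete Shadows invocation and the two Run-key writes (HKU and HKLM\WOW6432Node); the List Shadows calls, the genuine csrss.exe and the OneDrive Run entry stay silent. The masquerade check keys on the file name of the value data rather than on the value name, because the value name ("Client Server Runtime Subsystem") is free-form text an attacker can vary at will, while a core system binary name outside System32/SysWOW64 is wrong regardless of what it is called.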
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  C:\Users\Admin\AppData\Local\Temp\WERC18.tmp.appcompat.txt
    MD5:     52b10eaf25e1ca34a7ff271dd92be150
    SHA1:    acf7626a408291381f92d2f4f187911e5c49c618
    SHA256:  4feba2a5052aa21ebca55e408d2a64e78f05cdbfb75aa7e9bd98538091743328
    SHA512:  69e7db859e9429cd9ab0004a125a1f078761dc96b25c32b5f9dc3f9c8ee1fa76def923d457b73c22d9188dfd7e571f132822d01a440e812ed1478915be1d00b0

  memory/188-118-0x0000000000000000-mapping.dmp
  memory/188-123-0x0000000000000000-mapping.dmp
  memory/1264-116-0x0000000000000000-mapping.dmp
  memory/2540-117-0x0000000000000000-mapping.dmp
  memory/3120-114-0x00000000023A0000-0x0000000002475000-memory.dmp  (852KB)
  memory/3120-115-0x0000000000400000-0x0000000000608000-memory.dmp  (2.0MB)
  memory/3232-122-0x0000000000000000-mapping.dmp
  memory/4012-119-0x0000000000000000-mapping.dmp
  memory/4024-120-0x0000000000000000-mapping.dmp