targetcompany | 415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3

General

Target

415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
Size

128KB
MD5

af8c28577e447bb43f80cc81c518d146
SHA1

206f2335b0d7e42553bac9841e67b7f3c8e2d645
SHA256

415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3
SHA512

39d7f007a9b439107140382b19a192ce3ec12824eeda71a62dcbfc97afe7e78fff7f203a86a460b7147c629a67f080db4a087284c30ad9933e6db68e81cd624e

Score

10^/10

targetcompany evasion ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\How to decrypt files.txt

Family

targetcompany

Ransom Note

Your personal identifier: DF8NMQN4DLD All files on Hellenic Recovery Recycling Corporation SA network have been encrypted due to insufficient security. The only way to quickly and reliably regain access to your files is to contact us. The price depends on how fast you write to us. In other cases, you risk losing your time and access to data. Usually time is much more valuable than money. In addition, we have ~170 gb of data from your network. We can see your partners and if you don't get in contact, we will let them know that you were the source of the data leak. We are aware of the strictness of the European data protection law (GPRD) and we are sure that you are not interested in publishing it. FAQ Q: How to contact us A: * Download Tor Browser - https://www.torproject.org/ * Open link in Tor Browser http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact * Follow the instructions on the website. Q: What guarantees? A: Before paying, we can decrypt several of your test files. Files should not contain valuable information. Q: Can I decrypt my data for free or through intermediaries? A: Use third party programs and intermediaries at your own risk. Third party software may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam. �

URLs

http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact

Signatures

TargetCompany
Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4044 bcdedit.exe
2932 bcdedit.exe

pid	process
4044	bcdedit.exe
2932	bcdedit.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe

description	ioc	process
File opened (read-only)	\??\E:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\F:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\H:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\I:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\M:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\O:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\P:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\Q:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\T:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\V:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\B:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\G:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\J:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\Y:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\K:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\L:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\R:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\U:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\X:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\Z:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\A:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\N:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\S:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened (read-only)	\??\W:	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe

Drops file in Program Files directory 64 IoCs

Processes:

415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\How to decrypt files.txt	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\How to decrypt files.txt	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-cn_get.svg	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\How to decrypt files.txt	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyStateCCFiles_280x192.svg	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\How to decrypt files.txt	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\PREVIEW.GIF	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\How to decrypt files.txt	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-1x.png	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\How to decrypt files.txt	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\selector.js	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File created	C:\Program Files\VideoLAN\VLC\lua\How to decrypt files.txt	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover_2x.png	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\How to decrypt files.txt	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-gb\ui-strings.js	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\How to decrypt files.txt	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\How to decrypt files.txt	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\faf_icons.png	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\nub.png	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\How to decrypt files.txt	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\main.css	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\ui-strings.js	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\ui-strings.js	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-il\ui-strings.js	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fr_135x40.svg	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\ui-strings.js	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-tw_get.svg	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\ui-strings.js	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\ui-strings.js	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nl_135x40.svg	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\PREVIEW.GIF	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-sl\How to decrypt files.txt	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluError_136x136.svg	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\ui-strings.js	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\How to decrypt files.txt	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2164 vssadmin.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2628 PING.EXE

pid	process
2164	vssadmin.exe

pid	process
2628	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe

pid	process
3904	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
3904	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exevssvc.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3904	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
Token: SeDebugPrivilege	3904	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
Token: SeBackupPrivilege	2636	vssvc.exe
Token: SeRestorePrivilege	2636	vssvc.exe
Token: SeAuditPrivilege	2636	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NOTEPAD.EXE

pid process

2696 NOTEPAD.EXE

pid	process
2696	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3904 wrote to memory of 2164	3904	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe	vssadmin.exe
PID 3904 wrote to memory of 2164	3904	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe	vssadmin.exe
PID 3904 wrote to memory of 2388	3904	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe	cmd.exe
PID 3904 wrote to memory of 2388	3904	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe	cmd.exe
PID 3904 wrote to memory of 2516	3904	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe	cmd.exe
PID 3904 wrote to memory of 2516	3904	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe	cmd.exe
PID 2516 wrote to memory of 4044	2516	cmd.exe	bcdedit.exe
PID 2516 wrote to memory of 4044	2516	cmd.exe	bcdedit.exe
PID 2388 wrote to memory of 2932	2388	cmd.exe	bcdedit.exe
PID 2388 wrote to memory of 2932	2388	cmd.exe	bcdedit.exe
PID 3904 wrote to memory of 1200	3904	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe	cmd.exe
PID 3904 wrote to memory of 1200	3904	415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe	cmd.exe
PID 1200 wrote to memory of 2628	1200	cmd.exe	PING.EXE
PID 1200 wrote to memory of 2628	1200	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe
"C:\Users\Admin\AppData\Local\Temp\415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2164
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4044
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\415321444d2ab732e84ff7acb4739e09827ee2fcc748d0fa1d7504bae1d133a3.exe" >> NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\How to decrypt files.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:2696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\How to decrypt files.txt

MD5
3ad61e4ee64fa9f5413ba46c81b153ad

SHA1
95dbf962c09660850fb03d44aacde1dbe418d978

SHA256
b5a32ef84f1c554a41bde2114c3965228b789178a7ebf87b5e54fd800bfdff77

SHA512
f22a6effa7f30ff8ea0a93f60d74dd58d6fbcf4765a65dfef4cf39ab79b52baba682ca954176fb56a55cae7210606194232785ecf501f3e3b59d92640eec0fa5

Download Submit
memory/1200-120-0x0000000000000000-mapping.dmp

Download
memory/2164-114-0x0000000000000000-mapping.dmp

Download
memory/2388-115-0x0000000000000000-mapping.dmp

Download
memory/2516-116-0x0000000000000000-mapping.dmp

Download
memory/2628-121-0x0000000000000000-mapping.dmp

Download
memory/2932-118-0x0000000000000000-mapping.dmp

Download
memory/4044-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads