Analysis

max time kernel:   273s
max time network:  277s
platform:          windows10_x64
resource:          win10v20210410
submitted:         14/08/2021, 02:17
Static task: static1

Behavioral task: behavioral1
  Sample:   028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample:   028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  Resource: win10v20210410
General

Target: 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
Size:   256KB
MD5:    156ed66fb7257ef1bdd6385c71e5aa83
SHA1:   2d302323eab61e5791ab5ce2c6728e6708743bed
SHA256: 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560
SHA512: c63a679abf8eb64ba4a722df4638249499d8ab9e6a94db5e3d39ab136afbe4cec563ff9698814170b12e55d5616865776273303e99a5b7e8742bc870ae5ebdb4
Malware Config
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Blocklisted process makes network request (6 IoCs)
flow  pid   Process
16    3272  mshta.exe
17    3272  mshta.exe
19    3272  mshta.exe
20    3272  mshta.exe
22    3272  mshta.exe
24    3272  mshta.exe

Executes dropped EXE (1 IoC)
pid   Process
2820  trust.exe

Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
description                   ioc                                        Process
File opened for modification  C:\Users\Admin\Pictures\ReceiveWait.tiff   trust.exe

Deletes itself (1 IoC)
pid   Process
3712  mshta.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description      ioc                                                                                                                                                                  Process
Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce                                                         mshta.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{EE750B8B-8F1F-4FEB-B415-B9B0FDBD4893} = "C:\\Users\\Admin\\AppData\\Local\\trust.exe"   mshta.exe
Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                             trust.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\How to restore files = "mshta.exe \"C:\\Users\\Admin\\How to restore files.hta\""   trust.exe

Drops desktop.ini file(s) (25 IoCs)
description: File opened for modification (all 25 entries); Process: trust.exe (all 25 entries)
ioc
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Public\AccountPictures\desktop.ini

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description        ioc                                                          Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0  trust.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    trust.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid   Process
3276  vssadmin.exe

Kills process with taskkill (1 IoC)
pid   Process
3600  taskkill.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid   Process
3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe  (8 identical entries)
2820  trust.exe  (8 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                 pid   Process
Token: SeBackupPrivilege    3940  vssvc.exe
Token: SeRestorePrivilege   3940  vssvc.exe
Token: SeAuditPrivilege     3940  vssvc.exe
Token: SeDebugPrivilege     3600  taskkill.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
3272  mshta.exe

Suspicious use of WriteProcessMemory (24 IoCs; each row below appears 3 times in the raw log)
description                       pid   Process                                                                   procid_target
PID 3912 wrote to memory of 2820  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe  76
PID 3912 wrote to memory of 3712  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe  77
PID 2820 wrote to memory of 3564  2820  trust.exe                                                                 78
PID 2820 wrote to memory of 3276  2820  trust.exe                                                                 79
PID 2820 wrote to memory of 3272  2820  trust.exe                                                                 88
PID 2820 wrote to memory of 2160  2820  trust.exe                                                                 89
PID 2160 wrote to memory of 3600  2160  cmd.exe                                                                   91
PID 2820 wrote to memory of 1860  2820  trust.exe                                                                 92

Processes
(bracketed number = depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe"
    PID: 3912
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\trust.exe
        Command line: "C:\Users\Admin\AppData\Local\trust.exe" runas
        PID: 2820
        - Executes dropped EXE
        - Modifies extensions of user files
        - Adds Run key to start application
        - Drops desktop.ini file(s)
        - Maps connected drives based on registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\mshta.exe
            Command line: mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{EE750B8B-8F1F-4FEB-B415-B9B0FDBD4893}','C:\\Users\\Admin\\AppData\\Local\\trust.exe');}catch(e){}},10);"
            PID: 3564
            - Adds Run key to start application

        [3] C:\Windows\SysWOW64\vssadmin.exe
            Command line: vssadmin.exe Delete Shadows /All /Quiet
            PID: 3276
            - Interacts with shadow copies

        [3] C:\Windows\SysWOW64\mshta.exe
            Command line: mshta.exe "C:\Users\Admin\How to restore files.hta"
            PID: 3272
            - Blocklisted process makes network request
            - Suspicious use of FindShellTrayWindow

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /C taskkill /PID 3564 /F
            PID: 2160
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /PID 3564 /F
                PID: 3600
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\mshta.exe
            Command line: mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\trust.exe');close()}catch(e){}},10);"
            PID: 1860

    [2] C:\Windows\SysWOW64\mshta.exe
        Command line: mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\Temp\\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe');close()}catch(e){}},10);"
        PID: 3712
        - Deletes itself

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 3940
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 1824

[1] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\How to restore files.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID: 1860