028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560

General

Target

028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
Size

256KB
MD5

156ed66fb7257ef1bdd6385c71e5aa83
SHA1

2d302323eab61e5791ab5ce2c6728e6708743bed
SHA256

028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560
SHA512

c63a679abf8eb64ba4a722df4638249499d8ab9e6a94db5e3d39ab136afbe4cec563ff9698814170b12e55d5616865776273303e99a5b7e8742bc870ae5ebdb4

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Blocklisted process makes network request 6 IoCs

Processes:

mshta.exe

flow pid process

16 3272 mshta.exe
17 3272 mshta.exe
19 3272 mshta.exe
20 3272 mshta.exe
22 3272 mshta.exe
24 3272 mshta.exe
Executes dropped EXE 1 IoCs

Processes:

trust.exe

pid process

2820 trust.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

trust.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\ReceiveWait.tiff trust.exe
Deletes itself 1 IoCs

Processes:

mshta.exe

pid process

3712 mshta.exe

flow	pid	process
16	3272	mshta.exe
17	3272	mshta.exe
19	3272	mshta.exe
20	3272	mshta.exe
22	3272	mshta.exe
24	3272	mshta.exe

pid	process
2820	trust.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ReceiveWait.tiff	trust.exe

pid	process
3712	mshta.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exetrust.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{EE750B8B-8F1F-4FEB-B415-B9B0FDBD4893} = "C:\\Users\\Admin\\AppData\\Local\\trust.exe"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	trust.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\How to restore files = "mshta.exe \"C:\\Users\\Admin\\How to restore files.hta\""	trust.exe

Drops desktop.ini file(s) 25 IoCs

Processes:

trust.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	trust.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	trust.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	trust.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	trust.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

trust.exe028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	trust.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	trust.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3276 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3600 taskkill.exe

pid	process
3276	vssadmin.exe

pid	process
3600	taskkill.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exetrust.exe

pid	process
3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
2820	trust.exe
2820	trust.exe
2820	trust.exe
2820	trust.exe
2820	trust.exe
2820	trust.exe
2820	trust.exe
2820	trust.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vssvc.exetaskkill.exe

description	pid	process
Token: SeBackupPrivilege	3940	vssvc.exe
Token: SeRestorePrivilege	3940	vssvc.exe
Token: SeAuditPrivilege	3940	vssvc.exe
Token: SeDebugPrivilege	3600	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

mshta.exe

pid process

3272 mshta.exe

pid	process
3272	mshta.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exetrust.execmd.exe

description	pid	process	target process
PID 3912 wrote to memory of 2820	3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	trust.exe
PID 3912 wrote to memory of 2820	3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	trust.exe
PID 3912 wrote to memory of 2820	3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	trust.exe
PID 3912 wrote to memory of 3712	3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	mshta.exe
PID 3912 wrote to memory of 3712	3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	mshta.exe
PID 3912 wrote to memory of 3712	3912	028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe	mshta.exe
PID 2820 wrote to memory of 3564	2820	trust.exe	mshta.exe
PID 2820 wrote to memory of 3564	2820	trust.exe	mshta.exe
PID 2820 wrote to memory of 3564	2820	trust.exe	mshta.exe
PID 2820 wrote to memory of 3276	2820	trust.exe	vssadmin.exe
PID 2820 wrote to memory of 3276	2820	trust.exe	vssadmin.exe
PID 2820 wrote to memory of 3276	2820	trust.exe	vssadmin.exe
PID 2820 wrote to memory of 3272	2820	trust.exe	mshta.exe
PID 2820 wrote to memory of 3272	2820	trust.exe	mshta.exe
PID 2820 wrote to memory of 3272	2820	trust.exe	mshta.exe
PID 2820 wrote to memory of 2160	2820	trust.exe	cmd.exe
PID 2820 wrote to memory of 2160	2820	trust.exe	cmd.exe
PID 2820 wrote to memory of 2160	2820	trust.exe	cmd.exe
PID 2160 wrote to memory of 3600	2160	cmd.exe	taskkill.exe
PID 2160 wrote to memory of 3600	2160	cmd.exe	taskkill.exe
PID 2160 wrote to memory of 3600	2160	cmd.exe	taskkill.exe
PID 2820 wrote to memory of 1860	2820	trust.exe	mshta.exe
PID 2820 wrote to memory of 1860	2820	trust.exe	mshta.exe
PID 2820 wrote to memory of 1860	2820	trust.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
"C:\Users\Admin\AppData\Local\Temp\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe"
1⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3912

C:\Users\Admin\AppData\Local\trust.exe
"C:\Users\Admin\AppData\Local\trust.exe" runas
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\mshta.exe
mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{EE750B8B-8F1F-4FEB-B415-B9B0FDBD4893}','C:\\Users\\Admin\\AppData\\Local\\trust.exe');}catch(e){}},10);"
3⤵
- Adds Run key to start application
PID:3564

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:3276

C:\Windows\SysWOW64\mshta.exe
mshta.exe "C:\Users\Admin\How to restore files.hta"
3⤵
- Blocklisted process makes network request
- Suspicious use of FindShellTrayWindow
PID:3272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C taskkill /PID 3564 /F
3⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\taskkill.exe
taskkill /PID 3564 /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\SysWOW64\mshta.exe
mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\trust.exe');close()}catch(e){}},10);"
3⤵
PID:1860

C:\Windows\SysWOW64\mshta.exe
mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\Temp\\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe');close()}catch(e){}},10);"
2⤵
- Deletes itself
PID:3712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1824

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\How to restore files.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:1860

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini
MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5TQ9Z63L\4iCs6KVjbNBYlgoKfw7y[1].eot
MD5
03c831f7b9cdf705e0565484d568b6f6

SHA1
b738b697d55aee78d144a23697eba4fd03571e93

SHA256
11ceefbbdf2a7c3bc8a16cd7d95605849711b2490b36ebec89c4ae13dfe2d1dc

SHA512
f69a97b2f5ce7053596c7349a71fb68d0f7c69c361da8604fad0177b413bb197ef4fa5f0afd0b50befe90b07e19d41d3be7f520334987a7f08c367c64cad5532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GDGLHSEM\css[1].css
MD5
5dac57c84854eda4cd49c0ab5e7b289c

SHA1
d61afb9b10e8925ecef2b99afb9d61b691fe99f6

SHA256
eeca6edb7ddb9bc96001f753a26805454e1f2d24b6ab424200eb99f2a0de17e9

SHA512
63187ba234b662e2950a4240c4a99b442a3d5cac9602fbf3e31012e060aa279648c5e8bb581625ad178bc0aa963318205f0aa71415fa12937b3518265956c77c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U0EJMF7X\css[1].css
MD5
1149800c6e7b84abe6184f1cf50a36c4

SHA1
e692eef86c038a84196f4bec2312764c25f60dfb

SHA256
4e32d3003986ad22118a79ec9bb5b878a2b3c8c4cacb12b8297be6c52bb7e2ff

SHA512
c5e2610a76965b370441f827c6e9f0c075b9eeefd9d9442c48c0deac1e3cb6195a5c75234f1d9db1cef4b9bbb06764f66dc322976468f61cd5660277f72d964a

Download Submit
C:\Users\Admin\AppData\Local\trust.exe
MD5
156ed66fb7257ef1bdd6385c71e5aa83

SHA1
2d302323eab61e5791ab5ce2c6728e6708743bed

SHA256
028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560

SHA512
c63a679abf8eb64ba4a722df4638249499d8ab9e6a94db5e3d39ab136afbe4cec563ff9698814170b12e55d5616865776273303e99a5b7e8742bc870ae5ebdb4

Download Submit
C:\Users\Admin\AppData\Local\trust.exe
MD5
156ed66fb7257ef1bdd6385c71e5aa83

SHA1
2d302323eab61e5791ab5ce2c6728e6708743bed

SHA256
028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560

SHA512
c63a679abf8eb64ba4a722df4638249499d8ab9e6a94db5e3d39ab136afbe4cec563ff9698814170b12e55d5616865776273303e99a5b7e8742bc870ae5ebdb4

Download Submit
C:\Users\Admin\Desktop\How to restore files.hta
MD5
baea36a6937c0186f2011df9f9604b54

SHA1
f56e99f8e839c5a372637d9115817e634c18c58e

SHA256
4a93edc002924dcdbb19989e0f87b92af800bd33b573073d0cd07386dce56c4c

SHA512
de23509f7e85a40b2a1ba99877cb9c10c10de771f142328f47782174a6da732f442838999cf62e85fbe5bda960eea0d9c0c9ca3f9e56374828690e97f8c6a2a7

Download Submit
C:\Users\Admin\How to restore files.hta
MD5
baea36a6937c0186f2011df9f9604b54

SHA1
f56e99f8e839c5a372637d9115817e634c18c58e

SHA256
4a93edc002924dcdbb19989e0f87b92af800bd33b573073d0cd07386dce56c4c

SHA512
de23509f7e85a40b2a1ba99877cb9c10c10de771f142328f47782174a6da732f442838999cf62e85fbe5bda960eea0d9c0c9ca3f9e56374828690e97f8c6a2a7

Download Submit
memory/1860-125-0x0000000000000000-mapping.dmp

Download
memory/2160-123-0x0000000000000000-mapping.dmp

Download
memory/2820-114-0x0000000000000000-mapping.dmp

Download
memory/3272-121-0x0000000000000000-mapping.dmp

Download
memory/3276-119-0x0000000000000000-mapping.dmp

Download
memory/3564-118-0x0000000000000000-mapping.dmp

Download
memory/3600-124-0x0000000000000000-mapping.dmp

Download
memory/3712-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads