Overview
overview
10Static
static
90f178bc093...35.exe
windows7_x64
100f178bc093...35.exe
windows10_x64
101b109db549...18.exe
windows7_x64
101b109db549...18.exe
windows10_x64
101dbe9f9565...92.exe
windows7_x64
101dbe9f9565...92.exe
windows10_x64
101e3bf358c7...70.exe
windows7_x64
101e3bf358c7...70.exe
windows10_x64
1026b6a9fecf...39.exe
windows7_x64
1026b6a9fecf...39.exe
windows10_x64
10286bffaa9c...3f.exe
windows7_x64
10286bffaa9c...3f.exe
windows10_x64
10410c884d88...77.exe
windows7_x64
10410c884d88...77.exe
windows10_x64
105072678821...db.exe
windows7_x64
105072678821...db.exe
windows10_x64
1069d9dd7fdd...97.exe
windows7_x64
1069d9dd7fdd...97.exe
windows10_x64
1076a77def28...78.exe
windows7_x64
1076a77def28...78.exe
windows10_x64
1091d1ab6c30...31.exe
windows7_x64
1091d1ab6c30...31.exe
windows10_x64
10ca57455fd1...75.exe
windows7_x64
10ca57455fd1...75.exe
windows10_x64
10e3f236e4ae...77.exe
windows7_x64
10e3f236e4ae...77.exe
windows10_x64
10faa3453ceb...69.exe
windows7_x64
10faa3453ceb...69.exe
windows10_x64
10ffbb6c4d8d...4d.exe
windows7_x64
10ffbb6c4d8d...4d.exe
windows10_x64
10Analysis
-
max time kernel
722s -
max time network
728s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
24-08-2021 05:46
Behavioral task
behavioral1
Sample
0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335.exe
Resource
win10v20210408
Behavioral task
behavioral3
Sample
1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18.exe
Resource
win10v20210410
Behavioral task
behavioral5
Sample
1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592.exe
Resource
win7v20210410
Behavioral task
behavioral6
Sample
1dbe9f956514460774290197ffccb11d817d1a5a5aeab81877ae7b74daa1b592.exe
Resource
win10v20210410
Behavioral task
behavioral7
Sample
1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770.exe
Resource
win7v20210408
Behavioral task
behavioral8
Sample
1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770.exe
Resource
win10v20210410
Behavioral task
behavioral9
Sample
26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739.exe
Resource
win7v20210410
Behavioral task
behavioral10
Sample
26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739.exe
Resource
win10v20210408
Behavioral task
behavioral11
Sample
286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe
Resource
win7v20210410
Behavioral task
behavioral12
Sample
286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f.exe
Resource
win10v20210408
Behavioral task
behavioral13
Sample
410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe
Resource
win7v20210408
Behavioral task
behavioral14
Sample
410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677.exe
Resource
win10v20210408
Behavioral task
behavioral15
Sample
5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db.exe
Resource
win7v20210408
Behavioral task
behavioral16
Sample
5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db.exe
Resource
win10v20210408
Behavioral task
behavioral17
Sample
69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
Resource
win7v20210408
Behavioral task
behavioral18
Sample
69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997.exe
Resource
win10v20210410
Behavioral task
behavioral19
Sample
76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78.exe
Resource
win7v20210410
Behavioral task
behavioral20
Sample
76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78.exe
Resource
win10v20210408
Behavioral task
behavioral21
Sample
91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe
Resource
win7v20210410
Behavioral task
behavioral22
Sample
91d1ab6c305552685996f4d80c44cc1c694355ae7d09243df027827d1df61631.exe
Resource
win10v20210410
Behavioral task
behavioral23
Sample
ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75.exe
Resource
win7v20210410
Behavioral task
behavioral24
Sample
ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75.exe
Resource
win10v20210408
Behavioral task
behavioral25
Sample
e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877.exe
Resource
win7v20210410
Behavioral task
behavioral26
Sample
e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877.exe
Resource
win10v20210410
Behavioral task
behavioral27
Sample
faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe
Resource
win7v20210410
Behavioral task
behavioral28
Sample
faa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869.exe
Resource
win10v20210410
Behavioral task
behavioral29
Sample
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe
Resource
win7v20210410
Behavioral task
behavioral30
Sample
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe
Resource
win10v20210410
General
-
Target
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe
-
Size
191KB
-
MD5
0859a78bb06a77e7c6758276eafbefd9
-
SHA1
a72e18efa33f1e3438dbb4451c335d487cbd4082
-
SHA256
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d
-
SHA512
49ca427843dd5c5cefef3d50206b0cf772152f78f82bf42a927aa0d70ceed1c1e828cb20f7f2e8dce58bf2c33e14ff75ec74319d15671b9268e0c18457722c5d
Malware Config
Extracted
C:\odt\Restore-My-Files.txt
lockbit
http://lockbitks2tvnmwk.onion/?F51E3D94FA5D7445A35EEF5AE7AF2EA0
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 1260 bcdedit.exe 1504 bcdedit.exe -
Processes:
wbadmin.exepid process 2104 wbadmin.exe -
Executes dropped EXE 2 IoCs
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exesvchost.compid process 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2316 svchost.com -
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exedescription ioc process File renamed C:\Users\Admin\Pictures\ExportBlock.raw => C:\Users\Admin\Pictures\ExportBlock.raw.lockbit ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File renamed C:\Users\Admin\Pictures\SelectUnpublish.crw => C:\Users\Admin\Pictures\SelectUnpublish.crw.lockbit ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe\"" ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exedescription ioc process File opened (read-only) \??\Z: ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\38A5.tmp.bmp" ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exepid process 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe -
Drops file in Program Files directory 64 IoCs
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exeffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exedescription ioc process File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8196_20x20x32.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-150.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\Restore-My-Files.txt ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\HelpIcon_contrast-black.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File created C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\Restore-My-Files.txt ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\LobbyTiles\Tripeaks_bp_809.jpg ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookIconFirstRunCalendar.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-150_contrast-white.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\freecell\Get_Out_Of_Jail_Free_.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tk_16x11.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-96.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-96.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\Restore-My-Files.txt ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\pyramid\Golden_Pharaoh_.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File created C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\AppxMetadata\Restore-My-Files.txt ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\remove.svg ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\resources.pri ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Pyramid\ResPacks\gameplaypyramid.respack ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8041_48x48x32.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-125.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_altform-unplated_contrast-white.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\microsoft.system.package.metadata\resources.857e5af3.pri ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-128.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\AppxManifest.xml ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_1h.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reportabuse-default_18.svg ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\Restore-My-Files.txt ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10290_40x40x32.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot.cur ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\mask\1s.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\blushing.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-125.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\ui-strings.js ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-150_contrast-white.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\ui-strings.js ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\spider_menu_icon.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\Restore-My-Files.txt ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\ui-strings.js ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Backgrounds\Classic.jpg ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File created C:\Program Files (x86)\Windows Media Player\Skins\Restore-My-Files.txt ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\nashorn.jar ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-125_contrast-black.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20_altform-unplated.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Logo.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore\Resources\Assets\RT_Icons_Popcorn_42.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\7-Zip\Lang\fi.txt ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim1.scale-200.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-64_altform-unplated.png ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe -
Drops file in Windows directory 3 IoCs
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exesvchost.comdescription ioc process File opened for modification C:\Windows\svchost.com ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vds.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 988 vssadmin.exe -
Modifies Control Panel 2 IoCs
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "2" ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\TileWallpaper = "0" ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe -
Modifies registry class 2 IoCs
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exeffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exepid process 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exevssvc.exeWMIC.exedescription pid process Token: SeTakeOwnershipPrivilege 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe Token: SeDebugPrivilege 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe Token: SeBackupPrivilege 3340 vssvc.exe Token: SeRestorePrivilege 3340 vssvc.exe Token: SeAuditPrivilege 3340 vssvc.exe Token: SeIncreaseQuotaPrivilege 3960 WMIC.exe Token: SeSecurityPrivilege 3960 WMIC.exe Token: SeTakeOwnershipPrivilege 3960 WMIC.exe Token: SeLoadDriverPrivilege 3960 WMIC.exe Token: SeSystemProfilePrivilege 3960 WMIC.exe Token: SeSystemtimePrivilege 3960 WMIC.exe Token: SeProfSingleProcessPrivilege 3960 WMIC.exe Token: SeIncBasePriorityPrivilege 3960 WMIC.exe Token: SeCreatePagefilePrivilege 3960 WMIC.exe Token: SeBackupPrivilege 3960 WMIC.exe Token: SeRestorePrivilege 3960 WMIC.exe Token: SeShutdownPrivilege 3960 WMIC.exe Token: SeDebugPrivilege 3960 WMIC.exe Token: SeSystemEnvironmentPrivilege 3960 WMIC.exe Token: SeRemoteShutdownPrivilege 3960 WMIC.exe Token: SeUndockPrivilege 3960 WMIC.exe Token: SeManageVolumePrivilege 3960 WMIC.exe Token: 33 3960 WMIC.exe Token: 34 3960 WMIC.exe Token: 35 3960 WMIC.exe Token: 36 3960 WMIC.exe Token: SeIncreaseQuotaPrivilege 3960 WMIC.exe Token: SeSecurityPrivilege 3960 WMIC.exe Token: SeTakeOwnershipPrivilege 3960 WMIC.exe Token: SeLoadDriverPrivilege 3960 WMIC.exe Token: SeSystemProfilePrivilege 3960 WMIC.exe Token: SeSystemtimePrivilege 3960 WMIC.exe Token: SeProfSingleProcessPrivilege 3960 WMIC.exe Token: SeIncBasePriorityPrivilege 3960 WMIC.exe Token: SeCreatePagefilePrivilege 3960 WMIC.exe Token: SeBackupPrivilege 3960 WMIC.exe Token: SeRestorePrivilege 3960 WMIC.exe Token: SeShutdownPrivilege 3960 WMIC.exe Token: SeDebugPrivilege 3960 WMIC.exe Token: SeSystemEnvironmentPrivilege 3960 WMIC.exe Token: SeRemoteShutdownPrivilege 3960 WMIC.exe Token: SeUndockPrivilege 3960 WMIC.exe Token: SeManageVolumePrivilege 3960 WMIC.exe Token: 33 3960 WMIC.exe Token: 34 3960 WMIC.exe Token: 35 3960 WMIC.exe Token: 36 3960 WMIC.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exeffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.execmd.exesvchost.comcmd.exedescription pid process target process PID 3776 wrote to memory of 2536 3776 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe PID 3776 wrote to memory of 2536 3776 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe PID 3776 wrote to memory of 2536 3776 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe PID 2536 wrote to memory of 3160 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe cmd.exe PID 2536 wrote to memory of 3160 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe cmd.exe PID 3160 wrote to memory of 988 3160 cmd.exe vssadmin.exe PID 3160 wrote to memory of 988 3160 cmd.exe vssadmin.exe PID 3160 wrote to memory of 3960 3160 cmd.exe WMIC.exe PID 3160 wrote to memory of 3960 3160 cmd.exe WMIC.exe PID 3160 wrote to memory of 1260 3160 cmd.exe bcdedit.exe PID 3160 wrote to memory of 1260 3160 cmd.exe bcdedit.exe PID 3160 wrote to memory of 1504 3160 cmd.exe bcdedit.exe PID 3160 wrote to memory of 1504 3160 cmd.exe bcdedit.exe PID 3160 wrote to memory of 2104 3160 cmd.exe wbadmin.exe PID 3160 wrote to memory of 2104 3160 cmd.exe wbadmin.exe PID 2536 wrote to memory of 2316 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe svchost.com PID 2536 wrote to memory of 2316 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe svchost.com PID 2536 wrote to memory of 2316 2536 ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe svchost.com PID 2316 wrote to memory of 3064 2316 svchost.com cmd.exe PID 2316 wrote to memory of 3064 2316 svchost.com cmd.exe PID 2316 wrote to memory of 3064 2316 svchost.com cmd.exe PID 3064 wrote to memory of 248 3064 cmd.exe PING.EXE PID 3064 wrote to memory of 248 3064 cmd.exe PING.EXE PID 3064 wrote to memory of 248 3064 cmd.exe PING.EXE PID 3064 wrote to memory of 632 3064 cmd.exe fsutil.exe PID 3064 wrote to memory of 632 3064 cmd.exe fsutil.exe PID 3064 wrote to memory of 632 3064 cmd.exe fsutil.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe"C:\Users\Admin\AppData\Local\Temp\ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe"1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\3582-490\ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3582-490\ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 C:\Users\Admin\AppData\Local\Temp\3582-490\ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe & Del /f /q C:\Users\Admin\AppData\Local\Temp\3582-490\ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 35⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 C:\Users\Admin\AppData\Local\Temp\3582-490\ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exe5⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exeMD5
1f4f6abfced4c347ba951a04c8d86982
SHA1a4c486b0926f55e99d12f749135612602cc4bf64
SHA2561b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18
SHA512ae9d631a193d04194bcb54ccf5573730c04b2d9d732addf04af2100e7d67584a3cfba67cfaa2a9da05099d71c56dd58cfdb9f58d070b72ae58d0add20cf0afd3
-
C:\Users\Admin\AppData\Local\Temp\3582-490\ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d.exeMD5
1f4f6abfced4c347ba951a04c8d86982
SHA1a4c486b0926f55e99d12f749135612602cc4bf64
SHA2561b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18
SHA512ae9d631a193d04194bcb54ccf5573730c04b2d9d732addf04af2100e7d67584a3cfba67cfaa2a9da05099d71c56dd58cfdb9f58d070b72ae58d0add20cf0afd3
-
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmpMD5
9fc77a3bd5fbce5bfb131f469142477c
SHA11390897c78d1ac85e95f96e17b7031a24a45f275
SHA256b499624651b60ccdc19c5c8a3969e34f0caaf786e4189016b2c884c6db97dcc7
SHA5127b738b82c7b77ef248f69faabaa0f4cc58c982d7ac9a6105a852f4cc38a278a4e2b5e2d5e5bcdfb6534054db421325752e310d90fdb559d0648eef4c2a9fbf72
-
C:\Windows\svchost.comMD5
36fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\Windows\svchost.comMD5
36fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
memory/248-130-0x0000000000000000-mapping.dmp
-
memory/632-131-0x0000000000000000-mapping.dmp
-
memory/988-120-0x0000000000000000-mapping.dmp
-
memory/1260-122-0x0000000000000000-mapping.dmp
-
memory/1504-123-0x0000000000000000-mapping.dmp
-
memory/2104-124-0x0000000000000000-mapping.dmp
-
memory/2316-125-0x0000000000000000-mapping.dmp
-
memory/2536-116-0x0000000000000000-mapping.dmp
-
memory/3064-128-0x0000000000000000-mapping.dmp
-
memory/3160-119-0x0000000000000000-mapping.dmp
-
memory/3960-121-0x0000000000000000-mapping.dmp