Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
20-09-2021 11:57
Static task
static1
Behavioral task
behavioral1
Sample
B06.exe
Resource
win7-en-20210916
Behavioral task
behavioral2
Sample
B06.exe
Resource
win10v20210408
General
-
Target
B06.exe
-
Size
4.5MB
-
MD5
49fb0e5a3415155c24d6839250cd7fed
-
SHA1
69fa4c797df21b98740368c268cfd1919bf4a6e0
-
SHA256
f2a155473c06ecad973676f1e2a8d228ab4a8adf32a87477c716f31fddf6cbaf
-
SHA512
4bcf713b36e0c0bd1e12018cc835a988dbbb2d54556531ebddf97435fd430dab0393fe55e16de5b0c894a49fbea7829f2e6cba5214230f4ee70978a6a87ce397
Malware Config
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4648-114-0x00007FF7BE690000-0x00007FF7BEF08000-memory.dmp family_medusalocker -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 804 bcdedit.exe 64 bcdedit.exe -
Processes:
wbadmin.exewbadmin.exepid process 1112 wbadmin.exe 1432 wbadmin.exe -
Drops file in Drivers directory 12 IoCs
Processes:
B06.exedescription ioc process File opened for modification C:\Windows\System32\drivers\etc\networks.inprocess B06.exe File opened for modification C:\Windows\System32\drivers\etc\protocol.inprocess B06.exe File opened for modification C:\Windows\System32\drivers\etc\services B06.exe File opened for modification C:\Windows\System32\drivers\etc\services.inprocess B06.exe File opened for modification C:\Windows\System32\drivers\etc\services.udacha B06.exe File opened for modification C:\Windows\System32\drivers\etc\hosts B06.exe File opened for modification C:\Windows\System32\drivers\etc\hosts.udacha B06.exe File opened for modification C:\Windows\System32\drivers\etc\networks.udacha B06.exe File opened for modification C:\Windows\System32\drivers\etc\protocol B06.exe File opened for modification C:\Windows\System32\drivers\etc\protocol.udacha B06.exe File opened for modification C:\Windows\System32\drivers\etc\hosts.inprocess B06.exe File opened for modification C:\Windows\System32\drivers\etc\networks B06.exe -
Modifies extensions of user files 44 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
B06.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\HideGrant.raw.udacha B06.exe File opened for modification C:\Users\Admin\Pictures\JoinPush.crw.inprocess B06.exe File renamed C:\Users\Admin\Pictures\LimitPing.png => C:\Users\Admin\Pictures\LimitPing.png.inprocess B06.exe File opened for modification C:\Users\Admin\Pictures\MoveOpen.raw.inprocess B06.exe File renamed C:\Users\Admin\Pictures\ResetCompress.png => C:\Users\Admin\Pictures\ResetCompress.png.inprocess B06.exe File renamed C:\Users\Admin\Pictures\DismountFind.png.inprocess => C:\Users\Admin\Pictures\DismountFind.png.udacha B06.exe File renamed C:\Users\Admin\Pictures\EnterCopy.crw => C:\Users\Admin\Pictures\EnterCopy.crw.inprocess B06.exe File renamed C:\Users\Admin\Pictures\MoveOpen.raw.inprocess => C:\Users\Admin\Pictures\MoveOpen.raw.udacha B06.exe File renamed C:\Users\Admin\Pictures\ResetCompress.png.inprocess => C:\Users\Admin\Pictures\ResetCompress.png.udacha B06.exe File renamed C:\Users\Admin\Pictures\UseOut.tif => C:\Users\Admin\Pictures\UseOut.tif.inprocess B06.exe File renamed C:\Users\Admin\Pictures\CheckpointClear.png => C:\Users\Admin\Pictures\CheckpointClear.png.inprocess B06.exe File opened for modification C:\Users\Admin\Pictures\CheckpointClear.png.inprocess B06.exe File opened for modification C:\Users\Admin\Pictures\EnterCopy.crw.inprocess B06.exe File renamed C:\Users\Admin\Pictures\MoveOpen.raw => C:\Users\Admin\Pictures\MoveOpen.raw.inprocess B06.exe File opened for modification C:\Users\Admin\Pictures\ResetCompress.png.inprocess B06.exe File opened for modification C:\Users\Admin\Pictures\ResizeWrite.raw.udacha B06.exe File renamed C:\Users\Admin\Pictures\DisableRegister.tif => C:\Users\Admin\Pictures\DisableRegister.tif.inprocess B06.exe File renamed C:\Users\Admin\Pictures\JoinPush.crw => C:\Users\Admin\Pictures\JoinPush.crw.inprocess B06.exe File renamed C:\Users\Admin\Pictures\JoinPush.crw.inprocess => C:\Users\Admin\Pictures\JoinPush.crw.udacha B06.exe File opened for modification C:\Users\Admin\Pictures\ResetCompress.png.udacha B06.exe File opened for modification C:\Users\Admin\Pictures\ResizeWrite.raw.inprocess B06.exe File renamed C:\Users\Admin\Pictures\ResizeWrite.raw.inprocess => C:\Users\Admin\Pictures\ResizeWrite.raw.udacha B06.exe File opened for modification C:\Users\Admin\Pictures\CheckpointClear.png.udacha B06.exe File opened for modification C:\Users\Admin\Pictures\DisableRegister.tif.inprocess B06.exe File renamed C:\Users\Admin\Pictures\HideGrant.raw => C:\Users\Admin\Pictures\HideGrant.raw.inprocess B06.exe File renamed C:\Users\Admin\Pictures\UseOut.tif.inprocess => C:\Users\Admin\Pictures\UseOut.tif.udacha B06.exe File renamed C:\Users\Admin\Pictures\CheckpointClear.png.inprocess => C:\Users\Admin\Pictures\CheckpointClear.png.udacha B06.exe File opened for modification C:\Users\Admin\Pictures\DisableRegister.tif.udacha B06.exe File opened for modification C:\Users\Admin\Pictures\DismountFind.png.inprocess B06.exe File opened for modification C:\Users\Admin\Pictures\DismountFind.png.udacha B06.exe File renamed C:\Users\Admin\Pictures\EnterCopy.crw.inprocess => C:\Users\Admin\Pictures\EnterCopy.crw.udacha B06.exe File opened for modification C:\Users\Admin\Pictures\JoinPush.crw.udacha B06.exe File opened for modification C:\Users\Admin\Pictures\LimitPing.png.inprocess B06.exe File renamed C:\Users\Admin\Pictures\LimitPing.png.inprocess => C:\Users\Admin\Pictures\LimitPing.png.udacha B06.exe File opened for modification C:\Users\Admin\Pictures\LimitPing.png.udacha B06.exe File renamed C:\Users\Admin\Pictures\DisableRegister.tif.inprocess => C:\Users\Admin\Pictures\DisableRegister.tif.udacha B06.exe File renamed C:\Users\Admin\Pictures\DismountFind.png => C:\Users\Admin\Pictures\DismountFind.png.inprocess B06.exe File opened for modification C:\Users\Admin\Pictures\HideGrant.raw.inprocess B06.exe File renamed C:\Users\Admin\Pictures\HideGrant.raw.inprocess => C:\Users\Admin\Pictures\HideGrant.raw.udacha B06.exe File opened for modification C:\Users\Admin\Pictures\MoveOpen.raw.udacha B06.exe File renamed C:\Users\Admin\Pictures\ResizeWrite.raw => C:\Users\Admin\Pictures\ResizeWrite.raw.inprocess B06.exe File opened for modification C:\Users\Admin\Pictures\UseOut.tif.inprocess B06.exe File opened for modification C:\Users\Admin\Pictures\UseOut.tif.udacha B06.exe File opened for modification C:\Users\Admin\Pictures\EnterCopy.crw.udacha B06.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
B06.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run B06.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\B06.exe\" e" B06.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
B06.exedescription ioc process File opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini B06.exe -
Enumerates connected drives 3 TTPs 41 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
B06.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exedescription ioc process File opened (read-only) \??\Z: B06.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\F: B06.exe File opened (read-only) \??\J: B06.exe File opened (read-only) \??\Y: B06.exe File opened (read-only) \??\B: B06.exe File opened (read-only) \??\I: B06.exe File opened (read-only) \??\L: B06.exe File opened (read-only) \??\P: B06.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\N: B06.exe File opened (read-only) \??\O: B06.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\Q: B06.exe File opened (read-only) \??\W: B06.exe File opened (read-only) \??\X: B06.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\A: B06.exe File opened (read-only) \??\T: B06.exe File opened (read-only) \??\D: B06.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\V: B06.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\G: B06.exe File opened (read-only) \??\H: B06.exe File opened (read-only) \??\M: B06.exe File opened (read-only) \??\R: B06.exe File opened (read-only) \??\E: B06.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\K: B06.exe File opened (read-only) \??\S: B06.exe File opened (read-only) \??\U: B06.exe -
Drops file in System32 directory 64 IoCs
Processes:
B06.exesvchost.exedescription ioc process File opened for modification C:\Windows\System32\config\BCD-Template.inprocess B06.exe File opened for modification C:\Windows\System32\config\DRIVERS B06.exe File opened for modification C:\Windows\System32\config\SAM B06.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\e6a14287-4b32-4edc-ac58-8de04ea6e0eb.udacha B06.exe File opened for modification C:\Windows\System32\config\BCD-Template B06.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\2adce956-0c74-47e9-8d83-3e951adefd07.udacha B06.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.inprocess B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868.inprocess B06.exe File opened for modification C:\Windows\System32\config\BBI B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC.udacha B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9C237ECACBCB4101A3BE740DF0E53F83 B06.exe File opened for modification C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.jfm svchost.exe File opened for modification C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.udacha B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess B06.exe File opened for modification C:\Windows\system32\CatRoot2\edb.log svchost.exe File opened for modification C:\Windows\system32\CatRoot2\edb.jtx svchost.exe File created C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.jfm svchost.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f55463bc-6f59-4e20-90ee-5964567988a3 B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749.udacha B06.exe File opened for modification C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.jfm svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess B06.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\e6a14287-4b32-4edc-ac58-8de04ea6e0eb B06.exe File opened for modification C:\Windows\system32\CatRoot2\edb.chk svchost.exe File created C:\Windows\system32\CatRoot2\edbres00002.jrs svchost.exe File opened for modification C:\Windows\System32\config\COMPONENTS B06.exe File opened for modification C:\Windows\System32\config\COMPONENTS.udacha B06.exe File opened for modification C:\Windows\System32\config\SOFTWARE B06.exe File opened for modification C:\Windows\System32\config\VSMIDK.udacha B06.exe File opened for modification C:\Windows\System32\config\RegBack\SYSTEM B06.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\2adce956-0c74-47e9-8d83-3e951adefd07 B06.exe File opened for modification C:\Windows\system32\CatRoot2\edb.jcp svchost.exe File opened for modification C:\Windows\System32\config\BCD-Template.udacha B06.exe File created C:\Windows\system32\CatRoot2\edb.chk svchost.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.inprocess B06.exe File opened for modification C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb svchost.exe File created C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb svchost.exe File opened for modification C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess B06.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess B06.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.udacha B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.udacha B06.exe File opened for modification C:\Windows\System32\config\DRIVERS.udacha B06.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt svchost.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f55463bc-6f59-4e20-90ee-5964567988a3.udacha B06.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6D1A73D92C4DC2751A4B5A2404E1BDCC.inprocess B06.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\62fea884-ba15-4897-9686-808a166505f3.udacha B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC.inprocess B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6D1A73D92C4DC2751A4B5A2404E1BDCC.udacha B06.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\2adce956-0c74-47e9-8d83-3e951adefd07.inprocess B06.exe File opened for modification C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.udacha B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749 B06.exe File opened for modification C:\Windows\System32\config\VSMIDK B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83 B06.exe File opened for modification C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.inprocess B06.exe File opened for modification C:\Windows\System32\config\SECURITY B06.exe File opened for modification C:\Windows\System32\config\RegBack\DEFAULT B06.exe File opened for modification C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\62fea884-ba15-4897-9686-808a166505f3 B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D B06.exe File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead.inprocess B06.exe -
Drops file in Program Files directory 49 IoCs
Processes:
B06.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.udacha B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008 B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.udacha B06.exe File opened for modification C:\Program Files\Mozilla Firefox\precomplete B06.exe File opened for modification C:\Program Files\Mozilla Firefox\precomplete.udacha B06.exe File opened for modification C:\Program Files\Mozilla Firefox\removed-files.udacha B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014 B06.exe File opened for modification C:\Program Files\Mozilla Firefox\removed-files.inprocess B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003 B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.inprocess B06.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.inprocess B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.inprocess B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.udacha B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.udacha B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006 B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.inprocess B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.udacha B06.exe File opened for modification C:\Program Files\Mozilla Firefox\precomplete.inprocess B06.exe File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences B06.exe File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences.udacha B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007 B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.udacha B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.inprocess B06.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile B06.exe File opened for modification C:\Program Files\Mozilla Firefox\removed-files B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.inprocess B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.udacha B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.udacha B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125 B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.udacha B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.inprocess B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011 B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.udacha B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033 B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005 B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.udacha B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.inprocess B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.udacha B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050 B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.inprocess B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.inprocess B06.exe File opened for modification C:\Program Files\Google\Chrome\Application\master_preferences.inprocess B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002 B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.inprocess B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.inprocess B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009 B06.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.inprocess B06.exe -
Drops file in Windows directory 64 IoCs
Processes:
B06.exewbadmin.exewbadmin.exesvchost.exedescription ioc process File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.udacha B06.exe File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.udacha B06.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_cc51e87d-bda7-4ef7-80cf-c431fec6b805.inprocess B06.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.inprocess B06.exe File opened for modification C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0}.udacha B06.exe File opened for modification C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C} B06.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE} B06.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.udacha B06.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.inprocess B06.exe File opened for modification C:\Windows\Resources\Maps\mwconfig_client B06.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707} B06.exe File opened for modification C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state B06.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe File opened for modification C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00} B06.exe File opened for modification C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.inprocess B06.exe File opened for modification C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.inprocess B06.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.inprocess B06.exe File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100} B06.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_cc51e87d-bda7-4ef7-80cf-c431fec6b805.udacha B06.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess B06.exe File opened for modification C:\Windows\Panther\setupinfo.udacha B06.exe File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.udacha B06.exe File opened for modification C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6} B06.exe File opened for modification C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state.inprocess B06.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl wbadmin.exe File opened for modification C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.udacha B06.exe File opened for modification C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state.udacha B06.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D B06.exe File opened for modification C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7} B06.exe File opened for modification C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.udacha B06.exe File opened for modification C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660}.inprocess B06.exe File opened for modification C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.udacha B06.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.udacha B06.exe File opened for modification C:\Windows\Installer\SourceHash{12578975-C765-4BDF-8DDC-3284BC0E855F}.udacha B06.exe File opened for modification C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10} B06.exe File opened for modification C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.udacha B06.exe File opened for modification C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.inprocess B06.exe File opened for modification C:\Windows\Boot\DVD\PCAT\BCD B06.exe File opened for modification C:\Windows\Boot\DVD\EFI\BCD B06.exe File opened for modification C:\Windows\Installer\SourceHash{12578975-C765-4BDF-8DDC-3284BC0E855F} B06.exe File opened for modification C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.udacha B06.exe File opened for modification C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0}.inprocess B06.exe File opened for modification C:\Windows\Boot\PCAT\bootnxt B06.exe File opened for modification C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.udacha B06.exe File opened for modification C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.inprocess B06.exe File opened for modification C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} B06.exe File opened for modification C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} B06.exe File opened for modification C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660} B06.exe File opened for modification C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660}.udacha B06.exe File opened for modification C:\Windows\Panther\setupinfo B06.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE} B06.exe File opened for modification C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.inprocess B06.exe File opened for modification C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.inprocess B06.exe File opened for modification C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}.udacha B06.exe File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe File opened for modification C:\Windows\Panther\setupinfo.inprocess B06.exe File opened for modification C:\Windows\Boot\PCAT\bootmgr B06.exe File opened for modification C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.inprocess B06.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE} B06.exe File opened for modification C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.inprocess B06.exe File opened for modification C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}.inprocess B06.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 13 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 3316 vssadmin.exe 3132 vssadmin.exe 2024 vssadmin.exe 3492 vssadmin.exe 3700 vssadmin.exe 4108 vssadmin.exe 740 vssadmin.exe 4260 vssadmin.exe 4264 vssadmin.exe 3344 vssadmin.exe 4744 vssadmin.exe 5024 vssadmin.exe 5076 vssadmin.exe -
Processes:
IEXPLORE.EXEiexplore.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3316161802" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 707bb7c627aed701 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40ffccc627aed701 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\User Preferences iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30912039" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009fad30496263f04b8ae6fb0124a2cee9000000000200000000001066000000010000200000000372839ffdca66439a39e2cf5aa4a8e5cfb5855a348080da81ea694d1d97a402000000000e800000000200002000000091b4079fbdab509ca79bfdfaf7f8b084fec8bdb7be63ce4c2eba7195e5c2057c50000000476f2760224a9934e924aaf9bb153bd4fde3bfc697884bcc4f84fe951d83e7472f7c81258b7d2e1c643b544f9df269efad2b15ebe5d3ed9378d0b72c8d23e7afe41472781a82c251d3ff0443087e630f4000000087608192fd0bdce603829e623ad35d0ebdaedcd5ebb6b6ff0b603b50777ed8f5ce4732fc1da58eaa1f238bbf9f2e8c3b980c33247e3403a00be3a0eb96e99cf3 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009fad30496263f04b8ae6fb0124a2cee9000000000200000000001066000000010000200000001418f290ba35d67d01ef2b8626e5edd7b15ad9368433f5e9c9edca5b58cbe275000000000e800000000200002000000001f48af3f61daf7b08d3cf153b20f67a5332d33b92ba18669ca8699880671747200000009d3cde594e70c34725e6f2db81baa4b39332f87137ae4bea85c635d24f07f2334000000005d3f0e52809ee84b0549e73357c17ed8410702aaf55b33b390d30cc19488f9c0bb0ee642c53ff4d39dcd72e42194c9812e2241772c6da3a72282a8f7553a359 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3303766020" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30912039" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3303766020" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30912039" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009fad30496263f04b8ae6fb0124a2cee90000000002000000000010660000000100002000000021ef24e3fc453f6196279bf9ed0fadc11293a5ea94dab6efcb356a37639c9db2000000000e8000000002000020000000f3c13d3a29498f3421bea880e09ae0cf7d04d7477fcca8f3b590268127093fa8100000006d284e75721fd78599fdcd77499ba4db40000000eb798692b5965d980d55da075e9203b47032dcfe1bf0c78a7a0605fdbed71c090e6c33234b388562ac4a15cbdb432eee966255a7b9549f9b20b73a75a8bb0739 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009fad30496263f04b8ae6fb0124a2cee900000000020000000000106600000001000020000000ab4dc09c67239b32914569d0c9bfb27ae52407c5d6e1e1160ce240b3c9bc4305000000000e8000000002000020000000a24862f2cc7051dc70bf82b074de9d0364881f8e23d40c7b61f0d5b0a6bba31420000000e20ff96d04036eb04ebea7714041319bc4e1bcc47f3a49078b52b8449546d44f40000000e6123824ee5900d94a864c7aca9a6504b09b0a3e699c54e450a8ed8dec935108904c92e954397d4ca9765f118fb92b70b493c9ca342f79608765afffcd987d7d iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F031FCC0-1A1A-11EC-B2DB-52F460BD0637} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
B06.exepid process 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe 4648 B06.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
vssvc.exewmic.exedescription pid process Token: SeBackupPrivilege 4840 vssvc.exe Token: SeRestorePrivilege 4840 vssvc.exe Token: SeAuditPrivilege 4840 vssvc.exe Token: SeIncreaseQuotaPrivilege 1692 wmic.exe Token: SeSecurityPrivilege 1692 wmic.exe Token: SeTakeOwnershipPrivilege 1692 wmic.exe Token: SeLoadDriverPrivilege 1692 wmic.exe Token: SeSystemProfilePrivilege 1692 wmic.exe Token: SeSystemtimePrivilege 1692 wmic.exe Token: SeProfSingleProcessPrivilege 1692 wmic.exe Token: SeIncBasePriorityPrivilege 1692 wmic.exe Token: SeCreatePagefilePrivilege 1692 wmic.exe Token: SeBackupPrivilege 1692 wmic.exe Token: SeRestorePrivilege 1692 wmic.exe Token: SeShutdownPrivilege 1692 wmic.exe Token: SeDebugPrivilege 1692 wmic.exe Token: SeSystemEnvironmentPrivilege 1692 wmic.exe Token: SeRemoteShutdownPrivilege 1692 wmic.exe Token: SeUndockPrivilege 1692 wmic.exe Token: SeManageVolumePrivilege 1692 wmic.exe Token: 33 1692 wmic.exe Token: 34 1692 wmic.exe Token: 35 1692 wmic.exe Token: 36 1692 wmic.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 4964 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 4964 iexplore.exe 4964 iexplore.exe 5072 IEXPLORE.EXE 5072 IEXPLORE.EXE 5072 IEXPLORE.EXE 5072 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
B06.exeiexplore.exedescription pid process target process PID 4648 wrote to memory of 4744 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 4744 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 5024 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 5024 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 5076 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 5076 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 4108 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 4108 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 2024 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 2024 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 3492 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 3492 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 3700 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 3700 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 740 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 740 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 4260 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 4260 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 3316 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 3316 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 3132 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 3132 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 4264 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 4264 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 3344 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 3344 4648 B06.exe vssadmin.exe PID 4648 wrote to memory of 804 4648 B06.exe bcdedit.exe PID 4648 wrote to memory of 804 4648 B06.exe bcdedit.exe PID 4648 wrote to memory of 64 4648 B06.exe bcdedit.exe PID 4648 wrote to memory of 64 4648 B06.exe bcdedit.exe PID 4648 wrote to memory of 1112 4648 B06.exe wbadmin.exe PID 4648 wrote to memory of 1112 4648 B06.exe wbadmin.exe PID 4648 wrote to memory of 1432 4648 B06.exe wbadmin.exe PID 4648 wrote to memory of 1432 4648 B06.exe wbadmin.exe PID 4648 wrote to memory of 1692 4648 B06.exe wmic.exe PID 4648 wrote to memory of 1692 4648 B06.exe wmic.exe PID 4648 wrote to memory of 4612 4648 B06.exe cmd.exe PID 4648 wrote to memory of 4612 4648 B06.exe cmd.exe PID 4964 wrote to memory of 5072 4964 iexplore.exe IEXPLORE.EXE PID 4964 wrote to memory of 5072 4964 iexplore.exe IEXPLORE.EXE PID 4964 wrote to memory of 5072 4964 iexplore.exe IEXPLORE.EXE -
System policy modification 1 TTPs 1 IoCs
Processes:
B06.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" B06.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\B06.exe"C:\Users\Admin\AppData\Local\Temp\B06.exe"1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled No2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SYSTEM32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP2⤵
- Deletes System State backups
- Drops file in Windows directory
-
C:\Windows\SYSTEM32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest2⤵
- Deletes System State backups
- Drops file in Windows directory
-
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B06.exe >> NUL2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ReadMe_Instruction.mht1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4964 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -s CryptSvc1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
afb3184cd6ba3ccd4d11e3caf9605965
SHA1529d9e77549890a7c4c6e3d4c0894894f34036c8
SHA2564cfebe01e11ade084470601ecacf242fb858bfbdecdce1c36044d331dae56083
SHA5124201d07b2b4d87f4a962b535172b51325a798c35257e0ff0d81d5eae77150d49c7d5dca12e04c51c95840980f811132ca79f28b327cfaa7a99566938c8b6a606
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157MD5
f7e6f6e31a30dd75de0b05a14b3f301f
SHA122f532fed7fb4c7d1e8665e9b29bde6eef725336
SHA256874520525ea1c50ea46df66bdabf69f8ee520eb6065aa8077d990b20bd665cdc
SHA5124c28feeb515a3304fc3e60f394963721b05df2b1cfe3851f6ba8413644a72f33fc5e2c305d9e691dfe61a43c1fc261cb760d98dc9630e513bdf24acd5d9e8a93
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
7529ebb5e4e902b9e446aec7cf34d37a
SHA16354d19b357703bcac9469dd1bb8c2061ed8b359
SHA256732bf437c65271b0b89b0b15cb5e4fba94f48dd922b19e3c8274b1419ad0e015
SHA5126d66f4d31a2564e5143a8041806b0d90e00ce3fadcd9f78f1ae16b269e221ba8c60cdbf1c8ad06a13df459bae44ffe676ef713c934cff06b15b84b65b74b868d
-
C:\Users\Admin\Desktop\ReadMe_Instruction.mhtMD5
f6d3a1509576138c7083e35bedd31032
SHA10bfa0ea13c73a5f1aacf722c7de3ca21352ce2ce
SHA2561ec791f31fe01e688ba0e3f4d0ddc0eeed5d90fec9f3835732afce4c93b5e5f2
SHA5125184bfda955c27d5a8e07fd6c4044219e52d6225afac291c63680d3a094af94878289ee2f19c52392dc0dccd72224525ed8fe99258695ec555d7e936d6dec307
-
C:\Users\Admin\Favorites\Bing.url.udachaMD5
24c3f1bf6d8c30e7ea4044861124d63b
SHA11b1a5f23b4b0bafb7eb5e9a7ad15880348388dac
SHA256bfa2cebacc4aaee5a3ab44f735d9ed3b37a991320bfcf37b838252a2b417a80b
SHA512e42e7b9172b198690413326ee6d079208c7ba064b1702d1782bcb8fab5e4f42dd58aa98b1420be6a845a3b66bc93ab8be2a14c8702f02973f87661514ce0b0ef
-
memory/64-129-0x0000000000000000-mapping.dmp
-
memory/740-122-0x0000000000000000-mapping.dmp
-
memory/804-128-0x0000000000000000-mapping.dmp
-
memory/1112-130-0x0000000000000000-mapping.dmp
-
memory/1432-131-0x0000000000000000-mapping.dmp
-
memory/1692-132-0x0000000000000000-mapping.dmp
-
memory/1968-140-0x0000027BCEED0000-0x0000027BCEF30000-memory.dmpFilesize
384KB
-
memory/1968-137-0x0000027BCEED0000-0x0000027BCEEE0000-memory.dmpFilesize
64KB
-
memory/1968-146-0x0000027BCEF90000-0x0000027BCEFF0000-memory.dmpFilesize
384KB
-
memory/1968-138-0x0000027BCEF90000-0x0000027BCEFA0000-memory.dmpFilesize
64KB
-
memory/2024-119-0x0000000000000000-mapping.dmp
-
memory/3132-125-0x0000000000000000-mapping.dmp
-
memory/3316-124-0x0000000000000000-mapping.dmp
-
memory/3344-127-0x0000000000000000-mapping.dmp
-
memory/3492-120-0x0000000000000000-mapping.dmp
-
memory/3700-121-0x0000000000000000-mapping.dmp
-
memory/4108-118-0x0000000000000000-mapping.dmp
-
memory/4260-123-0x0000000000000000-mapping.dmp
-
memory/4264-126-0x0000000000000000-mapping.dmp
-
memory/4612-133-0x0000000000000000-mapping.dmp
-
memory/4648-114-0x00007FF7BE690000-0x00007FF7BEF08000-memory.dmpFilesize
8.5MB
-
memory/4744-115-0x0000000000000000-mapping.dmp
-
memory/4964-134-0x00007FFA6F760000-0x00007FFA6F7CB000-memory.dmpFilesize
428KB
-
memory/5024-116-0x0000000000000000-mapping.dmp
-
memory/5072-135-0x0000000000000000-mapping.dmp
-
memory/5076-117-0x0000000000000000-mapping.dmp