medusalocker | f2a155473c06ecad973676f1e2a8d228ab4a8adf32a87477c716f31fddf6cbaf

Resubmissions

04/10/2021, 11:00

211004-m37gpsgccl 10

20/09/2021, 11:57

210920-n4q2sagfap 10

Analysis

max time kernel
150s
max time network
143s
platform
windows10_x64
resource
win10v20210408
submitted
20/09/2021, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B06.exe
Size

4.5MB
MD5

49fb0e5a3415155c24d6839250cd7fed
SHA1

69fa4c797df21b98740368c268cfd1919bf4a6e0
SHA256

f2a155473c06ecad973676f1e2a8d228ab4a8adf32a87477c716f31fddf6cbaf
SHA512

4bcf713b36e0c0bd1e12018cc835a988dbbb2d54556531ebddf97435fd430dab0393fe55e16de5b0c894a49fbea7829f2e6cba5214230f4ee70978a6a87ce397

Score

10^/10

medusalocker evasion persistence ransomware spyware stealer

Malware Config

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4648-114-0x00007FF7BE690000-0x00007FF7BEF08000-memory.dmp	family_medusalocker

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
804	bcdedit.exe
64	bcdedit.exe

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1112	wbadmin.exe
1432	wbadmin.exe

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.udacha	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.udacha	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.udacha	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.udacha	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks	B06.exe

Modifies extensions of user files 44 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\HideGrant.raw.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\JoinPush.crw.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\LimitPing.png => C:\Users\Admin\Pictures\LimitPing.png.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\MoveOpen.raw.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\ResetCompress.png => C:\Users\Admin\Pictures\ResetCompress.png.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\DismountFind.png.inprocess => C:\Users\Admin\Pictures\DismountFind.png.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\EnterCopy.crw => C:\Users\Admin\Pictures\EnterCopy.crw.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\MoveOpen.raw.inprocess => C:\Users\Admin\Pictures\MoveOpen.raw.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\ResetCompress.png.inprocess => C:\Users\Admin\Pictures\ResetCompress.png.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\UseOut.tif => C:\Users\Admin\Pictures\UseOut.tif.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\CheckpointClear.png => C:\Users\Admin\Pictures\CheckpointClear.png.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointClear.png.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\EnterCopy.crw.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\MoveOpen.raw => C:\Users\Admin\Pictures\MoveOpen.raw.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\ResetCompress.png.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\ResizeWrite.raw.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\DisableRegister.tif => C:\Users\Admin\Pictures\DisableRegister.tif.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\JoinPush.crw => C:\Users\Admin\Pictures\JoinPush.crw.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\JoinPush.crw.inprocess => C:\Users\Admin\Pictures\JoinPush.crw.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\ResetCompress.png.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\ResizeWrite.raw.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\ResizeWrite.raw.inprocess => C:\Users\Admin\Pictures\ResizeWrite.raw.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointClear.png.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\DisableRegister.tif.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\HideGrant.raw => C:\Users\Admin\Pictures\HideGrant.raw.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\UseOut.tif.inprocess => C:\Users\Admin\Pictures\UseOut.tif.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\CheckpointClear.png.inprocess => C:\Users\Admin\Pictures\CheckpointClear.png.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\DisableRegister.tif.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\DismountFind.png.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\DismountFind.png.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\EnterCopy.crw.inprocess => C:\Users\Admin\Pictures\EnterCopy.crw.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\JoinPush.crw.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\LimitPing.png.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\LimitPing.png.inprocess => C:\Users\Admin\Pictures\LimitPing.png.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\LimitPing.png.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\DisableRegister.tif.inprocess => C:\Users\Admin\Pictures\DisableRegister.tif.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\DismountFind.png => C:\Users\Admin\Pictures\DismountFind.png.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\HideGrant.raw.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\HideGrant.raw.inprocess => C:\Users\Admin\Pictures\HideGrant.raw.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\MoveOpen.raw.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\ResizeWrite.raw => C:\Users\Admin\Pictures\ResizeWrite.raw.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\UseOut.tif.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\UseOut.tif.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\EnterCopy.crw.udacha	B06.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	B06.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\B06.exe\" e"	B06.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini	B06.exe

Enumerates connected drives 3 TTPs 41 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	B06.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\F:	B06.exe
File opened (read-only)	\??\J:	B06.exe
File opened (read-only)	\??\Y:	B06.exe
File opened (read-only)	\??\B:	B06.exe
File opened (read-only)	\??\I:	B06.exe
File opened (read-only)	\??\L:	B06.exe
File opened (read-only)	\??\P:	B06.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\N:	B06.exe
File opened (read-only)	\??\O:	B06.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\Q:	B06.exe
File opened (read-only)	\??\W:	B06.exe
File opened (read-only)	\??\X:	B06.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\A:	B06.exe
File opened (read-only)	\??\T:	B06.exe
File opened (read-only)	\??\D:	B06.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\V:	B06.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	B06.exe
File opened (read-only)	\??\H:	B06.exe
File opened (read-only)	\??\M:	B06.exe
File opened (read-only)	\??\R:	B06.exe
File opened (read-only)	\??\E:	B06.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\K:	B06.exe
File opened (read-only)	\??\S:	B06.exe
File opened (read-only)	\??\U:	B06.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\BCD-Template.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\DRIVERS	B06.exe
File opened for modification	C:\Windows\System32\config\SAM	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\e6a14287-4b32-4edc-ac58-8de04ea6e0eb.udacha	B06.exe
File opened for modification	C:\Windows\System32\config\BCD-Template	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\2adce956-0c74-47e9-8d83-3e951adefd07.udacha	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\BBI	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC.udacha	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9C237ECACBCB4101A3BE740DF0E53F83	B06.exe
File opened for modification	C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.jfm	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.udacha	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess	B06.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.log	svchost.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.jtx	svchost.exe
File created	C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.jfm	svchost.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f55463bc-6f59-4e20-90ee-5964567988a3	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749.udacha	B06.exe
File opened for modification	C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.jfm	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\e6a14287-4b32-4edc-ac58-8de04ea6e0eb	B06.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.chk	svchost.exe
File created	C:\Windows\system32\CatRoot2\edbres00002.jrs	svchost.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS	B06.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.udacha	B06.exe
File opened for modification	C:\Windows\System32\config\SOFTWARE	B06.exe
File opened for modification	C:\Windows\System32\config\VSMIDK.udacha	B06.exe
File opened for modification	C:\Windows\System32\config\RegBack\SYSTEM	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\2adce956-0c74-47e9-8d83-3e951adefd07	B06.exe
File opened for modification	C:\Windows\system32\CatRoot2\edb.jcp	svchost.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.udacha	B06.exe
File created	C:\Windows\system32\CatRoot2\edb.chk	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.inprocess	B06.exe
File opened for modification	C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	svchost.exe
File created	C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	svchost.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess	B06.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.udacha	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.udacha	B06.exe
File opened for modification	C:\Windows\System32\config\DRIVERS.udacha	B06.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	svchost.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f55463bc-6f59-4e20-90ee-5964567988a3.udacha	B06.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6D1A73D92C4DC2751A4B5A2404E1BDCC.inprocess	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\62fea884-ba15-4897-9686-808a166505f3.udacha	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6D1A73D92C4DC2751A4B5A2404E1BDCC.udacha	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\2adce956-0c74-47e9-8d83-3e951adefd07.inprocess	B06.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.udacha	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749	B06.exe
File opened for modification	C:\Windows\System32\config\VSMIDK	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	B06.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\SECURITY	B06.exe
File opened for modification	C:\Windows\System32\config\RegBack\DEFAULT	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\62fea884-ba15-4897-9686-808a166505f3	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead.inprocess	B06.exe

Drops file in Program Files directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.udacha	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.udacha	B06.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete	B06.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete.udacha	B06.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files.udacha	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014	B06.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files.inprocess	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.inprocess	B06.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.inprocess	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.inprocess	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.udacha	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.udacha	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.inprocess	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.udacha	B06.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete.inprocess	B06.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\master_preferences	B06.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\master_preferences.udacha	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.udacha	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.inprocess	B06.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile	B06.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.inprocess	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.udacha	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.udacha	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.udacha	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.inprocess	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.udacha	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.udacha	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.inprocess	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.udacha	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.inprocess	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.inprocess	B06.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\master_preferences.inprocess	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.inprocess	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.inprocess	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009	B06.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.inprocess	B06.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.udacha	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.udacha	B06.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_cc51e87d-bda7-4ef7-80cf-c431fec6b805.inprocess	B06.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.inprocess	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0}.udacha	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.udacha	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.inprocess	B06.exe
File opened for modification	C:\Windows\Resources\Maps\mwconfig_client	B06.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}	B06.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state	B06.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.inprocess	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.inprocess	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.inprocess	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}	B06.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_cc51e87d-bda7-4ef7-80cf-c431fec6b805.udacha	B06.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess	B06.exe
File opened for modification	C:\Windows\Panther\setupinfo.udacha	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.udacha	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}	B06.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state.inprocess	B06.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.udacha	B06.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state.udacha	B06.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.udacha	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660}.inprocess	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.udacha	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.udacha	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{12578975-C765-4BDF-8DDC-3284BC0E855F}.udacha	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.udacha	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.inprocess	B06.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	B06.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{12578975-C765-4BDF-8DDC-3284BC0E855F}	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.udacha	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0}.inprocess	B06.exe
File opened for modification	C:\Windows\Boot\PCAT\bootnxt	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.udacha	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.inprocess	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660}	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660}.udacha	B06.exe
File opened for modification	C:\Windows\Panther\setupinfo	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.inprocess	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.inprocess	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}.udacha	B06.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe
File opened for modification	C:\Windows\Panther\setupinfo.inprocess	B06.exe
File opened for modification	C:\Windows\Boot\PCAT\bootmgr	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.inprocess	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.inprocess	B06.exe
File opened for modification	C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}.inprocess	B06.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3316	vssadmin.exe
3132	vssadmin.exe
2024	vssadmin.exe
3492	vssadmin.exe
3700	vssadmin.exe
4108	vssadmin.exe
740	vssadmin.exe
4260	vssadmin.exe
4264	vssadmin.exe
3344	vssadmin.exe
4744	vssadmin.exe
5024	vssadmin.exe
5076	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3316161802"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 707bb7c627aed701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40ffccc627aed701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30912039"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009fad30496263f04b8ae6fb0124a2cee9000000000200000000001066000000010000200000000372839ffdca66439a39e2cf5aa4a8e5cfb5855a348080da81ea694d1d97a402000000000e800000000200002000000091b4079fbdab509ca79bfdfaf7f8b084fec8bdb7be63ce4c2eba7195e5c2057c50000000476f2760224a9934e924aaf9bb153bd4fde3bfc697884bcc4f84fe951d83e7472f7c81258b7d2e1c643b544f9df269efad2b15ebe5d3ed9378d0b72c8d23e7afe41472781a82c251d3ff0443087e630f4000000087608192fd0bdce603829e623ad35d0ebdaedcd5ebb6b6ff0b603b50777ed8f5ce4732fc1da58eaa1f238bbf9f2e8c3b980c33247e3403a00be3a0eb96e99cf3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009fad30496263f04b8ae6fb0124a2cee9000000000200000000001066000000010000200000001418f290ba35d67d01ef2b8626e5edd7b15ad9368433f5e9c9edca5b58cbe275000000000e800000000200002000000001f48af3f61daf7b08d3cf153b20f67a5332d33b92ba18669ca8699880671747200000009d3cde594e70c34725e6f2db81baa4b39332f87137ae4bea85c635d24f07f2334000000005d3f0e52809ee84b0549e73357c17ed8410702aaf55b33b390d30cc19488f9c0bb0ee642c53ff4d39dcd72e42194c9812e2241772c6da3a72282a8f7553a359	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3303766020"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30912039"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3303766020"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30912039"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009fad30496263f04b8ae6fb0124a2cee90000000002000000000010660000000100002000000021ef24e3fc453f6196279bf9ed0fadc11293a5ea94dab6efcb356a37639c9db2000000000e8000000002000020000000f3c13d3a29498f3421bea880e09ae0cf7d04d7477fcca8f3b590268127093fa8100000006d284e75721fd78599fdcd77499ba4db40000000eb798692b5965d980d55da075e9203b47032dcfe1bf0c78a7a0605fdbed71c090e6c33234b388562ac4a15cbdb432eee966255a7b9549f9b20b73a75a8bb0739	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009fad30496263f04b8ae6fb0124a2cee900000000020000000000106600000001000020000000ab4dc09c67239b32914569d0c9bfb27ae52407c5d6e1e1160ce240b3c9bc4305000000000e8000000002000020000000a24862f2cc7051dc70bf82b074de9d0364881f8e23d40c7b61f0d5b0a6bba31420000000e20ff96d04036eb04ebea7714041319bc4e1bcc47f3a49078b52b8449546d44f40000000e6123824ee5900d94a864c7aca9a6504b09b0a3e699c54e450a8ed8dec935108904c92e954397d4ca9765f118fb92b70b493c9ca342f79608765afffcd987d7d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F031FCC0-1A1A-11EC-B2DB-52F460BD0637} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe
4648	B06.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeBackupPrivilege	4840	vssvc.exe
Token: SeRestorePrivilege	4840	vssvc.exe
Token: SeAuditPrivilege	4840	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1692	wmic.exe
Token: SeSecurityPrivilege	1692	wmic.exe
Token: SeTakeOwnershipPrivilege	1692	wmic.exe
Token: SeLoadDriverPrivilege	1692	wmic.exe
Token: SeSystemProfilePrivilege	1692	wmic.exe
Token: SeSystemtimePrivilege	1692	wmic.exe
Token: SeProfSingleProcessPrivilege	1692	wmic.exe
Token: SeIncBasePriorityPrivilege	1692	wmic.exe
Token: SeCreatePagefilePrivilege	1692	wmic.exe
Token: SeBackupPrivilege	1692	wmic.exe
Token: SeRestorePrivilege	1692	wmic.exe
Token: SeShutdownPrivilege	1692	wmic.exe
Token: SeDebugPrivilege	1692	wmic.exe
Token: SeSystemEnvironmentPrivilege	1692	wmic.exe
Token: SeRemoteShutdownPrivilege	1692	wmic.exe
Token: SeUndockPrivilege	1692	wmic.exe
Token: SeManageVolumePrivilege	1692	wmic.exe
Token: 33	1692	wmic.exe
Token: 34	1692	wmic.exe
Token: 35	1692	wmic.exe
Token: 36	1692	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4964	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4964	iexplore.exe
4964	iexplore.exe
5072	IEXPLORE.EXE
5072	IEXPLORE.EXE
5072	IEXPLORE.EXE
5072	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 4744	4648	B06.exe	68
PID 4648 wrote to memory of 4744	4648	B06.exe	68
PID 4648 wrote to memory of 5024	4648	B06.exe	74
PID 4648 wrote to memory of 5024	4648	B06.exe	74
PID 4648 wrote to memory of 5076	4648	B06.exe	76
PID 4648 wrote to memory of 5076	4648	B06.exe	76
PID 4648 wrote to memory of 4108	4648	B06.exe	78
PID 4648 wrote to memory of 4108	4648	B06.exe	78
PID 4648 wrote to memory of 2024	4648	B06.exe	80
PID 4648 wrote to memory of 2024	4648	B06.exe	80
PID 4648 wrote to memory of 3492	4648	B06.exe	82
PID 4648 wrote to memory of 3492	4648	B06.exe	82
PID 4648 wrote to memory of 3700	4648	B06.exe	84
PID 4648 wrote to memory of 3700	4648	B06.exe	84
PID 4648 wrote to memory of 740	4648	B06.exe	86
PID 4648 wrote to memory of 740	4648	B06.exe	86
PID 4648 wrote to memory of 4260	4648	B06.exe	88
PID 4648 wrote to memory of 4260	4648	B06.exe	88
PID 4648 wrote to memory of 3316	4648	B06.exe	90
PID 4648 wrote to memory of 3316	4648	B06.exe	90
PID 4648 wrote to memory of 3132	4648	B06.exe	92
PID 4648 wrote to memory of 3132	4648	B06.exe	92
PID 4648 wrote to memory of 4264	4648	B06.exe	94
PID 4648 wrote to memory of 4264	4648	B06.exe	94
PID 4648 wrote to memory of 3344	4648	B06.exe	96
PID 4648 wrote to memory of 3344	4648	B06.exe	96
PID 4648 wrote to memory of 804	4648	B06.exe	98
PID 4648 wrote to memory of 804	4648	B06.exe	98
PID 4648 wrote to memory of 64	4648	B06.exe	100
PID 4648 wrote to memory of 64	4648	B06.exe	100
PID 4648 wrote to memory of 1112	4648	B06.exe	102
PID 4648 wrote to memory of 1112	4648	B06.exe	102
PID 4648 wrote to memory of 1432	4648	B06.exe	104
PID 4648 wrote to memory of 1432	4648	B06.exe	104
PID 4648 wrote to memory of 1692	4648	B06.exe	106
PID 4648 wrote to memory of 1692	4648	B06.exe	106
PID 4648 wrote to memory of 4612	4648	B06.exe	113
PID 4648 wrote to memory of 4612	4648	B06.exe	113
PID 4964 wrote to memory of 5072	4964	iexplore.exe	120
PID 4964 wrote to memory of 5072	4964	iexplore.exe	120
PID 4964 wrote to memory of 5072	4964	iexplore.exe	120

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	B06.exe

C:\Users\Admin\AppData\Local\Temp\B06.exe
"C:\Users\Admin\AppData\Local\Temp\B06.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4648
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4744
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5024
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5076
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4108
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2024
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3492
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3700
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:740
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4260
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3316
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3132
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4264
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3344
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:804
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:64
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:1112
- C:\Windows\SYSTEM32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:1432
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B06.exe >> NUL
  2⤵
  PID:4612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ReadMe_Instruction.mht
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4964 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -s CryptSvc
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1968-140-0x0000027BCEED0000-0x0000027BCEF30000-memory.dmp

Filesize
384KB

Download
memory/1968-137-0x0000027BCEED0000-0x0000027BCEEE0000-memory.dmp

Filesize
64KB

Download
memory/1968-146-0x0000027BCEF90000-0x0000027BCEFF0000-memory.dmp

Filesize
384KB

Download
memory/1968-138-0x0000027BCEF90000-0x0000027BCEFA0000-memory.dmp

Filesize
64KB

Download
memory/4648-114-0x00007FF7BE690000-0x00007FF7BEF08000-memory.dmp

Filesize
8.5MB

Download
memory/4964-134-0x00007FFA6F760000-0x00007FFA6F7CB000-memory.dmp

Filesize
428KB

Download