Analysis

max time kernel: 151s
max time network: 151s
platform: windows10_x64
resource: win10v20210408
submitted: 21/09/2021, 05:03

Static task: static1
Behavioral task: behavioral1
Sample: c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7.exe
Resource: win10v20210408

General

Target: c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7.exe
Size: 212KB
MD5: a2b0efc0a408c73e6a3501b3a5a0c627
SHA1: 492af61143910c55bdebc87bbad30bede3605f1c
SHA256: c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7
SHA512: 561ff63e4a125ce6bf8f79db5d451fdbd81e9fb36e92bcea2cdd3879d6ed8957cb7243ededf1e68ec61a6703eef96f1228d1667f8d660c32ad2585afe93131fd

Malware Config

Extracted
Family: smokeloader
Version: 2020
C2:
http://venerynnet1.top/
http://kevonahira2.top/
http://vegangelist3.top/
http://kingriffaele4.top/
http://arakeishant5.top/
Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.

MedusaLocker Payload 1 IoCs
resource: behavioral1/memory/1208-121-0x00007FF795850000-0x00007FF7960C8000-memory.dmp
yara_rule: family_medusalocker

SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid   Process
688   bcdedit.exe
264   bcdedit.exe

pid   Process
1300  wbadmin.exe
636   wbadmin.exe
Downloads MZ/PE file

Drops file in Drivers directory 12 IoCs
description  ioc  Process
File opened for modification  C:\Windows\System32\drivers\etc\networks.udacha  D0A9.exe
File opened for modification  C:\Windows\System32\drivers\etc\protocol.inprocess  D0A9.exe
File opened for modification  C:\Windows\System32\drivers\etc\services.udacha  D0A9.exe
File opened for modification  C:\Windows\System32\drivers\etc\hosts  D0A9.exe
File opened for modification  C:\Windows\System32\drivers\etc\hosts.udacha  D0A9.exe
File opened for modification  C:\Windows\System32\drivers\etc\networks  D0A9.exe
File opened for modification  C:\Windows\System32\drivers\etc\protocol.udacha  D0A9.exe
File opened for modification  C:\Windows\System32\drivers\etc\services  D0A9.exe
File opened for modification  C:\Windows\System32\drivers\etc\services.inprocess  D0A9.exe
File opened for modification  C:\Windows\System32\drivers\etc\hosts.inprocess  D0A9.exe
File opened for modification  C:\Windows\System32\drivers\etc\networks.inprocess  D0A9.exe
File opened for modification  C:\Windows\System32\drivers\etc\protocol  D0A9.exe

Executes dropped EXE 2 IoCs
pid   Process
1208  D0A9.exe
4016  DDF8.exe
Modifies extensions of user files 17 IoCs
Ransomware generally changes the extension on encrypted files.
description  ioc  Process
File opened for modification  C:\Users\Admin\Pictures\StopImport.png.inprocess  D0A9.exe
File opened for modification  C:\Users\Admin\Pictures\UnprotectResume.crw.inprocess  D0A9.exe
File renamed  C:\Users\Admin\Pictures\UseUnregister.crw => C:\Users\Admin\Pictures\UseUnregister.crw.inprocess  D0A9.exe
File opened for modification  C:\Users\Admin\Pictures\UseUnregister.crw.inprocess  D0A9.exe
File renamed  C:\Users\Admin\Pictures\UseUnregister.crw.inprocess => C:\Users\Admin\Pictures\UseUnregister.crw.udacha  D0A9.exe
File renamed  C:\Users\Admin\Pictures\StopImport.png => C:\Users\Admin\Pictures\StopImport.png.inprocess  D0A9.exe
File renamed  C:\Users\Admin\Pictures\UnprotectResume.crw.inprocess => C:\Users\Admin\Pictures\UnprotectResume.crw.udacha  D0A9.exe
File opened for modification  C:\Users\Admin\Pictures\UnprotectResume.crw.udacha  D0A9.exe
File opened for modification  C:\Users\Admin\Pictures\UpdateRestore.tiff  D0A9.exe
File opened for modification  C:\Users\Admin\Pictures\UpdateRestore.tiff.udacha  D0A9.exe
File opened for modification  C:\Users\Admin\Pictures\UseUnregister.crw.udacha  D0A9.exe
File opened for modification  C:\Users\Admin\Pictures\StopImport.png.udacha  D0A9.exe
File renamed  C:\Users\Admin\Pictures\UnprotectResume.crw => C:\Users\Admin\Pictures\UnprotectResume.crw.inprocess  D0A9.exe
File opened for modification  C:\Users\Admin\Pictures\UpdateRestore.tiff.inprocess  D0A9.exe
File renamed  C:\Users\Admin\Pictures\UpdateRestore.tiff.inprocess => C:\Users\Admin\Pictures\UpdateRestore.tiff.udacha  D0A9.exe
File renamed  C:\Users\Admin\Pictures\StopImport.png.inprocess => C:\Users\Admin\Pictures\StopImport.png.udacha  D0A9.exe
File renamed  C:\Users\Admin\Pictures\UpdateRestore.tiff => C:\Users\Admin\Pictures\UpdateRestore.tiff.inprocess  D0A9.exe
Deletes itself 1 IoCs
pid   Process
3020  Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run  D0A9.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\D0A9.exe\" e"  D0A9.exe

Drops desktop.ini file(s) 1 IoCs
description  ioc  Process
File opened for modification  \??\E:\$RECYCLE.BIN\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini  D0A9.exe

Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 1 IoCs
description: PID 992 set thread context of 408
pid: 992
Process: c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7.exe
procid_target: 68
Drops file in Program Files directory 49 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7.exe

Interacts with shadow copies 2 TTPs 13 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid   Process
3996  vssadmin.exe
796   vssadmin.exe
364   vssadmin.exe
3232  vssadmin.exe
3996  vssadmin.exe
364   vssadmin.exe
3036  vssadmin.exe
508   vssadmin.exe
688   vssadmin.exe
3972  vssadmin.exe
996   vssadmin.exe
3748  vssadmin.exe
2524  vssadmin.exe

Modifies registry class 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance  Process not Found
Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance  Process not Found
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
3020 Process not Found
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process
408 c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process
Token: SeBackupPrivilege 4008 vssvc.exe
Token: SeRestorePrivilege 4008 vssvc.exe
Token: SeAuditPrivilege 4008 vssvc.exe
Token: SeShutdownPrivilege 3020 Process not Found
Token: SeCreatePagefilePrivilege 3020 Process not Found
(the SeShutdownPrivilege / SeCreatePagefilePrivilege pair for PID 3020 repeats 8 times at this point, 16 rows)
Token: SeIncreaseQuotaPrivilege 472 wmic.exe
Token: SeSecurityPrivilege 472 wmic.exe
Token: SeTakeOwnershipPrivilege 472 wmic.exe
Token: SeLoadDriverPrivilege 472 wmic.exe
Token: SeSystemProfilePrivilege 472 wmic.exe
Token: SeSystemtimePrivilege 472 wmic.exe
Token: SeProfSingleProcessPrivilege 472 wmic.exe
Token: SeIncBasePriorityPrivilege 472 wmic.exe
Token: SeCreatePagefilePrivilege 472 wmic.exe
Token: SeBackupPrivilege 472 wmic.exe
Token: SeRestorePrivilege 472 wmic.exe
Token: SeShutdownPrivilege 472 wmic.exe
Token: SeDebugPrivilege 472 wmic.exe
Token: SeSystemEnvironmentPrivilege 472 wmic.exe
Token: SeRemoteShutdownPrivilege 472 wmic.exe
Token: SeUndockPrivilege 472 wmic.exe
Token: SeManageVolumePrivilege 472 wmic.exe
Token: 33 472 wmic.exe
Token: 34 472 wmic.exe
Token: 35 472 wmic.exe
Token: 36 472 wmic.exe
Token: SeShutdownPrivilege 3020 Process not Found
Token: SeCreatePagefilePrivilege 3020 Process not Found
(the pair for PID 3020 repeats 3 times at this point, 6 rows; 46 rows in total)
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process
3020 Process not Found (7 identical rows)
Suspicious use of SendNotifyMessage 1 IoCs
pid Process
3020 Process not Found
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target
PID 992 wrote to memory of 408 992 c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7.exe 68 (6 rows)
PID 3020 wrote to memory of 1208 3020 Process not Found 69 (2 rows)
PID 1208 wrote to memory of 3036 1208 D0A9.exe 72 (2 rows)
PID 3020 wrote to memory of 4016 3020 Process not Found 75 (3 rows)
PID 1208 wrote to memory of 3996 1208 D0A9.exe 78 (2 rows)
PID 1208 wrote to memory of 796 1208 D0A9.exe 80 (2 rows)
PID 1208 wrote to memory of 508 1208 D0A9.exe 82 (2 rows)
PID 1208 wrote to memory of 364 1208 D0A9.exe 84 (2 rows)
PID 1208 wrote to memory of 3232 1208 D0A9.exe 86 (2 rows)
PID 1208 wrote to memory of 688 1208 D0A9.exe 88 (2 rows)
PID 1208 wrote to memory of 3972 1208 D0A9.exe 90 (2 rows)
PID 1208 wrote to memory of 996 1208 D0A9.exe 92 (2 rows)
PID 1208 wrote to memory of 3996 1208 D0A9.exe 94 (2 rows)
PID 1208 wrote to memory of 3748 1208 D0A9.exe 96 (2 rows)
PID 1208 wrote to memory of 2524 1208 D0A9.exe 98 (2 rows)
PID 1208 wrote to memory of 364 1208 D0A9.exe 101 (2 rows)
PID 1208 wrote to memory of 688 1208 D0A9.exe 103 (2 rows)
PID 1208 wrote to memory of 264 1208 D0A9.exe 105 (2 rows)
PID 1208 wrote to memory of 1300 1208 D0A9.exe 107 (2 rows)
PID 1208 wrote to memory of 636 1208 D0A9.exe 109 (2 rows)
PID 1208 wrote to memory of 472 1208 D0A9.exe 111 (2 rows)
PID 1208 wrote to memory of 3972 1208 D0A9.exe 114 (2 rows)
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" D0A9.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7.exe (PID 992)
  command line: "C:\Users\Admin\AppData\Local\Temp\c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7.exe (PID 408)
    command line: "C:\Users\Admin\AppData\Local\Temp\c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\D0A9.exe (PID 1208)
  command line: C:\Users\Admin\AppData\Local\Temp\D0A9.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 3036)
    command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 3996)
    command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 796)
    command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 508)
    command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 364)
    command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 3232)
    command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 688)
    command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 3972)
    command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 996)
    command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 3996)
    command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 3748)
    command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 2524)
    command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 364)
    command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SYSTEM32\bcdedit.exe (PID 688)
    command line: bcdedit.exe /set {default} recoveryenabled No
    - Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\bcdedit.exe (PID 264)
    command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\wbadmin.exe (PID 1300)
    command line: wbadmin DELETE SYSTEMSTATEBACKUP
    - Deletes System State backups
    - Drops file in Windows directory
  - C:\Windows\SYSTEM32\wbadmin.exe (PID 636)
    command line: wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
    - Deletes System State backups
    - Drops file in Windows directory
  - C:\Windows\System32\Wbem\wmic.exe (PID 472)
    command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 3972)
    command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\D0A9.exe >> NUL
- C:\Windows\system32\vssvc.exe (PID 4008)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\DDF8.exe (PID 4016)
  command line: C:\Users\Admin\AppData\Local\Temp\DDF8.exe
  - Executes dropped EXE
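The process tree above is the part of this report a detection engineer would turn into a rule: one parent (PID 1208) drives vssadmin Resize ShadowStorage and Delete Shadows, two bcdedit recovery changes, wbadmin DELETE SYSTEMSTATEBACKUP, a wmic SHADOWCOPY call and finally a cmd /c del of its own image, while PID 992 spawns a child of its own image after SetThreadContext and WriteProcessMemory. The script below is an added example, not part of the sandbox report or of any vendor's tooling. It re-enters the tree as a hand-constructed list of process-creation records (pid, parent pid, image, command line, plus the API flags the report attributes to each process; only the c: vssadmin rows are included), matches command lines against regexes for the recovery-inhibition commands, and attributes hits to the launching parent. The ATT&CK IDs (T1490 Inhibit System Recovery, T1070.004 File Deletion, T1055.012 Process Hollowing), the record schema and the threshold of three distinct behaviours per parent are the example's own assumptions; the threshold exists because a single vssadmin Resize ShadowStorage is also routine administration.

```python
"""Triage helper: rule-based scoring of process-creation records.

Added example, not part of the sandbox report. EVENTS is constructed by hand
from the process tree above; PID 3020 appears only as the unresolved parent
the report labels "Process not Found".
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    apis: frozenset = field(default_factory=frozenset)  # API-level flags seen on this process


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c72719f7a27e043e16f452ce87ea8bf0f89fcca520721aa59820f7b1efdc01b7.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\D0A9.exe"
VSS = r"C:\Windows\SYSTEM32\vssadmin.exe"
BCD = r"C:\Windows\SYSTEM32\bcdedit.exe"
WB = r"C:\Windows\SYSTEM32\wbadmin.exe"

# Constructed input: one record per process of the tree above (c: vssadmin rows only).
EVENTS = [
    ProcEvent(992, 0, SAMPLE, f'"{SAMPLE}"', frozenset({"SetThreadContext", "WriteProcessMemory"})),
    ProcEvent(408, 992, SAMPLE, f'"{SAMPLE}"', frozenset({"MapViewOfSection"})),
    ProcEvent(1208, 3020, DROPPER, DROPPER, frozenset({"WriteProcessMemory"})),
    ProcEvent(3036, 1208, VSS, "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB"),
    ProcEvent(3996, 1208, VSS, "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded"),
    ProcEvent(364, 1208, VSS, "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(688, 1208, BCD, "bcdedit.exe /set {default} recoveryenabled No"),
    ProcEvent(264, 1208, BCD, "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(1300, 1208, WB, "wbadmin DELETE SYSTEMSTATEBACKUP"),
    ProcEvent(636, 1208, WB, "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"),
    ProcEvent(472, 1208, r"C:\Windows\System32\Wbem\wmic.exe", "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(3972, 1208, r"C:\Windows\system32\cmd.exe",
              f'"C:\\Windows\\system32\\cmd.exe" /c del {DROPPER} >> NUL'),
    ProcEvent(4016, 3020, r"C:\Users\Admin\AppData\Local\Temp\DDF8.exe", r"C:\Users\Admin\AppData\Local\Temp\DDF8.exe"),
]

# (ATT&CK technique, label, pattern over the command line); T1490 = Inhibit System Recovery.
RULES = [
    ("T1490", "vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "vssadmin resize shadowstorage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("T1490", "wmic shadowcopy", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b", re.I)),
    ("T1490", "bcdedit recoveryenabled no", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "bcdedit bootstatuspolicy ignoreallfailures", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490", "wbadmin delete backup", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(systemstatebackup|catalog|backup)\b", re.I)),
]
SELF_DELETE = re.compile(r'\bcmd(\.exe)?"?\s+/c\s+del\s+(?P<target>\S+)', re.I)
HOLLOW_APIS = {"SetThreadContext", "WriteProcessMemory"}


def classify(cmdline):
    """First matching (technique, label) for a command line, or None."""
    for tid, label, pat in RULES:
        if pat.search(cmdline):
            return tid, label
    return None


def analyze(events):
    """Attribute findings to the parent that launched the tooling: {ppid: [(technique, label, child pid)]}."""
    by_pid = {e.pid: e for e in events}
    findings = defaultdict(list)
    for e in events:
        parent = by_pid.get(e.ppid)
        hit = classify(e.cmdline)
        if hit:
            findings[e.ppid].append((hit[0], hit[1], e.pid))
        m = SELF_DELETE.search(e.cmdline)
        if m and parent and m.group("target").lower() == parent.image.lower():
            findings[e.ppid].append(("T1070.004", "parent deletes its own image via cmd /c del", e.pid))
        # Parent spawns a child of its own image after writing into it and setting its
        # thread context: the hollowing shape (T1055.012) the report records for 992 -> 408.
        if parent and parent.image.lower() == e.image.lower() and HOLLOW_APIS <= parent.apis:
            findings[e.ppid].append(("T1055.012", "same-image child written to and thread context set", e.pid))
    return dict(findings)


def verdict(findings, pid, threshold=3):
    """Admins resize shadow storage too; require >= threshold distinct T1490 behaviours from one parent."""
    labels = sorted({label for tid, label, _ in findings.get(pid, []) if tid == "T1490"})
    return len(labels) >= threshold, labels


if __name__ == "__main__":
    result = analyze(EVENTS)
    for ppid, rows in sorted(result.items()):
        flagged, labels = verdict(result, ppid)
        print(f"parent {ppid}: recovery_inhibition={flagged} {labels}")
        for tid, label, child in rows:
            print(f"  {tid:<9} pid {child:<5} {label}")
```

Run as a script it prints one block per parent; PID 1208 collects all six T1490 labels plus the self-delete, and PID 992 gets only the hollowing finding. Feeding real Sysmon event 1 or Security 4688 records into the same ProcEvent shape is the only change needed to use it outside this report, and the threshold should be tuned against a baseline of legitimate backup-management activity on the estate.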