medusalocker | f2a155473c06ecad973676f1e2a8d228ab4a8adf32a87477c716f31fddf6cbaf

pid	Process
1348	bcdedit.exe
1592	bcdedit.exe

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

pid	Process
1828	wbadmin.exe
1244	wbadmin.exe

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\networks	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.udacha	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.udacha	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.udacha	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	B06.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.udacha	B06.exe

Modifies extensions of user files 37 IoCs

Ransomware generally changes the extension on encrypted files.

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ExportBlock.png => C:\Users\Admin\Pictures\ExportBlock.png.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\ShowOpen.png.inprocess => C:\Users\Admin\Pictures\ShowOpen.png.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\ExportBlock.png.inprocess => C:\Users\Admin\Pictures\ExportBlock.png.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\RestartSave.tiff.inprocess => C:\Users\Admin\Pictures\RestartSave.tiff.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\StartLock.png => C:\Users\Admin\Pictures\StartLock.png.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\UndoOpen.png => C:\Users\Admin\Pictures\UndoOpen.png.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\UndoOpen.png.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\UnlockBlock.raw => C:\Users\Admin\Pictures\UnlockBlock.raw.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\ShowOpen.png.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\StartLock.png.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\UndoOpen.png.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\JoinOut.tif.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\RestartSave.tiff => C:\Users\Admin\Pictures\RestartSave.tiff.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\StartLock.png.inprocess => C:\Users\Admin\Pictures\StartLock.png.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\UndoOpen.png.inprocess => C:\Users\Admin\Pictures\UndoOpen.png.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockBlock.raw.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\ExitSplit.raw.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\ExitSplit.raw.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\RestartSave.tiff.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\RestartSave.tiff.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\ExportBlock.png.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\JoinOut.tif => C:\Users\Admin\Pictures\JoinOut.tif.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\JoinOut.tif.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\JoinOut.tif.inprocess => C:\Users\Admin\Pictures\JoinOut.tif.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\PopMerge.png.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\PopMerge.png.inprocess => C:\Users\Admin\Pictures\PopMerge.png.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\PopMerge.png.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\ShowOpen.png.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\ExitSplit.raw => C:\Users\Admin\Pictures\ExitSplit.raw.inprocess	B06.exe
File opened for modification	C:\Users\Admin\Pictures\ExportBlock.png.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\PopMerge.png => C:\Users\Admin\Pictures\PopMerge.png.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\ShowOpen.png => C:\Users\Admin\Pictures\ShowOpen.png.inprocess	B06.exe
File renamed	C:\Users\Admin\Pictures\UnlockBlock.raw.inprocess => C:\Users\Admin\Pictures\UnlockBlock.raw.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockBlock.raw.udacha	B06.exe
File renamed	C:\Users\Admin\Pictures\ExitSplit.raw.inprocess => C:\Users\Admin\Pictures\ExitSplit.raw.udacha	B06.exe
File opened for modification	C:\Users\Admin\Pictures\RestartSave.tiff	B06.exe
File opened for modification	C:\Users\Admin\Pictures\StartLock.png.inprocess	B06.exe

Deletes itself 1 IoCs

pid	Process
1244	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\B06.exe\" e"	B06.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run	B06.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-3456797065-1076791440-4146276586-1000\desktop.ini	B06.exe

Enumerates connected drives 3 TTPs 41 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	B06.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\A:	B06.exe
File opened (read-only)	\??\L:	B06.exe
File opened (read-only)	\??\M:	B06.exe
File opened (read-only)	\??\U:	B06.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\K:	B06.exe
File opened (read-only)	\??\Q:	B06.exe
File opened (read-only)	\??\V:	B06.exe
File opened (read-only)	\??\W:	B06.exe
File opened (read-only)	\??\G:	B06.exe
File opened (read-only)	\??\J:	B06.exe
File opened (read-only)	\??\P:	B06.exe
File opened (read-only)	\??\Y:	B06.exe
File opened (read-only)	\??\E:	B06.exe
File opened (read-only)	\??\F:	B06.exe
File opened (read-only)	\??\T:	B06.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	B06.exe
File opened (read-only)	\??\N:	B06.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\O:	B06.exe
File opened (read-only)	\??\R:	B06.exe
File opened (read-only)	\??\S:	B06.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	B06.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\B:	B06.exe
File opened (read-only)	\??\I:	B06.exe
File opened (read-only)	\??\Z:	B06.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	B06.exe
File opened for modification	C:\Windows\System32\config\SOFTWARE	B06.exe
File opened for modification	C:\Windows\System32\config\RegBack\SYSTEM	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d	B06.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor	B06.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.udacha	B06.exe
File opened for modification	C:\Windows\System32\config\RegBack\DEFAULT	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c	B06.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.udacha	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.udacha	B06.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7	B06.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.inprocess	B06.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.udacha	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\a18fb1e2-27ff-4f92-867e-e632da9f3bd1.udacha	B06.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.udacha	B06.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\RegBack\SAM	B06.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	B06.exe
File opened for modification	C:\Windows\System32\config\SAM	B06.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb.udacha	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred.inprocess	B06.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor.inprocess	B06.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	B06.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.udacha	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.udacha	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\adb8f35b-8802-47f1-9a3c-af076fedb5fa	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.udacha	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.udacha	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\22d1c628-3b2c-4036-bc01-a62eb3e4f9fd.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	B06.exe
File opened for modification	C:\Windows\System32\config\RegBack\SECURITY	B06.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.udacha	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\1e582198-061f-43f1-abdf-d4e9b606b035.inprocess	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\adb8f35b-8802-47f1-9a3c-af076fedb5fa.udacha	B06.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9.udacha	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	B06.exe
File opened for modification	C:\Windows\System32\config\BCD-Template.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\SECURITY	B06.exe
File opened for modification	C:\Windows\System32\config\SYSTEM	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\a18fb1e2-27ff-4f92-867e-e632da9f3bd1	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\Preferred.udacha	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\f22e410f-f947-4e08-8f2a-8f65df603f8d.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015.inprocess	B06.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9.inprocess	B06.exe
File opened for modification	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	B06.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	B06.exe
File opened for modification	C:\Windows\System32\LogFiles\Scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.inprocess	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\22d1c628-3b2c-4036-bc01-a62eb3e4f9fd	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\22d1c628-3b2c-4036-bc01-a62eb3e4f9fd.udacha	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\adb8f35b-8802-47f1-9a3c-af076fedb5fa.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\COMPONENTS.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\DEFAULT	B06.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.inprocess	B06.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	B06.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.inprocess	B06.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	B06.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Montevideo.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\tzmappings.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Inuvik.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cayman	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Halifax.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tirane	B06.exe
File opened for modification	C:\Program Files\Java\jre7\LICENSE.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EST5EDT.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dili.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Kerguelen.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Zurich	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Araguaina	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Currie	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Porto_Velho	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tallinn	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Rio_Branco	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cayenne	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Chagos	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\New_York	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Antigua	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\cacerts.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Moncton	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Sydney.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Panama.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Manila.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UCT.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Beirut.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Magadan	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Efate	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center.inprocess	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Broken_Hill.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Manila.udacha	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\HST10	B06.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Nauru.inprocess	B06.exe

Drops file in Windows directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb2	B06.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.inprocess	B06.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Panther\setupinfo	B06.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_0	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_2	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_3	B06.exe
File opened for modification	C:\Windows\Boot\PCAT\bootmgr	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb0	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th1	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\dewindow	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th1	B06.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state	B06.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.udacha	B06.exe
File opened for modification	C:\Windows\Panther\setupinfo.udacha	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb1	B06.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1cb0	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb1	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_0	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_1	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\alloc_2	B06.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\state.udacha	B06.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	B06.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Panther\setupinfo.inprocess	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th2	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2cb2	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th0	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\2th2	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\enwindow	B06.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.udacha	B06.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\1th0	B06.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\absthr_1	B06.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	B06.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357.inprocess	B06.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

File Deletion

T1107

Inhibit System Recovery

pid	Process
976	vssadmin.exe
1540	vssadmin.exe
1716	vssadmin.exe
1632	vssadmin.exe
1888	vssadmin.exe
1116	vssadmin.exe
1532	vssadmin.exe
1820	vssadmin.exe
772	vssadmin.exe
1644	vssadmin.exe
1664	vssadmin.exe
1556	vssadmin.exe
236	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000822253614caeec4e88425137194fa7ab0000000002000000000010660000000100002000000074544fdfd030a326619cbae550f7cf28e6adb1e20d3b81b7737a2481ff17c8dc000000000e8000000002000020000000d48ce8d62b33b50ef8c75b708e6b753c2b4e524af066e154865360013398fb0990000000c9b713b279d234e7ba402e93c172d41c64603bd6c54ddbd3e51ac632dd9239269cbdd27c2c311d3f2bee8c5ef42ae12a0bac1bcb118e31da598250652b9e826c8fcd4c861434f2d81a95820148e8d7f37ede49bc0186dd3586913cd095b844528b9f89453594901b2b047d654564ff17b222376ce3495ddb21608fca74686a4e4d0b75fb2a2bd6ef72a11fcfd2a5380f4000000050cec96af73782ea724797b762a3f4fe5884825363cb5e2ed9c67c378d99e64b659175548720edc91d644b1e6ddcf86b45597a111c3c7611b38778ad99182f23	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5A5234F1-2502-11EC-826A-5A38D35B81CE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000822253614caeec4e88425137194fa7ab0000000002000000000010660000000100002000000056279a8e2b91acccb12bbfb89c2c1485337c7c5f024a92b318908828f718c84a000000000e800000000200002000000053d477213be839f1e35c2d7b493a85ba8f8601ab8a61b06c5a9411abe3a3c39f20000000555cfc87c16eb12b6b5898499382d1480a1b3ea10914dd324143ea2f1cb4f699400000003995c94839f760b2975e5132fac52b2ebe8941a59a2a4852db506bf199da695843c90d02f9e07c8a5e998ad51ff8efc4f4929999c4c7ca2b37aa7f7d465b39ad	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d045e8320fb9d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6BD210B1-2502-11EC-826A-5A38D35B81CE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
1372	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe
1272	B06.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeBackupPrivilege	548	vssvc.exe
Token: SeRestorePrivilege	548	vssvc.exe
Token: SeAuditPrivilege	548	vssvc.exe
Token: SeIncreaseQuotaPrivilege	632	wmic.exe
Token: SeSecurityPrivilege	632	wmic.exe
Token: SeTakeOwnershipPrivilege	632	wmic.exe
Token: SeLoadDriverPrivilege	632	wmic.exe
Token: SeSystemProfilePrivilege	632	wmic.exe
Token: SeSystemtimePrivilege	632	wmic.exe
Token: SeProfSingleProcessPrivilege	632	wmic.exe
Token: SeIncBasePriorityPrivilege	632	wmic.exe
Token: SeCreatePagefilePrivilege	632	wmic.exe
Token: SeBackupPrivilege	632	wmic.exe
Token: SeRestorePrivilege	632	wmic.exe
Token: SeShutdownPrivilege	632	wmic.exe
Token: SeDebugPrivilege	632	wmic.exe
Token: SeSystemEnvironmentPrivilege	632	wmic.exe
Token: SeRemoteShutdownPrivilege	632	wmic.exe
Token: SeUndockPrivilege	632	wmic.exe
Token: SeManageVolumePrivilege	632	wmic.exe
Token: 33	632	wmic.exe
Token: 34	632	wmic.exe
Token: 35	632	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1608	iexplore.exe
1840	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1608	iexplore.exe
1608	iexplore.exe
220	IEXPLORE.EXE
220	IEXPLORE.EXE
220	IEXPLORE.EXE
220	IEXPLORE.EXE
1840	iexplore.exe
1840	iexplore.exe
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 976	1272	B06.exe	27
PID 1272 wrote to memory of 976	1272	B06.exe	27
PID 1272 wrote to memory of 976	1272	B06.exe	27
PID 1272 wrote to memory of 1540	1272	B06.exe	32
PID 1272 wrote to memory of 1540	1272	B06.exe	32
PID 1272 wrote to memory of 1540	1272	B06.exe	32
PID 1272 wrote to memory of 1820	1272	B06.exe	34
PID 1272 wrote to memory of 1820	1272	B06.exe	34
PID 1272 wrote to memory of 1820	1272	B06.exe	34
PID 1272 wrote to memory of 772	1272	B06.exe	36
PID 1272 wrote to memory of 772	1272	B06.exe	36
PID 1272 wrote to memory of 772	1272	B06.exe	36
PID 1272 wrote to memory of 1644	1272	B06.exe	38
PID 1272 wrote to memory of 1644	1272	B06.exe	38
PID 1272 wrote to memory of 1644	1272	B06.exe	38
PID 1272 wrote to memory of 1664	1272	B06.exe	40
PID 1272 wrote to memory of 1664	1272	B06.exe	40
PID 1272 wrote to memory of 1664	1272	B06.exe	40
PID 1272 wrote to memory of 1556	1272	B06.exe	42
PID 1272 wrote to memory of 1556	1272	B06.exe	42
PID 1272 wrote to memory of 1556	1272	B06.exe	42
PID 1272 wrote to memory of 1888	1272	B06.exe	44
PID 1272 wrote to memory of 1888	1272	B06.exe	44
PID 1272 wrote to memory of 1888	1272	B06.exe	44
PID 1272 wrote to memory of 1716	1272	B06.exe	46
PID 1272 wrote to memory of 1716	1272	B06.exe	46
PID 1272 wrote to memory of 1716	1272	B06.exe	46
PID 1272 wrote to memory of 1632	1272	B06.exe	48
PID 1272 wrote to memory of 1632	1272	B06.exe	48
PID 1272 wrote to memory of 1632	1272	B06.exe	48
PID 1272 wrote to memory of 1116	1272	B06.exe	50
PID 1272 wrote to memory of 1116	1272	B06.exe	50
PID 1272 wrote to memory of 1116	1272	B06.exe	50
PID 1272 wrote to memory of 1532	1272	B06.exe	52
PID 1272 wrote to memory of 1532	1272	B06.exe	52
PID 1272 wrote to memory of 1532	1272	B06.exe	52
PID 1272 wrote to memory of 236	1272	B06.exe	54
PID 1272 wrote to memory of 236	1272	B06.exe	54
PID 1272 wrote to memory of 236	1272	B06.exe	54
PID 1272 wrote to memory of 1348	1272	B06.exe	56
PID 1272 wrote to memory of 1348	1272	B06.exe	56
PID 1272 wrote to memory of 1348	1272	B06.exe	56
PID 1272 wrote to memory of 1592	1272	B06.exe	58
PID 1272 wrote to memory of 1592	1272	B06.exe	58
PID 1272 wrote to memory of 1592	1272	B06.exe	58
PID 1272 wrote to memory of 1828	1272	B06.exe	60
PID 1272 wrote to memory of 1828	1272	B06.exe	60
PID 1272 wrote to memory of 1828	1272	B06.exe	60
PID 1272 wrote to memory of 1244	1272	B06.exe	62
PID 1272 wrote to memory of 1244	1272	B06.exe	62
PID 1272 wrote to memory of 1244	1272	B06.exe	62
PID 1272 wrote to memory of 632	1272	B06.exe	64
PID 1272 wrote to memory of 632	1272	B06.exe	64
PID 1272 wrote to memory of 632	1272	B06.exe	64
PID 1608 wrote to memory of 220	1608	iexplore.exe	69
PID 1608 wrote to memory of 220	1608	iexplore.exe	69
PID 1608 wrote to memory of 220	1608	iexplore.exe	69
PID 1608 wrote to memory of 220	1608	iexplore.exe	69
PID 1272 wrote to memory of 1244	1272	B06.exe	70
PID 1272 wrote to memory of 1244	1272	B06.exe	70
PID 1272 wrote to memory of 1244	1272	B06.exe	70
PID 1840 wrote to memory of 1604	1840	iexplore.exe	74
PID 1840 wrote to memory of 1604	1840	iexplore.exe	74
PID 1840 wrote to memory of 1604	1840	iexplore.exe	74

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	B06.exe

C:\Users\Admin\AppData\Local\Temp\B06.exe
"C:\Users\Admin\AppData\Local\Temp\B06.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1272
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:976
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1540
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1820
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:772
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1644
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1664
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1556
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1888
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1716
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1632
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1116
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1532
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:236
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1348
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1592
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:1828
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:1244
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B06.exe >> NUL
  2⤵
  - Deletes itself
  PID:1244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ReadMe_Instruction.mht
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:220

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ReadMe_Instruction.mht
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1840 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1604

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UseMount.mpeg.udacha
1⤵
- Modifies registry class
PID:436
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UseMount.mpeg.udacha
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1372

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Music\HideTest.bmp.udacha
1⤵
- Modifies registry class
PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery