Analysis
- max time kernel: 149s
- max time network: 63s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 04-10-2021 11:00
Static task: static1
Behavioral task: behavioral1 (Sample: B06.exe, Resource: win7-en-20210920)
Behavioral task: behavioral2 (Sample: B06.exe, Resource: win10v20210408)
General
- Target: B06.exe
- Size: 4.5MB
- MD5: 49fb0e5a3415155c24d6839250cd7fed
- SHA1: 69fa4c797df21b98740368c268cfd1919bf4a6e0
- SHA256: f2a155473c06ecad973676f1e2a8d228ab4a8adf32a87477c716f31fddf6cbaf
- SHA512: 4bcf713b36e0c0bd1e12018cc835a988dbbb2d54556531ebddf97435fd430dab0393fe55e16de5b0c894a49fbea7829f2e6cba5214230f4ee70978a6a87ce397
Malware Config
Signatures
- MedusaLocker
  Ransomware with several variants first seen in September 2019.
- MedusaLocker Payload (1 IoC)
  Processes:
  - resource: behavioral1/memory/1272-53-0x000000013FE00000-0x0000000140678000-memory.dmp; yara_rule: family_medusalocker
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 1348), bcdedit.exe (PID 1592)
  Processes: wbadmin.exe (PID 1828), wbadmin.exe (PID 1244)
- Drops file in Drivers directory (12 IoCs)
  Processes: B06.exe
  - File opened for modification: C:\Windows\System32\drivers\etc\networks (B06.exe)
  - File opened for modification: C:\Windows\System32\drivers\etc\protocol (B06.exe)
  - File opened for modification: C:\Windows\System32\drivers\etc\protocol.inprocess (B06.exe)
  - File opened for modification: C:\Windows\System32\drivers\etc\protocol.udacha (B06.exe)
  - File opened for modification: C:\Windows\System32\drivers\etc\services (B06.exe)
  - File opened for modification: C:\Windows\System32\drivers\etc\hosts (B06.exe)
  - File opened for modification: C:\Windows\System32\drivers\etc\hosts.inprocess (B06.exe)
  - File opened for modification: C:\Windows\System32\drivers\etc\hosts.udacha (B06.exe)
  - File opened for modification: C:\Windows\System32\drivers\etc\services.inprocess (B06.exe)
  - File opened for modification: C:\Windows\System32\drivers\etc\services.udacha (B06.exe)
  - File opened for modification: C:\Windows\System32\drivers\etc\networks.inprocess (B06.exe)
  - File opened for modification: C:\Windows\System32\drivers\etc\networks.udacha (B06.exe)
- Modifies extensions of user files (37 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: B06.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1244)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: B06.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\B06.exe\" e" (B06.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run (B06.exe)
- Drops desktop.ini file(s) (1 IoC)
  Processes: B06.exe
  - File opened for modification: \??\E:\$RECYCLE.BIN\S-1-5-21-3456797065-1076791440-4146276586-1000\desktop.ini (B06.exe)
- Enumerates connected drives (3 TTPs, 41 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: B06.exe, vssadmin.exe
- Drops file in System32 directory (64 IoCs)
  Processes: B06.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: B06.exe
- Drops file in Windows directory (42 IoCs)
  Processes: wbadmin.exe, B06.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 13 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PIDs 976, 1540, 1716, 1632, 1888, 1116, 1532, 1820, 772, 1644, 1664, 1556, 236)
  Processes: iexplore.exe, IEXPLORE.EXE
\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE -
Modifies registry class 2 IoCs
Processes:
rundll32.exe rundll32.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings rundll32.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXE
pid process
1372 NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
B06.exe
pid process
1272 B06.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
vssvc.exe wmic.exe
description pid process
Token: SeBackupPrivilege 548 vssvc.exe
Token: SeRestorePrivilege 548 vssvc.exe
Token: SeAuditPrivilege 548 vssvc.exe
Token: SeIncreaseQuotaPrivilege 632 wmic.exe
Token: SeSecurityPrivilege 632 wmic.exe
Token: SeTakeOwnershipPrivilege 632 wmic.exe
Token: SeLoadDriverPrivilege 632 wmic.exe
Token: SeSystemProfilePrivilege 632 wmic.exe
Token: SeSystemtimePrivilege 632 wmic.exe
Token: SeProfSingleProcessPrivilege 632 wmic.exe
Token: SeIncBasePriorityPrivilege 632 wmic.exe
Token: SeCreatePagefilePrivilege 632 wmic.exe
Token: SeBackupPrivilege 632 wmic.exe
Token: SeRestorePrivilege 632 wmic.exe
Token: SeShutdownPrivilege 632 wmic.exe
Token: SeDebugPrivilege 632 wmic.exe
Token: SeSystemEnvironmentPrivilege 632 wmic.exe
Token: SeRemoteShutdownPrivilege 632 wmic.exe
Token: SeUndockPrivilege 632 wmic.exe
Token: SeManageVolumePrivilege 632 wmic.exe
Token: 33 632 wmic.exe
Token: 34 632 wmic.exe
Token: 35 632 wmic.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
iexplore.exe iexplore.exe
pid process
1608 iexplore.exe
1840 iexplore.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
iexplore.exe IEXPLORE.EXE iexplore.exe IEXPLORE.EXE
pid process
1608 iexplore.exe (2 entries)
220 IEXPLORE.EXE (4 entries)
1840 iexplore.exe (2 entries)
1604 IEXPLORE.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
B06.exe iexplore.exe iexplore.exe
description pid process target process
PID 1272 wrote to memory of 976 1272 B06.exe vssadmin.exe (3 entries)
PID 1272 wrote to memory of 1540 1272 B06.exe vssadmin.exe (3 entries)
PID 1272 wrote to memory of 1820 1272 B06.exe vssadmin.exe (3 entries)
PID 1272 wrote to memory of 772 1272 B06.exe vssadmin.exe (3 entries)
PID 1272 wrote to memory of 1644 1272 B06.exe vssadmin.exe (3 entries)
PID 1272 wrote to memory of 1664 1272 B06.exe vssadmin.exe (3 entries)
PID 1272 wrote to memory of 1556 1272 B06.exe vssadmin.exe (3 entries)
PID 1272 wrote to memory of 1888 1272 B06.exe vssadmin.exe (3 entries)
PID 1272 wrote to memory of 1716 1272 B06.exe vssadmin.exe (3 entries)
PID 1272 wrote to memory of 1632 1272 B06.exe vssadmin.exe (3 entries)
PID 1272 wrote to memory of 1116 1272 B06.exe vssadmin.exe (3 entries)
PID 1272 wrote to memory of 1532 1272 B06.exe vssadmin.exe (3 entries)
PID 1272 wrote to memory of 236 1272 B06.exe vssadmin.exe (3 entries)
PID 1272 wrote to memory of 1348 1272 B06.exe bcdedit.exe (3 entries)
PID 1272 wrote to memory of 1592 1272 B06.exe bcdedit.exe (3 entries)
PID 1272 wrote to memory of 1828 1272 B06.exe wbadmin.exe (3 entries)
PID 1272 wrote to memory of 1244 1272 B06.exe wbadmin.exe (3 entries)
PID 1272 wrote to memory of 632 1272 B06.exe wmic.exe (3 entries)
PID 1608 wrote to memory of 220 1608 iexplore.exe IEXPLORE.EXE (4 entries)
PID 1272 wrote to memory of 1244 1272 B06.exe cmd.exe (3 entries)
PID 1840 wrote to memory of 1604 1840 iexplore.exe IEXPLORE.EXE (3 entries)
-
System policy modification 1 TTPs 1 IoCs
Processes:
B06.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" B06.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\B06.exe
  "C:\Users\Admin\AppData\Local\Temp\B06.exe"
  - Drops file in Drivers directory
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  -
  C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
    - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
    - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
    vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  -
  C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} recoveryenabled No
    - Modifies boot configuration data using bcdedit
  -
  C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit
  -
  C:\Windows\system32\wbadmin.exe
    wbadmin DELETE SYSTEMSTATEBACKUP
    - Deletes System State backups
    - Drops file in Windows directory
  -
  C:\Windows\system32\wbadmin.exe
    wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
    - Deletes System State backups
    - Drops file in Windows directory
  -
  C:\Windows\System32\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B06.exe >> NUL
    - Deletes itself
-
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ReadMe_Instruction.mht
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ReadMe_Instruction.mht
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1840 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UseMount.mpeg.udacha
  - Modifies registry class
  -
  C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UseMount.mpeg.udacha
    - Opens file in notepad (likely ransom note)
-
C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Music\HideTest.bmp.udacha
  - Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5A5234F1-2502-11EC-826A-5A38D35B81CE}.dat
MD5 6ab9527553980003b077e5de90836b95
SHA1 cf0038e0bee18fbc1951e4c583d611c01ad72024
SHA256 45260f947ac3d6b2071264e0a78913f7f7205d8c00f1b7b8bd386c590e9d203c
SHA512 c8f95cd9b27d29ce44a673ec8ee66ef2107088b1346cb4213539f1418c267fa0b056720f2e28e239fe75fdd562e959cb471821953db6a11d7c5c5a0d8af62455
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{69D70280-1A16-11EC-9C67-C222D480BBA6}.dat
MD5 70c1baae4b60c0b4f93be993dd319c3c
SHA1 f8eea14d9fb3d33ff7d973d4de54a782ebb41d14
SHA256 f1ee70b65c0d4ddeba97363f042436ab016070f649945d1fbf06bb1187424d98
SHA512 d3e8b1c5ab578a22b26a17e9faccc2a65c93deece090880f3ccb1658c031b807f3e31d50295537499e7352a7d023a99aef454ad958667bf8a88e375a656917c7
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{61EFBB11-2502-11EC-826A-5A38D35B81CE}.dat
MD5 41334ba84202a3ec6f94df41dc687fd2
SHA1 447ef04ab707f17e0cdff9b06a9c58cc4ea1c64e
SHA256 b94612d984bb2a5a36eb6e0a1905b78ff8a6517f0d1d850d12800b3c5218228d
SHA512 333c9a27381aa4227a95d916963e32923b763ee1ba2824bf7a5cb637dd3a28afac665f6888a61817ae8d74215992d18b838093a7c80cc97b2876d8b98a8493d2
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wkz58mr\imagestore.dat
MD5 fda3094d71751a2b5a95277c398c934c
SHA1 11411a51cf7a88a280c4bbf6f57409a5c34b562d
SHA256 823bd3b3c732fb00af405eb50231d3e26e0024cebb7dbc0d4732d8f74625a6e0
SHA512 a7cd53baffb78efa1a86d35fa9b292ed7e75cdef23d6ac84634055657311fc5c96054a9199076567281ccd36fc8374224cefc9316fea35c3aa6153b78e9e31c3
-
C:\Users\Admin\Desktop\ReadMe_Instruction.mht
MD5 f6d3a1509576138c7083e35bedd31032
SHA1 0bfa0ea13c73a5f1aacf722c7de3ca21352ce2ce
SHA256 1ec791f31fe01e688ba0e3f4d0ddc0eeed5d90fec9f3835732afce4c93b5e5f2
SHA512 5184bfda955c27d5a8e07fd6c4044219e52d6225afac291c63680d3a094af94878289ee2f19c52392dc0dccd72224525ed8fe99258695ec555d7e936d6dec307
-
C:\Users\Admin\Desktop\UseMount.mpeg.udacha
MD5 73120867ccc9985201253a7c453f1a04
SHA1 4f9f3a0da4497765164f7840f3030b76771d8169
SHA256 fa03ee78cc03a1b3151f4062b3c9405b5a3fafafcd807d2c2c0272dc49ff30c9
SHA512 9646b1b5f09ffe35efee964fbe44014d0f27e15a8d2760990fbc543ff007c69a385b56c1e966c007cddcf30a21fd32cfd7226130001b19d25f4b6633f2e0a68e
-
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/220-74-0x0000000000000000-mapping.dmp
-
memory/236-66-0x0000000000000000-mapping.dmp
-
memory/632-73-0x0000000000000000-mapping.dmp
-
memory/772-57-0x0000000000000000-mapping.dmp
-
memory/976-54-0x0000000000000000-mapping.dmp
-
memory/1116-64-0x0000000000000000-mapping.dmp
-
memory/1244-71-0x0000000000000000-mapping.dmp
-
memory/1244-76-0x0000000000000000-mapping.dmp
-
memory/1272-53-0x000000013FE00000-0x0000000140678000-memory.dmp
Filesize 8.5MB
-
memory/1348-67-0x0000000000000000-mapping.dmp
-
memory/1372-85-0x0000000000000000-mapping.dmp
-
memory/1532-65-0x0000000000000000-mapping.dmp
-
memory/1540-55-0x0000000000000000-mapping.dmp
-
memory/1556-60-0x0000000000000000-mapping.dmp
-
memory/1592-68-0x0000000000000000-mapping.dmp
-
memory/1604-78-0x0000000000000000-mapping.dmp
-
memory/1604-79-0x0000000075331000-0x0000000075333000-memory.dmp
Filesize 8KB
-
memory/1632-63-0x0000000000000000-mapping.dmp
-
memory/1644-58-0x0000000000000000-mapping.dmp
-
memory/1664-59-0x0000000000000000-mapping.dmp
-
memory/1716-62-0x0000000000000000-mapping.dmp
-
memory/1820-56-0x0000000000000000-mapping.dmp
-
memory/1828-69-0x0000000000000000-mapping.dmp
-
memory/1828-70-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
Filesize 8KB
-
memory/1888-61-0x0000000000000000-mapping.dmp
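The Downloads list above mixes three kinds of entry: files the sample wrote (ReadMe_Instruction.mht and the encrypted UseMount.mpeg.udacha), files Internet Explorer created when the sandbox opened the note (the RecoveryStore and imagestore entries), and a named pipe whose MD5, SHA1 and SHA256 are the digests of zero bytes (d41d8cd9..., da39a3ee..., e3b0c442...), meaning no content was captured. As an added example for this report, not part of the sandbox output, the following Python triages such a list so only attacker-controlled content reaches a blocklist. The entries are copied from the list above; the `.udacha` extension comes from this report, and the ransom-note filename heuristic and category names are this example's own assumptions.

```python
"""Separate shareable indicators from sandbox noise in a report's file list.

Added example for this sandbox report. Entries are (path, md5, sha256)
copied from the Downloads section; nothing here is fetched from the network.
"""
import hashlib
import re

# Digests of zero bytes: an entry carrying these captured no content at all.
EMPTY_DIGESTS = {
    hashlib.md5(b"").hexdigest(),
    hashlib.sha1(b"").hexdigest(),
    hashlib.sha256(b"").hexdigest(),
}

# Paths produced by the sandbox's own user simulation, not by the sample.
NOISE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\\Internet Explorer\\Recovery\\",    # IE session-recovery stores
    r"\\Internet Explorer\\imagestore\\",  # IE image cache
    r"^\\\?\?\\PIPE\\",                    # named pipes are not dropped files
)]

ENCRYPTED_EXT = ".udacha"  # extension this sample appends, per the report
# Assumed heuristic for ransom-note names; tune per family.
NOTE_NAME = re.compile(r"readme|recover|instruction|how.?to|decrypt", re.IGNORECASE)
NOTE_EXTS = (".mht", ".html", ".htm", ".txt", ".hta")

SAMPLE_DOWNLOADS = [
    (r"C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5A5234F1-2502-11EC-826A-5A38D35B81CE}.dat",
     "6ab9527553980003b077e5de90836b95", "45260f947ac3d6b2071264e0a78913f7f7205d8c00f1b7b8bd386c590e9d203c"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{69D70280-1A16-11EC-9C67-C222D480BBA6}.dat",
     "70c1baae4b60c0b4f93be993dd319c3c", "f1ee70b65c0d4ddeba97363f042436ab016070f649945d1fbf06bb1187424d98"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{61EFBB11-2502-11EC-826A-5A38D35B81CE}.dat",
     "41334ba84202a3ec6f94df41dc687fd2", "b94612d984bb2a5a36eb6e0a1905b78ff8a6517f0d1d850d12800b3c5218228d"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wkz58mr\imagestore.dat",
     "fda3094d71751a2b5a95277c398c934c", "823bd3b3c732fb00af405eb50231d3e26e0024cebb7dbc0d4732d8f74625a6e0"),
    (r"C:\Users\Admin\Desktop\ReadMe_Instruction.mht",
     "f6d3a1509576138c7083e35bedd31032", "1ec791f31fe01e688ba0e3f4d0ddc0eeed5d90fec9f3835732afce4c93b5e5f2"),
    (r"C:\Users\Admin\Desktop\UseMount.mpeg.udacha",
     "73120867ccc9985201253a7c453f1a04", "fa03ee78cc03a1b3151f4062b3c9405b5a3fafafcd807d2c2c0272dc49ff30c9"),
    (r"\??\PIPE\srvsvc",
     "d41d8cd98f00b204e9800998ecf8427e", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]


def classify(path, md5, sha256):
    """Label one entry; the empty-digest check runs first because an empty
    capture is noise whatever its path says."""
    if md5 in EMPTY_DIGESTS or sha256 in EMPTY_DIGESTS:
        return "noise_empty"
    if any(p.search(path) for p in NOISE_PATTERNS):
        return "noise_sandbox_artifact"
    name = path.rsplit("\\", 1)[-1].lower()
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted_victim_file"  # content is per victim; hash is not reusable
    if NOTE_NAME.search(name) and name.endswith(NOTE_EXTS):
        return "ransom_note"
    return "review"  # unknown file written during the run: look at it by hand


def triage(entries):
    """Group SHA-256 values by classification."""
    groups = {}
    for path, md5, sha256 in entries:
        groups.setdefault(classify(path, md5, sha256), []).append(sha256)
    return groups


def shareable_hashes(entries):
    """Hashes worth adding to a blocklist: the ransom note and anything still
    marked for review. Encrypted victim files differ on every host and sandbox
    artifacts are not attacker-controlled, so both are dropped."""
    keep = {"ransom_note", "review"}
    return [sha for path, md5, sha in entries if classify(path, md5, sha) in keep]


if __name__ == "__main__":
    for category, hashes in sorted(triage(SAMPLE_DOWNLOADS).items()):
        print(f"{category:24} {len(hashes)}")
    print("shareable:", shareable_hashes(SAMPLE_DOWNLOADS))
```

On this report only the ransom note survives as a shareable hash, and even that is a weak indicator: note text is often templated per campaign, so the sample's own hashes from the report header remain the primary file indicators. The encrypted-file entry is still useful as a behavioural indicator (the `.udacha` extension), just not as a hash.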