Resubmissions
Submitted | Analysis ID | Score
03/11/2022, 09:46 | 221103-lrnd1sghc5 | 3
22/09/2022, 15:06 | 220922-sgtavafedj | 3
14/10/2021, 16:48 | 211014-vbeavaaad5 | 8
22/09/2021, 05:58 | 210922-gpdpksecgk | 8
22/09/2021, 05:36 | 210922-gax5nsecdn | 8
Analysis
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-en-20210920
submitted: 14/10/2021, 16:48
Static task: static1
Behavioral task: behavioral1
  Sample: manual64.dll
  Resource: win7-en-20210920
  0 signatures
  0 seconds
Behavioral task: behavioral2
  Sample: manual64.dll
  Resource: win10-en-20211014
  0 signatures
  0 seconds
General
Target: manual64.dll
Size: 184KB
MD5: d35a5caf8af43432ec2f5a2318b20597
SHA1: 8fd8f62a848a1d9c1ff18c7bc16e8a6d2c67c37e
SHA256: c74873d7b8cc622379ed49bd0b0e477167ae176aa329b01338666ec4c1a4426b
SHA512: 7de9c021c2e64c564ba8ac5c0f1914718c240a382bc717dd7e93122a0a51c849c263ae0438eae5c324ca1e5c3d346c2a09ab7fc63bbaa598e3973943a5d84263
Score: 8/10
Malware Config
Signatures
Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\PingUnpublish.tiff => \??\c:\Users\Admin\Pictures\PingUnpublish.tiff.quantum | rundll32.exe
File renamed | C:\Users\Admin\Pictures\UseRequest.crw => \??\c:\Users\Admin\Pictures\UseRequest.crw.quantum | rundll32.exe
File renamed | C:\Users\Admin\Pictures\FormatDeny.tif => \??\c:\Users\Admin\Pictures\FormatDeny.tif.quantum | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Pictures\LimitRemove.tiff | rundll32.exe
File renamed | C:\Users\Admin\Pictures\LimitRemove.tiff => \??\c:\Users\Admin\Pictures\LimitRemove.tiff.quantum | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Pictures\PingUnpublish.tiff | rundll32.exe
Deletes itself (1 IoC)
pid | Process
940 | cmd.exe

Drops desktop.ini file(s) (32 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MHZZT4MQ\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6TGGRK3W\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Documents\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Public\Music\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Public\Videos\Sample Videos\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Public\Music\Sample Music\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Y8SPHBTY\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Public\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JPBNSXHB\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Public\Recorded TV\desktop.ini | rundll32.exe
File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | rundll32.exe

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | \??\c:\Program Files\README_TO_DECRYPT.html | rundll32.exe
File created | \??\c:\Program Files (x86)\README_TO_DECRYPT.html | rundll32.exe
File created | \??\c:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\README_TO_DECRYPT.html | rundll32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d682b623b6978e4e8d6c7384e2da20760000000002000000000010660000000100002000000016169985aab5b46488c7bd8a351f7645c238ba6ba04a089d7869085068aaa09d000000000e8000000002000020000000347f62694cdcd26986a5a9a8ce29e9058b3053cec462c855c12bb7a77beda9d690000000301dfae811318baa73d4419301a7b9266238536b1c60a0bc49fac754a5132bf345d911f37cdabf6c99a98a6ef091d9e6288c8570afd1fd4879cb8dc2a39cecc702d91d127ed173ef746422d0fcfaf2ce7986e5597a77b3dafe18af63463c423e4e30d7c667ca619b677240e06f651b91586ca69e5b30e7d40a6e0aed487540f144fc0bf6de2ec5ae791f5886842091ea40000000afd22b4fd675dc809f0b12485ed156ea8db07ac8543bb50c5425e4e53ab9f66e12507f09ec3b6514e7a2361acd6dfe363d980f14a235b98692513cf6866c772b | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9AE3C831-2D0E-11EC-98EC-4E2873F54638} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\User Preferences | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d682b623b6978e4e8d6c7384e2da207600000000020000000000106600000001000020000000e54bf60a65083b936c7f21a5fe4f24f286d17ef57e00bbb2f7fb99c03713fc94000000000e8000000002000020000000be3e453ecac154398c16c01d9aef8c3732f0feca960f965fc1f904ca608a5e8610000000fe4f180316788643136921041c8be02d40000000be810757890685156ae28fe4bf6667cca520e807ccad8f57ca99bd486ffaab282d52ee63788671d00eee3bc0a12350974da2c6fc8344abeb25b9e4bad72faf62 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0906D51-2D0E-11EC-98EC-4E2873F54638} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = (value omitted) | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d682b623b6978e4e8d6c7384e2da2076000000000200000000001066000000010000200000004a7a469240e104dd29de5dfb74e32407cade98a6a7c8552580966e14b85014a0000000000e8000000002000020000000fea9bb548346d588f9d2f3c30cebfdffc24e1919bea9380c793d16bdacd1c14c200000005450ad50ec2fd4f2ce421a0ba801c7ee8d258bd99a15af8c4665eeab3781a77940000000c7314bef844021f46db8f6603d7dc92c3169dde525c0a11a5f772ff31a9f117fcafb7068d3c7fd246941048e0a920a74cfd2788ae2a0e6a56209469eb6cf259e | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{994F1E71-2D0E-11EC-98EC-4E2873F54638} = "0" | iexplore.exe
Modifies registry class (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\.quantum\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\.quantum\shell\Open | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\.quantum\shell\Open\command | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\.quantum | rundll32.exe

Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
2040 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1612 | rundll32.exe
1612 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 1612 | rundll32.exe
Token: SeDebugPrivilege | 1612 | rundll32.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | Process
1740 | iexplore.exe
656 | iexplore.exe
680 | iexplore.exe
1984 | iexplore.exe

Suspicious use of SetWindowsHookEx (20 IoCs)
pid | Process
656 | iexplore.exe
656 | iexplore.exe
1740 | iexplore.exe
1740 | iexplore.exe
1476 | IEXPLORE.EXE
1476 | IEXPLORE.EXE
948 | IEXPLORE.EXE
948 | IEXPLORE.EXE
948 | IEXPLORE.EXE
948 | IEXPLORE.EXE
1476 | IEXPLORE.EXE
1476 | IEXPLORE.EXE
680 | iexplore.exe
680 | iexplore.exe
1648 | IEXPLORE.EXE
1648 | IEXPLORE.EXE
1984 | iexplore.exe
1984 | iexplore.exe
1552 | IEXPLORE.EXE
1552 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 656 wrote to memory of 948 | 656 | iexplore.exe | 31
PID 656 wrote to memory of 948 | 656 | iexplore.exe | 31
PID 656 wrote to memory of 948 | 656 | iexplore.exe | 31
PID 656 wrote to memory of 948 | 656 | iexplore.exe | 31
PID 1740 wrote to memory of 1476 | 1740 | iexplore.exe | 32
PID 1740 wrote to memory of 1476 | 1740 | iexplore.exe | 32
PID 1740 wrote to memory of 1476 | 1740 | iexplore.exe | 32
PID 1740 wrote to memory of 1476 | 1740 | iexplore.exe | 32
PID 1612 wrote to memory of 940 | 1612 | rundll32.exe | 33
PID 1612 wrote to memory of 940 | 1612 | rundll32.exe | 33
PID 1612 wrote to memory of 940 | 1612 | rundll32.exe | 33
PID 940 wrote to memory of 1412 | 940 | cmd.exe | 35
PID 940 wrote to memory of 1412 | 940 | cmd.exe | 35
PID 940 wrote to memory of 1412 | 940 | cmd.exe | 35
PID 1144 wrote to memory of 680 | 1144 | explorer.exe | 38
PID 1144 wrote to memory of 680 | 1144 | explorer.exe | 38
PID 1144 wrote to memory of 680 | 1144 | explorer.exe | 38
PID 680 wrote to memory of 1648 | 680 | iexplore.exe | 39
PID 680 wrote to memory of 1648 | 680 | iexplore.exe | 39
PID 680 wrote to memory of 1648 | 680 | iexplore.exe | 39
PID 680 wrote to memory of 1648 | 680 | iexplore.exe | 39
PID 876 wrote to memory of 2040 | 876 | rundll32.exe | 41
PID 876 wrote to memory of 2040 | 876 | rundll32.exe | 41
PID 876 wrote to memory of 2040 | 876 | rundll32.exe | 41
PID 1984 wrote to memory of 1552 | 1984 | iexplore.exe | 46
PID 1984 wrote to memory of 1552 | 1984 | iexplore.exe | 46
PID 1984 wrote to memory of 1552 | 1984 | iexplore.exe | 46
PID 1984 wrote to memory of 1552 | 1984 | iexplore.exe | 46

Views/modifies file attributes (1 TTPs, 1 IoC)
pid | Process
1412 | attrib.exe
Processes
(indentation shows the parent/child relationship; the arrow markers of the original tree view have been dropped)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\manual64.dll,#1
  PID: 1612
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\\0F76341B.bat" "C:\Users\Admin\AppData\Local\Temp\manual64.dll""
    PID: 940
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\attrib.exe
      Command line: attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\manual64.dll"
      PID: 1412
      - Views/modifies file attributes

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
  PID: 1740
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2
    PID: 1476
    - Suspicious use of SetWindowsHookEx

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
  PID: 656
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:656 CREDAT:275457 /prefetch:2
    PID: 948
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

C:\Windows\explorer.exe
  Command line: "explorer.exe" README_TO_DECRYPT.html
  PID: 1936

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 1144
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
    PID: 680
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:680 CREDAT:275457 /prefetch:2
      PID: 1648
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UninstallWatch.clr.quantum
  PID: 876
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UninstallWatch.clr.quantum
    PID: 2040
    - Opens file in notepad (likely ransom note)

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\README_TO_DECRYPT.html
  PID: 1984
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275457 /prefetch:2
    PID: 1552
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2020