blackmatter | a5cdca5a8120b5532f6de3395b9b6d411ad9234b857ce17bb3cc5747be6a7dd2

General

Target

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Size

80KB
MD5

5c66cd4f21254f83663819138e634dd9
SHA1

6626cae85970e6490b8b0bf9da9aa4b57a79bb62
SHA256

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c
SHA512

093e1fb491d73ee240f1b0084bda233ef272618b56e61ed8602a57dec7b241b3f80a4a1749ff46d141399e71dd6127c9a8893c9d8d24c6aa48b0479a7ab42a2a

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\WRLMMTHME.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen sensitive data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2 >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/EWX33VYY3IGOXSG5ZZ2

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\EnterGrant.png.WRLMMTHME	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteLimit.tiff	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File renamed	C:\Users\Admin\Pictures\CompleteLimit.tiff => C:\Users\Admin\Pictures\CompleteLimit.tiff.WRLMMTHME	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteLimit.tiff.WRLMMTHME	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
File renamed	C:\Users\Admin\Pictures\EnterGrant.png => C:\Users\Admin\Pictures\EnterGrant.png.WRLMMTHME	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

description ioc process

File opened (read-only) \??\Z: 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\eventvwr.msc mmc.exe

description	ioc	process
File opened (read-only)	\??\Z:	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

description	ioc	process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\WRLMMTHME.bmp"	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WRLMMTHME.bmp"	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

pid	process
2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallpaperStyle = "10"	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe

Modifies registry class 64 IoCs

Processes:

mmc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	mmc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\FFlags = "1092616257"	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0 = 5c003100000000004e53617211004c49425241527e310000440009000400efbe4e5332724e5361722e0000003254010000000100000000000000000000000000000086e55e004c0069006200720061007200690065007300000018000000	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\1	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\1\NodeSlot = "3"	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\GroupByKey:PID = "0"	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\FFlags = "1"	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\MRUListEx = 0100000000000000ffffffff	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	mmc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 5c003100000000004e53c37414004d4943524f537e310000440009000400efbe4e5330724e53c3742e0000002b5301000000010000000000000000000000000000002becba004d006900630072006f0073006f0066007400000018000000	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\GroupView = "0"	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	mmc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_TopViewVersion = "0"	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\0 = 2c013200260800004e5332722000444f43554d457e312e4c49420000920009000400efbe4e5332724e5332722e000000545401000000010000000000000000005800000000004c84690044006f00630075006d0065006e00740073002e006c006900620072006100720079002d006d00730000004000770069006e0064006f00770073002e00730074006f0072006100670065002e0064006c006c002c002d003300340035003700350000001c002a0000000000efbe00000020000000000000000000000000000000000000000000000000010000001c002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc1c002a0000000000efbe00000020000000000000000000000000000000000000000000000000010000001c000000	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\LogicalViewMode = "1"	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	mmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\0	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\GroupByDirection = "1"	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0 = 56003100000000004e533572100057696e646f777300400009000400efbe4e5330724e5335722e0000002c530100000001000000000000000000000000000000ecdf0601570069006e0064006f0077007300000016000000	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	mmc.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\Mode = "4"	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\1\MRUListEx = ffffffff	mmc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\IconSize = "16"	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 78003100000000005353309c1100557365727300640009000400efbe724a0b5d5353309c2e000000320500000000010000000000000000003a00000000008587910055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 56003100000000004e53307212004170704461746100400009000400efbe4e5330724e5330722e00000029530100000001000000000000000000000000000000709c3e004100700070004400610074006100000016000000	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\0\1 = 02013200260800004e5332722000444f43554d457e312e4c49420000920009000400efbe4e5332724e5332722e000000545401000000010000000000000000005800000000004c84690044006f00630075006d0065006e00740073002e006c006900620072006100720079002d006d00730000004000770069006e0064006f00770073002e00730074006f0072006100670065002e0064006c006c002c002d003300340035003700350000001c002a0000000000efbe00000020000000000000000000000000000000000000000000000000010000001c002a0000001900efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc1c000000	mmc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 50003100000000005353309c100041646d696e003c0009000400efbe4e5330725353309c2e0000001e53010000000100000000000000000000000000000085879100410064006d0069006e00000014000000	mmc.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1864 NOTEPAD.EXE

pid	process
1864	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
520	chrome.exe
520	chrome.exe
1764	chrome.exe
1764	chrome.exe
1044	chrome.exe
1044	chrome.exe
316	chrome.exe
316	chrome.exe
4360	chrome.exe
4360	chrome.exe
4420	chrome.exe
4420	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmc.exe

pid process

4172 mmc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

1764 chrome.exe
1764 chrome.exe
1764 chrome.exe
1764 chrome.exe
1764 chrome.exe

pid	process
4172	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exevssvc.exemmc.exe

description	pid	process
Token: SeBackupPrivilege	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeDebugPrivilege	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: 36	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeImpersonatePrivilege	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeIncBasePriorityPrivilege	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeIncreaseQuotaPrivilege	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: 33	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeManageVolumePrivilege	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeProfSingleProcessPrivilege	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeRestorePrivilege	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeSecurityPrivilege	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeSystemProfilePrivilege	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeTakeOwnershipPrivilege	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeShutdownPrivilege	2680	2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
Token: SeBackupPrivilege	2320	vssvc.exe
Token: SeRestorePrivilege	2320	vssvc.exe
Token: SeAuditPrivilege	2320	vssvc.exe
Token: SeSecurityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: SeSecurityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe
Token: SeIncBasePriorityPrivilege	4172	mmc.exe
Token: 33	4172	mmc.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

mmc.exe

pid process

4172 mmc.exe
4172 mmc.exe
4172 mmc.exe

pid	process
4172	mmc.exe
4172	mmc.exe
4172	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1764 wrote to memory of 3984	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3984	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 3600	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 520	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 520	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe
PID 1764 wrote to memory of 2196	1764	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe
"C:\Users\Admin\AppData\Local\Temp\2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WRLMMTHME.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb1ae94f50,0x7ffb1ae94f60,0x7ffb1ae94f70
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1508 /prefetch:2
2⤵
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1740 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 /prefetch:8
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:1
2⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
2⤵
PID:1272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
2⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8
2⤵
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4452 /prefetch:8
2⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4460 /prefetch:8
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
PID:3184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:8
2⤵
PID:872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4892 /prefetch:8
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4480 /prefetch:8
2⤵
PID:804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:8
2⤵
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4404 /prefetch:8
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5092 /prefetch:8
2⤵
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
2⤵
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1484,8703202538949998399,10908484164286453325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=772 /prefetch:8
2⤵
PID:4552

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\WRLMMTHME.README.txt
MD5
896f61d321c4af276b7a80be14715992

SHA1
feca31af9616ac09d73900d32a8dc8d08fce51e6

SHA256
8553b63516ebbad0ce0653b3e21831b5dd114584ec49f6f413ad928ee68e6c21

SHA512
81fd91036800c12a66e9c352a70293734f5d4355c6c2fbf39446602655f596ac3afc150a4c0494c804a4226aba55aa65f031bd0957f79ffd131e5329fb0ec82e

Download Submit
\??\pipe\crashpad_1764_NPJNTXWUFRUZYBSC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2680-116-0x00000000010E0000-0x000000000122A000-memory.dmp

Filesize
1.3MB

Download
memory/2680-115-0x00000000010E0000-0x000000000122A000-memory.dmp

Filesize
1.3MB

Download
memory/4172-121-0x000000001E954000-0x000000001E955000-memory.dmp

Filesize
4KB

Download
memory/4172-120-0x000000001E952000-0x000000001E954000-memory.dmp

Filesize
8KB

Download
memory/4172-119-0x000000001E950000-0x000000001E952000-memory.dmp

Filesize
8KB

Download
memory/4172-122-0x000000001E955000-0x000000001E956000-memory.dmp

Filesize
4KB

Download
memory/4172-123-0x000000001E956000-0x000000001E957000-memory.dmp

Filesize
4KB

Download
memory/4172-124-0x000000001E957000-0x000000001E958000-memory.dmp

Filesize
4KB

Download
memory/4172-125-0x00007FF6B0050000-0x00007FF6B0051000-memory.dmp

Filesize
4KB

Download
memory/4172-126-0x000000001E958000-0x000000001E95A000-memory.dmp

Filesize
8KB

Download
memory/4172-127-0x000000001E95A000-0x000000001E95F000-memory.dmp

Filesize
20KB

Download
memory/4172-128-0x0000000022550000-0x0000000022551000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads