Analysis
-
max time kernel
190s -
max time network
117s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
28-11-2021 04:49
Static task
static1
Behavioral task
behavioral1
Sample
e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
Resource
win10-en-20211104
General
-
Target
e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
-
Size
128KB
-
MD5
99e949ddd57dbc19457eba5f235516f3
-
SHA1
99f9270e85ec53b8dada459279d30e8b169462c1
-
SHA256
e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b
-
SHA512
4b4746c6d23be8d445876e5e6931d48ebbac8eca6c4ad545b6dc94c400f768df87ad03984c1c83a7e7d0225fd8cdd6305e4f7ef4d580378b42424288def7fa41
Malware Config
Extracted
C:\Users\Admin\How to decrypt files.txt
targetcompany
http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact
Signatures
-
TargetCompany
Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 1068 bcdedit.exe 1164 bcdedit.exe -
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exedescription ioc process File renamed C:\Users\Admin\Pictures\WriteDisconnect.png => C:\Users\Admin\Pictures\WriteDisconnect.png.brg e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File renamed C:\Users\Admin\Pictures\ImportExit.crw => C:\Users\Admin\Pictures\ImportExit.crw.brg e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File renamed C:\Users\Admin\Pictures\DismountSkip.raw => C:\Users\Admin\Pictures\DismountSkip.raw.brg e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File renamed C:\Users\Admin\Pictures\InstallRegister.tif => C:\Users\Admin\Pictures\InstallRegister.tif.brg e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File renamed C:\Users\Admin\Pictures\ShowSearch.crw => C:\Users\Admin\Pictures\ShowSearch.crw.brg e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File renamed C:\Users\Admin\Pictures\FindMove.tif => C:\Users\Admin\Pictures\FindMove.tif.brg e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File renamed C:\Users\Admin\Pictures\RenameMerge.crw => C:\Users\Admin\Pictures\RenameMerge.crw.brg e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File renamed C:\Users\Admin\Pictures\InitializeAssert.png => C:\Users\Admin\Pictures\InitializeAssert.png.brg e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File renamed C:\Users\Admin\Pictures\TraceFind.raw => C:\Users\Admin\Pictures\TraceFind.raw.brg e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File renamed C:\Users\Admin\Pictures\CheckpointUnpublish.png => C:\Users\Admin\Pictures\CheckpointUnpublish.png.brg e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1736 cmd.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exedescription ioc process File opened (read-only) \??\A: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\I: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\N: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\T: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\W: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\Z: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\B: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\E: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\L: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\O: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\S: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\V: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\H: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\K: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\Y: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\R: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\U: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\F: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\G: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\J: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\M: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\P: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\Q: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened (read-only) \??\X: e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe -
Drops file in Program Files directory 64 IoCs
Processes:
e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15132_.GIF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.SE.XML e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Magadan e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00483_.WMF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JNGLE_01.MID e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\How to decrypt files.txt e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\How to decrypt files.txt e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADVCMP.DIC e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\How to decrypt files.txt e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianMergeLetter.Dotx e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03451_.WMF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.RSD e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cancun e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01566_.WMF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTOC.DPV e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0324704.WMF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01040_.WMF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105294.WMF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00268_.WMF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0278882.WMF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN020.XML e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue.css e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15171_.GIF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TITLE.XSL e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBHOME.POC e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File created C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\How to decrypt files.txt e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKREQ.CFG e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_OFF.GIF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+11 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00092_.GIF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03339_.WMF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106208.WMF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\How to decrypt files.txt e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186348.WMF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL083.XML e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00423_.WMF e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Santiago e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Address.accft e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME24.CSS e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 760 vssadmin.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exepid process 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exevssvc.exedescription pid process Token: SeTakeOwnershipPrivilege 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe Token: SeDebugPrivilege 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe Token: SeBackupPrivilege 816 vssvc.exe Token: SeRestorePrivilege 816 vssvc.exe Token: SeAuditPrivilege 816 vssvc.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.execmd.execmd.execmd.exedescription pid process target process PID 1692 wrote to memory of 760 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe vssadmin.exe PID 1692 wrote to memory of 760 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe vssadmin.exe PID 1692 wrote to memory of 760 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe vssadmin.exe PID 1692 wrote to memory of 760 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe vssadmin.exe PID 1692 wrote to memory of 1040 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe cmd.exe PID 1692 wrote to memory of 1040 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe cmd.exe PID 1692 wrote to memory of 1040 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe cmd.exe PID 1692 wrote to memory of 1040 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe cmd.exe PID 1692 wrote to memory of 692 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe cmd.exe PID 1692 wrote to memory of 692 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe cmd.exe PID 1692 wrote to memory of 692 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe cmd.exe PID 1692 wrote to memory of 692 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe cmd.exe PID 692 wrote to memory of 1068 692 cmd.exe bcdedit.exe PID 692 wrote to memory of 1068 692 cmd.exe bcdedit.exe PID 692 wrote to memory of 1068 692 cmd.exe bcdedit.exe PID 1040 wrote to memory of 1164 1040 cmd.exe bcdedit.exe PID 1040 wrote to memory of 1164 1040 cmd.exe bcdedit.exe PID 1040 wrote to memory of 1164 1040 cmd.exe bcdedit.exe PID 1692 wrote to memory of 1736 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe cmd.exe PID 1692 wrote to memory of 1736 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe cmd.exe PID 1692 wrote to memory of 1736 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe cmd.exe PID 1692 wrote to memory of 1736 1692 e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe cmd.exe PID 1736 wrote to memory of 920 1736 cmd.exe PING.EXE PID 1736 wrote to memory of 920 1736 cmd.exe PING.EXE PID 1736 wrote to memory of 920 1736 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe"C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\system32\vssadmin.exe"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:760
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\system32\bcdedit.exebcdedit /set {current} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:1164
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no2⤵
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\system32\bcdedit.exebcdedit /set {current} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:1068
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe" >> NUL2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\system32\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:920
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:816
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\How to decrypt files.txt1⤵PID:1164
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ef0b6f818162e1cb90f601e0d1fbcecf
SHA133fab6593738af52393884c589fb40417d9292aa
SHA2560b2fd826cd23e013dba97e5e398af8992b9b48d69a0bbb6cffa1ea5fa896b4fe
SHA51289c141064843766fbd10fc64e0be403cd40e79788ced2934a99d435ae0643290f6f697ae7214c0f0fb23c62b37d8074ee2bd7881005541e272231dca62849502