3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83

Resubmissions

20/01/2022, 19:26

220120-x5jhrsbcdl 10

17/01/2022, 16:56

220117-vf67esbcd8 10

17/01/2022, 16:16

220117-tqyscsbedr 10

09/12/2021, 23:18

211209-299yqseee9 1

Analysis

max time kernel
1203s
max time network
756s
platform
windows10_x64
resource
win10-en-20211208
submitted
17/01/2022, 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
Size

2.2MB
MD5

aea5d3cced6725f37e2c3797735e6467
SHA1

087497940a41d96e4e907b6dc92f75f4a38d861a
SHA256

3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83
SHA512

5489753ae1c3ba0dbd3e0ce1b78b0ccba045e534e77fb87c80d56b16229f928c46a15721020142bbc6bd4d1ba5c295f4bec3596efa7b46c906889c156dadbd66

Score

10^/10

ransomware

Malware Config

Extracted

Path

\??\Z:\RECOVER-sykffle-FILES.txt

Ransom Note

>> Introduction Important files on your system was ENCRYPTED and now they have have "sykffle" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=GfjBJOpvNRomDHpgsWFmQevkENCHPGoFVXNvOwZ5qtw6SKG8kCp%2FQXB0CKxe6xRLJeFStrmxxrCbQi69Lel21pyJ91hmeQKjk%2Ben10Sqh2b01bhXSjaFMUD0e5%2BXGhwxDwqQoRUyKT7vev%2BM9KxFzS8VnaZiT9nCM3z26ET%2Fd3GfFWYXI3ecK8mMbLKf1%2BWlmff363dOih4kRUyk8hEabXK3EYFMuN5cVuR%2FI3J8sLIeeDJ9DizQRIUd2lRlXAFjX0z6sIOWNrj0YJ7tdcSzU5t2y015GAfb3D4L0XlSBjONqAY%2BwKQqk6XQ3TonZw39LdyjfbJQcyfc6uxssBhoUA%3D%3D

URLs

http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21

http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=GfjBJOpvNRomDHpgsWFmQevkENCHPGoFVXNvOwZ5qtw6SKG8kCp%2FQXB0CKxe6xRLJeFStrmxxrCbQi69Lel21pyJ91hmeQKjk%2Ben10Sqh2b01bhXSjaFMUD0e5%2BXGhwxDwqQoRUyKT7vev%2BM9KxFzS8VnaZiT9nCM3z26ET%2Fd3GfFWYXI3ecK8mMbLKf1%2BWlmff363dOih4kRUyk8hEabXK3EYFMuN5cVuR%2FI3J8sLIeeDJ9DizQRIUd2lRlXAFjX0z6sIOWNrj0YJ7tdcSzU5t2y015GAfb3D4L0XlSBjONqAY%2BwKQqk6XQ3TonZw39LdyjfbJQcyfc6uxssBhoUA%3D%3D

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\DenyStep.tiff => C:\Users\Admin\Pictures\DenyStep.tiff.sykffle	moo.exe
File renamed	C:\Users\Admin\Pictures\DisconnectProtect.tif => C:\Users\Admin\Pictures\DisconnectProtect.tif.sykffle	moo.exe
File renamed	C:\Users\Admin\Pictures\FindSplit.crw => C:\Users\Admin\Pictures\FindSplit.crw.sykffle	moo.exe
File renamed	C:\Users\Admin\Pictures\UnblockConvertFrom.tif => C:\Users\Admin\Pictures\UnblockConvertFrom.tif.sykffle	moo.exe
File opened for modification	C:\Users\Admin\Pictures\UnblockConvertFrom.tif.sykffle	moo.exe
File renamed	C:\Users\Admin\Pictures\AddDisconnect.png => C:\Users\Admin\Pictures\AddDisconnect.png.sykffle	moo.exe
File opened for modification	C:\Users\Admin\Pictures\AddDisconnect.png.sykffle	moo.exe
File opened for modification	C:\Users\Admin\Pictures\DisconnectProtect.tif.sykffle	moo.exe
File opened for modification	C:\Users\Admin\Pictures\FindSplit.crw.sykffle	moo.exe
File renamed	C:\Users\Admin\Pictures\UnprotectLock.raw => C:\Users\Admin\Pictures\UnprotectLock.raw.sykffle	moo.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectLock.raw.sykffle	moo.exe
File opened for modification	C:\Users\Admin\Pictures\DenyStep.tiff	moo.exe
File opened for modification	C:\Users\Admin\Pictures\DenyStep.tiff.sykffle	moo.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	moo.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	moo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	moo.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3216	vssadmin.exe
2024	vssadmin.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\WallpaperStyle = "0"	moo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2008	taskmgr.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
384	cmd.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	taskmgr.exe
Token: SeSystemProfilePrivilege	2008	taskmgr.exe
Token: SeCreateGlobalPrivilege	2008	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	1688	WMIC.exe
Token: SeSecurityPrivilege	1688	WMIC.exe
Token: SeTakeOwnershipPrivilege	1688	WMIC.exe
Token: SeLoadDriverPrivilege	1688	WMIC.exe
Token: SeSystemProfilePrivilege	1688	WMIC.exe
Token: SeSystemtimePrivilege	1688	WMIC.exe
Token: SeProfSingleProcessPrivilege	1688	WMIC.exe
Token: SeIncBasePriorityPrivilege	1688	WMIC.exe
Token: SeCreatePagefilePrivilege	1688	WMIC.exe
Token: SeBackupPrivilege	1688	WMIC.exe
Token: SeRestorePrivilege	1688	WMIC.exe
Token: SeShutdownPrivilege	1688	WMIC.exe
Token: SeDebugPrivilege	1688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1688	WMIC.exe
Token: SeRemoteShutdownPrivilege	1688	WMIC.exe
Token: SeUndockPrivilege	1688	WMIC.exe
Token: SeManageVolumePrivilege	1688	WMIC.exe
Token: 33	1688	WMIC.exe
Token: 34	1688	WMIC.exe
Token: 35	1688	WMIC.exe
Token: 36	1688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1688	WMIC.exe
Token: SeSecurityPrivilege	1688	WMIC.exe
Token: SeTakeOwnershipPrivilege	1688	WMIC.exe
Token: SeLoadDriverPrivilege	1688	WMIC.exe
Token: SeSystemProfilePrivilege	1688	WMIC.exe
Token: SeSystemtimePrivilege	1688	WMIC.exe
Token: SeProfSingleProcessPrivilege	1688	WMIC.exe
Token: SeIncBasePriorityPrivilege	1688	WMIC.exe
Token: SeCreatePagefilePrivilege	1688	WMIC.exe
Token: SeBackupPrivilege	1688	WMIC.exe
Token: SeRestorePrivilege	1688	WMIC.exe
Token: SeShutdownPrivilege	1688	WMIC.exe
Token: SeDebugPrivilege	1688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1688	WMIC.exe
Token: SeRemoteShutdownPrivilege	1688	WMIC.exe
Token: SeUndockPrivilege	1688	WMIC.exe
Token: SeManageVolumePrivilege	1688	WMIC.exe
Token: 33	1688	WMIC.exe
Token: 34	1688	WMIC.exe
Token: 35	1688	WMIC.exe
Token: 36	1688	WMIC.exe
Token: SeBackupPrivilege	1348	vssvc.exe
Token: SeRestorePrivilege	1348	vssvc.exe
Token: SeAuditPrivilege	1348	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe
2008	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 3948	384	cmd.exe	79
PID 384 wrote to memory of 3948	384	cmd.exe	79
PID 384 wrote to memory of 3948	384	cmd.exe	79
PID 384 wrote to memory of 2064	384	cmd.exe	80
PID 384 wrote to memory of 2064	384	cmd.exe	80
PID 384 wrote to memory of 2064	384	cmd.exe	80
PID 384 wrote to memory of 3780	384	cmd.exe	81
PID 384 wrote to memory of 3780	384	cmd.exe	81
PID 384 wrote to memory of 3780	384	cmd.exe	81
PID 384 wrote to memory of 2052	384	cmd.exe	82
PID 384 wrote to memory of 2052	384	cmd.exe	82
PID 384 wrote to memory of 2052	384	cmd.exe	82
PID 384 wrote to memory of 1776	384	cmd.exe	83
PID 384 wrote to memory of 1776	384	cmd.exe	83
PID 384 wrote to memory of 1776	384	cmd.exe	83
PID 384 wrote to memory of 3792	384	cmd.exe	84
PID 384 wrote to memory of 3792	384	cmd.exe	84
PID 384 wrote to memory of 3792	384	cmd.exe	84
PID 384 wrote to memory of 3380	384	cmd.exe	85
PID 384 wrote to memory of 3380	384	cmd.exe	85
PID 384 wrote to memory of 3380	384	cmd.exe	85
PID 384 wrote to memory of 3968	384	cmd.exe	86
PID 384 wrote to memory of 3968	384	cmd.exe	86
PID 384 wrote to memory of 3968	384	cmd.exe	86
PID 384 wrote to memory of 3592	384	cmd.exe	87
PID 384 wrote to memory of 3592	384	cmd.exe	87
PID 384 wrote to memory of 3592	384	cmd.exe	87
PID 384 wrote to memory of 684	384	cmd.exe	88
PID 384 wrote to memory of 684	384	cmd.exe	88
PID 384 wrote to memory of 684	384	cmd.exe	88
PID 384 wrote to memory of 2096	384	cmd.exe	90
PID 384 wrote to memory of 2096	384	cmd.exe	90
PID 384 wrote to memory of 2096	384	cmd.exe	90
PID 384 wrote to memory of 3544	384	cmd.exe	91
PID 384 wrote to memory of 3544	384	cmd.exe	91
PID 384 wrote to memory of 3544	384	cmd.exe	91
PID 384 wrote to memory of 4088	384	cmd.exe	92
PID 384 wrote to memory of 4088	384	cmd.exe	92
PID 384 wrote to memory of 4088	384	cmd.exe	92
PID 384 wrote to memory of 2624	384	cmd.exe	93
PID 384 wrote to memory of 2624	384	cmd.exe	93
PID 384 wrote to memory of 2624	384	cmd.exe	93
PID 384 wrote to memory of 936	384	cmd.exe	94
PID 384 wrote to memory of 936	384	cmd.exe	94
PID 384 wrote to memory of 936	384	cmd.exe	94
PID 384 wrote to memory of 1336	384	cmd.exe	95
PID 384 wrote to memory of 1336	384	cmd.exe	95
PID 384 wrote to memory of 1336	384	cmd.exe	95
PID 384 wrote to memory of 2012	384	cmd.exe	96
PID 384 wrote to memory of 2012	384	cmd.exe	96
PID 384 wrote to memory of 2012	384	cmd.exe	96
PID 384 wrote to memory of 1328	384	cmd.exe	97
PID 384 wrote to memory of 1328	384	cmd.exe	97
PID 384 wrote to memory of 1328	384	cmd.exe	97
PID 1328 wrote to memory of 2708	1328	moo.exe	98
PID 1328 wrote to memory of 2708	1328	moo.exe	98
PID 1328 wrote to memory of 2708	1328	moo.exe	98
PID 2708 wrote to memory of 1688	2708	cmd.exe	100
PID 2708 wrote to memory of 1688	2708	cmd.exe	100
PID 2708 wrote to memory of 1688	2708	cmd.exe	100
PID 1328 wrote to memory of 2260	1328	moo.exe	102
PID 1328 wrote to memory of 2260	1328	moo.exe	102
PID 1328 wrote to memory of 2260	1328	moo.exe	102
PID 2260 wrote to memory of 2780	2260	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help
1⤵
PID:3792

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help
  2⤵
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help
  2⤵
  PID:2064
- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help
  2⤵
  PID:3780
- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help
  2⤵
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help
  2⤵
  PID:3792
- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help
  2⤵
  PID:3380
- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help
  2⤵
  PID:3968
- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -u
  2⤵
  PID:3592
- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --ui
  2⤵
  PID:684
- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -v
  2⤵
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
  C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --version
  2⤵
  PID:3544
- C:\Users\Admin\AppData\Local\Temp\moo.exe
  moo -v
  2⤵
  PID:4088
- C:\Users\Admin\AppData\Local\Temp\moo.exe
  moo -h
  2⤵
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\moo.exe
  moo --help
  2⤵
  PID:936
- C:\Users\Admin\AppData\Local\Temp\moo.exe
  moo --ui
  2⤵
  PID:1336
- C:\Users\Admin\AppData\Local\Temp\moo.exe
  moo -V
  2⤵
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\moo.exe
  moo -v -a monkeynuts
  2⤵
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "wmic csproduct get UUID"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get UUID
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil behavior set SymlinkEvaluation R2L:1
      4⤵
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil behavior set SymlinkEvaluation R2R:1
      4⤵
      PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
    3⤵
    PID:2488
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
      4⤵
      PID:3032
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c "vssadmin.exe delete shadows /all /quiet"
    3⤵
    PID:2044
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "arp -a"
    3⤵
    PID:1848
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:3784
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c "vssadmin.exe delete shadows /all /quiet"
    3⤵
    PID:3576
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1996

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:2440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads