neshta | f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911

Analysis

max time kernel
131s
max time network
130s
platform
windows7_x64
resource
win7-en-20211208
submitted
24-01-2022 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
Size

201KB
MD5

6e64e10abf633d7d99b541819f25f57b
SHA1

71234a62fb0b931103a558e2c34b3cda6a116122
SHA256

f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911
SHA512

a01d438a5289d449758124899989230d5d81930f1787aae90fa962c928ecf433bac7ed37544112199296a37d5f3596c99a099673e55cc21d36d734cc8ba02655

Score

10^/10

neshta sodinokibi 19 312 persistence ransomware spyware stealer

Malware Config

Extracted

Family

sodinokibi

Botnet

Campaign

312

iron-mine.ru

qandmmusiccenter.com

yourhappyevents.fr

enews-qca.com

leadforensics.com

lumturo.academy

lovetzuchia.com

sber-biznes.com

randyabrown.com

penumbuhrambutkeiskei.com

johnsonweekly.com

agriturismocastagneto.it

masecologicos.com

jonnyhooley.com

krishnabrawijaya.com

denverwynkoopdentist.com

enactusnhlstenden.com

uci-france.fr

renderbox.ch

dennisverschuur.com

Attributes

net
true
pid
19
prc
ocautoupds.exe
mysqld_opt.exe
msftesql.exe
xfssvccon.exe
mysqld.exe
oracle.exe
agntsvc.exe
mspub.exe
thebat.exe
ocssd.exe
steam.exe
mysqld_nt.exe
powerpnt.exe
sqlbrowser.exe
tbirdconfig.exe
dbeng50.exe
msaccess.exe
sqbcoreservice.exe
outlook.exe
encsvc.exe
infopath.exe
excel.exe
synctime.exe
sqlwriter.exe
thunderbird.exe
sqlservr.exe
winword.exe
dbsnmp.exe
visio.exe
onenote.exe
thebat64.exe
mydesktopqos.exe
sqlagent.exe
firefoxconfig.exe
ocomm.exe
wordpad.exe
mydesktopservice.exe
isqlplussvc.exe
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
312

Signatures

Detect Neshta Payload 17 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Sodinokibi/Revil sample 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe	family_sodinokobi
C:\Users\Admin\AppData\Local\Temp\3582-490\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe	family_sodinokobi
\Users\Admin\AppData\Local\Temp\3582-490\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe	family_sodinokobi
C:\Users\Admin\AppData\Local\Temp\3582-490\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe	family_sodinokobi
\Users\Admin\AppData\Local\Temp\3582-490\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe	family_sodinokobi

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exesvchost.com

pid process

964 f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
360 svchost.com

Loads dropped DLL 5 IoCs

Processes:

f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exef8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exesvchost.com

pid	process
960	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
960	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
964	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
360	svchost.com
960	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe

description	ioc	process
File opened (read-only)	\??\O:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\T:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\V:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\W:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\H:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\K:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\R:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\S:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\U:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\X:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\Y:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\F:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\G:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\M:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\N:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\P:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\Q:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\A:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\B:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\E:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\I:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\J:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\L:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened (read-only)	\??\Z:	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.comf8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe

Drops file in Windows directory 64 IoCs

Processes:

f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b40b4fc097a11d8a.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_en-us_a547f57d755ff33d.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.17514_none_ae2511475093798f_ole32.dll_e9dcc2e3	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.1.7601.17514_none_8f3b84fe5fd1f73d_netapi32.dll_8b1e859a	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_765b17a2c56f9155_rasctrnm.h_17610c72	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.1.7601.17514_none_b5a6c7c6ac83a58e.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7601.17514_de-de_1c083148b78fc347.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d70162d0d613541c.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_953f0977fbbe9530.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shlwapi_31bf3856ad364e35_6.1.7601.17514_none_57ffb773bb4e758b.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_base_kor.xml_f4ee1eeb	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3d8bb37f97ba22ff.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1f581fdf87449006.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..d-bootfix.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f5f9d5f8c8d6c6f6.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f067c9d9c2297404_hid.dll.mui_cccd5ae0	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_de-de_174ff4e0ca034447_credui.dll.mui_34721171	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_018b4fa043769680_wer.dll.mui_e68ddae7	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e26822dcb0734f73.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..libraries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0739be3de62b2c98_iphlpapi.dll.mui_9531144c	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_auxbase.xml_2edbfe7c	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_66e40021f6ac2d53_rasdiag.dll.mui_15cb4ec4	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_nb-no_798b5b93376ffdff_comctl32.dll.mui_0da4e682	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-gautami_31bf3856ad364e35_6.1.7600.16385_none_d7a960cbb5ebb166.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-segoeui_31bf3856ad364e35_6.1.7600.16385_none_2cb0f5602bedb50f_segoeuii.ttf_ea35f432	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4013808557fee4b0.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-ws232.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_98d4b6b35beff4c4_ws2_32.dll.mui_f13ef3a5	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f36785427fe61495_scfilter.sys.mui_cebab716	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-imageanalysis_31bf3856ad364e35_6.1.7601.17514_none_4a6381a588654ba6_dbghelp.dll_417263a2	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_6.1.7600.16385_none_db04d3f548508fd9_cvgafix.fon_c20a9ed9	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a18ee5b097220db7_appinfo.dll.mui_cfd93456	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-o..iles-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5fa5a6c6f39ec868_cscmig.dll.mui_7e59bd05	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d0b642a01042b922.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3ba84b2bd59394c1_msxml6r.dll.mui_4516d602	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_1423e918b2cd2d4b_rasrqs-repl.man_b28d8556	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8216f269f23254c_oleres.dll.mui_ff00d4cb	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-international-core_31bf3856ad364e35_6.1.7601.17514_none_ebb1ce7438031941_nlscoremig.dll_0ee3acd5	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-ntlanman.resources_31bf3856ad364e35_6.1.7600.16385_de-de_92a7077dbad2d052.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_244ae8599e6d81bb_hh.exe_f87e0044	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_lt-lt_1b4d466a173e8550.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-865_31bf3856ad364e35_6.1.7600.16385_none_2addbcc8b4e24096.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_11659fed3eedfa29.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_49b8f030ce87f986_serwvdrv.dll.mui_6a9f4568	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-cmi_31bf3856ad364e35_6.1.7601.17514_none_abd5b433b8ccf7a4.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-sens-service.resources_31bf3856ad364e35_6.1.7600.16385_en-us_15183a238358cc41_sens.dll.mui_64739194	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c5ebc31e0daac1f4.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f469506f7f6f97f_tcpipcfg.dll.mui_a5479fc1	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-vssapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_70554f7eaa2b7caa.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-vssapi_31bf3856ad364e35_6.1.7601.17514_none_330ce3bf9861358f_vssapi.dll_51f72c64	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_nl-nl_a60989855737fdee.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_67f0b62b00a7235a_sppc.dll.mui_0a75786d	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-webservices.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b11048a8ca8c8b7d_webservices.dll.mui_eecc809d	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d2c8fba0badc8a46_puiobj.dll.mui_b9c0c4d6	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3f3bc9163ae8cff9.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-raavi_31bf3856ad364e35_6.1.7600.16385_none_a2d43ed8e3097243_raavi.ttf_15141359	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-shruti_31bf3856ad364e35_6.1.7600.16385_none_295c980d6b8c1975_shrutib.ttf_cc31ccfb	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..-encoding.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c464d2bacfbc42a4.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac553040a56eff44_wshelper.dll.mui_be261ecd	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_c622c1b2dbc95119.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mprmsg.resources_31bf3856ad364e35_6.1.7600.16385_de-de_dbc557144037871f.manifest	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-t..libraries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7c16376770aeada7_iphlpapi.dll.mui_9531144c	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_cd7aeeff1897d018_perfi.dat_e3a35ecf	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e8b9b6cce3abf5f_ddraw.dll.mui_95b8c3ab	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d28dabacfdb4dd1a_winresume.efi.mui_f412814e	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_442e570e6aa0d70c_msimsg.dll.mui_72e8994f	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

876 vssadmin.exe

pid	process
876	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe

pid	process
964	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
964	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1908 vssvc.exe
Token: SeRestorePrivilege 1908 vssvc.exe
Token: SeAuditPrivilege 1908 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1908	vssvc.exe
Token: SeRestorePrivilege	1908	vssvc.exe
Token: SeAuditPrivilege	1908	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exef8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exesvchost.comcmd.exe

description	pid	process	target process
PID 960 wrote to memory of 964	960	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
PID 960 wrote to memory of 964	960	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
PID 960 wrote to memory of 964	960	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
PID 960 wrote to memory of 964	960	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
PID 964 wrote to memory of 360	964	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe	svchost.com
PID 964 wrote to memory of 360	964	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe	svchost.com
PID 964 wrote to memory of 360	964	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe	svchost.com
PID 964 wrote to memory of 360	964	f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe	svchost.com
PID 360 wrote to memory of 1016	360	svchost.com	cmd.exe
PID 360 wrote to memory of 1016	360	svchost.com	cmd.exe
PID 360 wrote to memory of 1016	360	svchost.com	cmd.exe
PID 360 wrote to memory of 1016	360	svchost.com	cmd.exe
PID 1016 wrote to memory of 876	1016	cmd.exe	vssadmin.exe
PID 1016 wrote to memory of 876	1016	cmd.exe	vssadmin.exe
PID 1016 wrote to memory of 876	1016	cmd.exe	vssadmin.exe
PID 1016 wrote to memory of 876	1016	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
"C:\Users\Admin\AppData\Local\Temp\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\3582-490\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
MD5
eafb5c9e718ec9f053f0262ab1c9ddd2

SHA1
573d3cd44bbb7863e0ef5226d90cbd2375282f2a

SHA256
56fc9ee5ebfc6b6eec9ef43c21ab24349fc0890eb783b2e1eddaa53770f11877

SHA512
e7d6a5efdb35543e1dc940a198119bd0f3ed9740bc36465232a4f66c03cbecbfe61a109f181b758113ce4c71253766698a493763abccc9fb0ce2c47ff8b31d7a

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
MD5
3ec4922dbca2d07815cf28144193ded9

SHA1
75cda36469743fbc292da2684e76a26473f04a6d

SHA256
0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

SHA512
956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
MD5
693ed385cb9c7d902c9aa4271d345d7e

SHA1
36f512f61342924f3e4ea8d92badfc0e21e7ebe8

SHA256
01e693491511a132443e9aae0b3d8522ff258bb1f47d5d5e9dc0407a24e67eaf

SHA512
f31c5b3b02d698fff2b956850cc0d79bbbf2a083bc82fbd406426eac19a598bb5ebae028aecdaddd7010501237f2422fe4e709be91e18368a78995486cfa5cee

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
MD5
ad0efa1df844814c2e8ddc188cb0e3b5

SHA1
b1a8a09f2223aab8b8e3e9bc0e58cc83d402f8ab

SHA256
c87fd5b223cb6dc716815b442b4964d4670a30b5c79f4fb9f1c3a65ec9072e5a

SHA512
532cc173d9ef27098ff10b6b652c64231b4a14f99df3b5de2eb1423370c19590e2a6032023d3ed02e2080f2f087b620ebbbd079e4a47a584ef11f3eaa0eb8520

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
MD5
92724a039ff89fb4dbf81af8de334fef

SHA1
076c6a350376748aa51d27ca82ee2b9b530d08f9

SHA256
e76511f06efd7f21aebafbbe8bd7deb024b76f10714e06f95b45992df8a847f5

SHA512
c8d8ada1492c2881896662bd1e387c3b6408034f49e078f58d1d5a7476af01433c9e35cf123a91b785d5f0284803631c153e9d26895bb61a1ccd19be267b2631

Download Submit
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
MD5
c212b0482724be17efbb38ac9c65f4d0

SHA1
b3417fd84d533516288725139952f79afef770a8

SHA256
6135f77de811a3da2905ecaa066c4e9195d29f6c1dbe3ab22b1fb910ae567492

SHA512
0d30c2b64a8617c1279f0b380dabd2b26400010c26bf757bd131f4eb999ec0fde0e5617d79c910b692227741676ac4c6b5e0d2d077adc09a1098a1f69e8862fe

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
MD5
67a6e518de5b8401669ccf03059f1bac

SHA1
98ccf378e8c7e3ada48c4f6ca52b9293e141ce84

SHA256
c554dfea900392e9eb4a0ab658f76a5a1de1e41bdce80382b5943dd78fc9516f

SHA512
4e7b1922328d1e05e7faf456f61375df081faacca415c5242e12f081dee4d7f03835a9776295c77e7788984188f27ff358d72bc9100dbb250975aaaf2e95777c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
f6636e7fd493f59a5511f08894bba153

SHA1
3618061817fdf1155acc0c99b7639b30e3b6936c

SHA256
61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33

SHA512
bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
MD5
fa982a173f9d3628c2b3ff62bd8a2f87

SHA1
2cfb18d542ae6b6cf5a1223f1a77defd9b91fa56

SHA256
bc5d80d05a1bd474cb5160782765bf973ba34ea25dedf7e96dfaf932b9935032

SHA512
95ca9066a2e5272494b8e234220b6028c14892679023ca70801475c38d341032363589375ec6ffc4cde3416dd88d0e3082d315f7beddccdf014122ddd0a90644

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
MD5
7b4c9fa2f95caaf096b15e129623d657

SHA1
b4e253782de542a520b55205a019bd0dd6695ed8

SHA256
6d484c276965970169270302286bad03d5de1966ae4822873dc4fc8ac5aa8980

SHA512
1f0a4287bd10d2915a87cdc921b20ef5ffc9563dd9d774ffe031b35e63158fe61f46df64d712ef8df844119bb1e43ff17b2f377b7a5d1318c6ad6acd41f91a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
MD5
7b4c9fa2f95caaf096b15e129623d657

SHA1
b4e253782de542a520b55205a019bd0dd6695ed8

SHA256
6d484c276965970169270302286bad03d5de1966ae4822873dc4fc8ac5aa8980

SHA512
1f0a4287bd10d2915a87cdc921b20ef5ffc9563dd9d774ffe031b35e63158fe61f46df64d712ef8df844119bb1e43ff17b2f377b7a5d1318c6ad6acd41f91a28

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
MD5
7b4c9fa2f95caaf096b15e129623d657

SHA1
b4e253782de542a520b55205a019bd0dd6695ed8

SHA256
6d484c276965970169270302286bad03d5de1966ae4822873dc4fc8ac5aa8980

SHA512
1f0a4287bd10d2915a87cdc921b20ef5ffc9563dd9d774ffe031b35e63158fe61f46df64d712ef8df844119bb1e43ff17b2f377b7a5d1318c6ad6acd41f91a28

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
MD5
7b4c9fa2f95caaf096b15e129623d657

SHA1
b4e253782de542a520b55205a019bd0dd6695ed8

SHA256
6d484c276965970169270302286bad03d5de1966ae4822873dc4fc8ac5aa8980

SHA512
1f0a4287bd10d2915a87cdc921b20ef5ffc9563dd9d774ffe031b35e63158fe61f46df64d712ef8df844119bb1e43ff17b2f377b7a5d1318c6ad6acd41f91a28

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\f8d022d707843f03a50e7ec12120c51b7f1521b8ae0f3e2138abfceacb122911.exe
MD5
7b4c9fa2f95caaf096b15e129623d657

SHA1
b4e253782de542a520b55205a019bd0dd6695ed8

SHA256
6d484c276965970169270302286bad03d5de1966ae4822873dc4fc8ac5aa8980

SHA512
1f0a4287bd10d2915a87cdc921b20ef5ffc9563dd9d774ffe031b35e63158fe61f46df64d712ef8df844119bb1e43ff17b2f377b7a5d1318c6ad6acd41f91a28

Download Submit
memory/960-54-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/964-67-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/964-68-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/964-65-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/964-64-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/964-62-0x0000000000380000-0x000000000039F000-memory.dmp

Filesize
124KB

Download
memory/964-61-0x0000000002320000-0x000000000244D000-memory.dmp

Filesize
1.2MB

Download
memory/964-60-0x0000000000AA0000-0x0000000000B3F000-memory.dmp

Filesize
636KB

Download
memory/964-66-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/964-63-0x00000000026D0000-0x00000000027D9000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads