Analysis
- max time kernel: 180s
- max time network: 178s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 03:19

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
  Resource: win10-en-20211208
General
- Target: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
- Size: 73KB
- MD5: 1c021f42e3a138060e1d298726d1579f
- SHA1: 54e3384fb68fde6fc711491e8072781e3910156a
- SHA256: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c
- SHA512: 5ee344d17b5e9a2285258b8e16253263ebb856167b36e7679e602c041c2320c10a7182a7cb5c14f59fe3117a981e96fdff6fa7dc2c2194e90a6f659de143c101
Malware Config
Extracted from C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\How_to_recovery.txt:
- ithelp02@decorous.cyou
- ithelp02@wholeness.business
- http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (11 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
- File renamed: C:\Users\Admin\Pictures\InitializeSet.raw => C:\Users\Admin\Pictures\InitializeSet.raw.farattack
- File renamed: C:\Users\Admin\Pictures\MeasureDebug.tiff => C:\Users\Admin\Pictures\MeasureDebug.tiff.farattack
- File renamed: C:\Users\Admin\Pictures\SkipPing.tiff => C:\Users\Admin\Pictures\SkipPing.tiff.farattack
- File renamed: C:\Users\Admin\Pictures\StartUndo.tiff => C:\Users\Admin\Pictures\StartUndo.tiff.farattack
- File renamed: C:\Users\Admin\Pictures\GroupOut.png => C:\Users\Admin\Pictures\GroupOut.png.farattack
- File renamed: C:\Users\Admin\Pictures\GrantAssert.crw => C:\Users\Admin\Pictures\GrantAssert.crw.farattack
- File opened for modification: C:\Users\Admin\Pictures\MeasureDebug.tiff
- File opened for modification: C:\Users\Admin\Pictures\SkipPing.tiff
- File renamed: C:\Users\Admin\Pictures\SetRegister.raw => C:\Users\Admin\Pictures\SetRegister.raw.farattack
- File opened for modification: C:\Users\Admin\Pictures\StartUndo.tiff
- File renamed: C:\Users\Admin\Pictures\UndoRepair.raw => C:\Users\Admin\Pictures\UndoRepair.raw.farattack
Deletes itself (1 IoC)
Process: cmd.exe (PID 916)
Adds Run key to start application (2 TTPs, 1 IoC)
Process: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\LicChk = "C:\\Users\\Admin\\AppData\\Local\\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe"
Drops desktop.ini file(s) (38 IoCs)
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
- File opened (read-only): \??\A:
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe (PID 1124)
- vssadmin.exe (PID 676)
Opens file in notepad (likely ransom note) (1 IoC)
Process: NOTEPAD.EXE (PID 1752)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process: taskmgr.exe (PID 1480)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: taskmgr.exe (PID 1480)
Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes (token, PID, process):
- SeBackupPrivilege, 1736, vssvc.exe
- SeRestorePrivilege, 1736, vssvc.exe
- SeAuditPrivilege, 1736, vssvc.exe
- SeDebugPrivilege, 1480, taskmgr.exe
- SeIncBasePriorityPrivilege, 1580, 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
- 33, 1864, AUDIODG.EXE
- SeIncBasePriorityPrivilege, 1864, AUDIODG.EXE
- 33, 1864, AUDIODG.EXE
- SeIncBasePriorityPrivilege, 1864, AUDIODG.EXE
Suspicious use of FindShellTrayWindow (64 IoCs)
Process: taskmgr.exe (PID 1480)
Suspicious use of SendNotifyMessage (64 IoCs)
Process: taskmgr.exe (PID 1480)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (source PID and process -> target PID and process, number of entries):
- 1580 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe -> 520 cmd.exe (4 entries)
- 520 cmd.exe -> 676 vssadmin.exe (3 entries)
- 1580 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe -> 216 cmd.exe (4 entries)
- 216 cmd.exe -> 1124 vssadmin.exe (3 entries)
- 1580 9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe -> 916 cmd.exe (4 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe > nul
    - Deletes itself
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\How_to_recovery.txt
  - Opens file in notepad (likely ransom note)
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f4
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\Desktop\How_to_recovery.txt
  MD5: dc25b9677563088c9f6b8101032b1ff6
  SHA1: 7309a759725bda70392eb77cb22d09b498361d57
  SHA256: e86df8fff4ff879ed1399842a0357dd7baeb97c77226c7b70f564c259b3dbbf3
  SHA512: 9c31b323bdea16ab6374eb32542ebe0a9de79712e1a9cf08a341fe0dcdf4e4c43c3e12c70c78f94359d091d6b8eea832bd9cb415aae1860a26d969129f8b7da3
- memory/1480-55-0x000007FEFB571000-0x000007FEFB573000-memory.dmp
  Filesize: 8KB
- memory/1580-54-0x00000000754B1000-0x00000000754B3000-memory.dmp
  Filesize: 8KB