Analysis
max time kernel: 159s
max time network: 123s
platform: windows7_x64
resource: win7-en-20211208
submitted: 01-02-2022 15:45
Static task: static1
Behavioral task: behavioral1
  Sample: 45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe
  Resource: win10v2004-en-20220113
General
Target: 45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe
Size: 701KB
MD5: bda635870e7e7ae4945a896bf92a6846
SHA1: 4a6cfa6767a35010ca9da08789edbf33e81b890d
SHA256: 45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d
SHA512: 5b32aadec793816fefe3edbe55b2e39ae0ab24231a1408c425bf28bf23f8c6452742f5b368632fb95144e9151bb47feb6fcb54ea7f1b7089f6ba688ab74ae644
Malware Config
Extracted
Ransom note: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW_TO_RECOVER_DATA.html
Contact: the note carries two mailto: links; the addresses themselves are not preserved in this capture (both appear only as [email protected]).
Signatures
-
Detect Neshta Payload 1 IoCs
Processes:
  yara rule family_neshta matched: C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
  (DW20.EXE is a legitimate Office component; the match means the copy in MSOCache was infected during the run, so the hashes listed for it under Downloads are those of the infected copy, not of the clean file.)
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker Payload 6 IoCs
Processes:
  yara rule family_medusalocker matched:
    \Users\Admin\AppData\Local\Temp\3582-490\45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe (listed twice)
    C:\Users\Admin\AppData\Roaming\svchostt.exe (listed twice)
    \Users\Admin\AppData\Roaming\svchostt.exe
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
  45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe (PID 1880): Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
-
Neshta
Neshta is a file infector. In this run it copies itself to C:\Windows\svchost.com, rewrites the exefile\shell\open\command handler to C:\Windows\svchost.com "%1" %* so that every .exe launch passes through the infector first, and writes its own body into every executable it can open for modification (the Program Files list below). When an infected file runs, the stub writes the original host program to %TEMP%\3582-490\ and executes it from there, which is why the submitted sample (PID 1880) spawns a copy of itself under 3582-490 (PID 696) whose hashes differ from the Target hashes under General: PID 1880 carries the Neshta behaviours and PID 696 the MedusaLocker behaviours. Cleanup therefore means restoring the exefile handler to its default "%1" %*, removing svchost.com, and checking every executable the infector opened, not only the submitted file.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
  PID 696  45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe
  PID 1764 svchostt.exe
-
Loads dropped DLL 3 IoCs
Processes:
  PID 1880 45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe (3 events)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 IoCs
Processes:
  45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe (PID 696): Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe (PID 696): File opened (read-only) on each of
  \??\T: \??\W: \??\Y: \??\E: \??\H: \??\J: \??\P: \??\S: \??\I: \??\M: \??\V: \??\Z: \??\L: \??\A: \??\B: \??\F: \??\G: \??\K: \??\X: \??\N: \??\O: \??\Q: \??\R: \??\U:
  (every drive letter except C: and D:, i.e. the process probes all possible volumes rather than the ones that exist)
-
Drops file in Program Files directory 64 IoCs
Processes:
  45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe (PID 1880): File opened for modification (paths as recorded, in 8.3 short-name form)
  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
  C:\PROGRA~2\INTERN~1\iexplore.exe
  C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
  C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
  C:\PROGRA~2\WI54FB~1\setup_wm.exe
  C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
  C:\PROGRA~2\Google\Update\DISABL~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
  C:\PROGRA~2\INTERN~1\ielowutil.exe
  C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
  C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
  C:\PROGRA~2\WI4223~1\sidebar.exe
  C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
  C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
  C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
  C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
  C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
  C:\PROGRA~2\WI54FB~1\wmpshare.exe
  C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
  C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
  C:\PROGRA~2\WINDOW~1\wabmig.exe
  C:\PROGRA~2\WI54FB~1\wmlaunch.exe
  C:\PROGRA~2\WI54FB~1\wmprph.exe
  C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
  C:\PROGRA~2\MICROS~1\Office14\misc.exe
  C:\PROGRA~2\WINDOW~1\wab.exe
  C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
  C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
  C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
  C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
  C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
  C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
  C:\PROGRA~2\WINDOW~1\WinMail.exe
  C:\PROGRA~2\WI54FB~1\WMPDMC.exe
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
  C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
  45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe (PID 1880): File opened for modification C:\Windows\svchost.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID 272 vssadmin.exe
-
Modifies registry class 1 IoCs
Processes:
  45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe (PID 1880): Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (the same write as under "Modifies system executable filetype association")
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  PID 696 45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe (64 events, all from this process)
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
  vssvc.exe (PID 2016): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  wmic.exe (PID 392): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege)
  (The wmic.exe entries are the privileges WMIC enables on its own token at start-up and appear whenever wmic runs; the indicator here is the command line it was handed, wmic.exe SHADOWCOPY /nointeractive under Processes, not the token changes.)
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
  PID 1880 (45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe) wrote to PID 696 (45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe, the 3582-490 copy): 4 events
  PID 696 wrote to PID 272 (vssadmin.exe): 4 events
  PID 696 wrote to PID 392 (wmic.exe): 4 events
  PID 1904 (taskeng.exe) wrote to PID 1764 (svchostt.exe): 4 events
  (Every pair is a parent writing into a child it has just created, the same edges as in the process tree; no write into an unrelated process is recorded, so this is process creation, not injection.)
-
System policy modification 1 TTPs 3 IoCs
Processes:
  45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe (PID 696):
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (disables UAC; takes effect at the next logon/reboot)
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (administrators elevate without a prompt)
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (drives mapped in the user's session become visible to the elevated token, so an elevated encryptor also reaches mapped network shares)
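The signatures above are derived by the sandbox from registry writes, file writes and process creations. The following Python is an added example, not the sandbox's code and not taken from this report: it re-implements the relevant checks as detection logic over a hand-constructed event list built from the IoCs in this report (PIDs, paths, registry values and command lines are copied from it). The event schema, the name sample.exe standing in for the SHA256-named file, and the ATT&CK technique IDs in the comments (current numbering, not the Enterprise v6 numbering the report header refers to) are assumptions of the example.

```python
"""Behavioural signatures of the kind listed above, re-implemented as detection
logic over a constructed event list.  Added example: not the sandbox's code and
not taken from this report.  The events are hand-built from the report's IoCs;
the event schema and the name sample.exe (standing in for the SHA256-named file)
are assumptions."""
import re

POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
EXEFILE_KEY = r"HKLM\SOFTWARE\Classes\exefile\shell\open\command"
CLEAN_EXEFILE_COMMAND = '"%1" %*'          # default .exe handler on a clean install
WINDOWS_DIR = ["C:\\Windows\\"]
PROGRAM_FILES = ["C:\\Program Files", "C:\\PROGRA~1\\", "C:\\PROGRA~2\\"]  # long and 8.3 forms
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3582-490\sample.exe"
PERSIST = r"C:\Users\Admin\AppData\Roaming\svchostt.exe"

# Constructed events modelled on this report, in trace order.
EVENTS = [
    {"type": "registry_set", "pid": 1880, "key": EXEFILE_KEY, "name": "",
     "value": r'C:\Windows\svchost.com "%1" %*'},
    {"type": "file_write", "pid": 1880, "path": r"C:\Windows\svchost.com"},
    {"type": "file_write", "pid": 1880, "path": r"C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE"},
    {"type": "file_write", "pid": 1880, "path": SAMPLE},
    {"type": "process_create", "pid": 696, "ppid": 1880, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_set", "pid": 696, "key": POLICY_KEY, "name": "EnableLUA", "value": 0},
    {"type": "registry_set", "pid": 696, "key": POLICY_KEY, "name": "ConsentPromptBehaviorAdmin", "value": 0},
    {"type": "registry_set", "pid": 696, "key": POLICY_KEY, "name": "EnableLinkedConnections", "value": 1},
    {"type": "process_create", "pid": 272, "ppid": 696, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process_create", "pid": 392, "ppid": 696, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": "wmic.exe SHADOWCOPY /nointeractive"},
    {"type": "file_write", "pid": 696, "path": PERSIST},
    {"type": "process_create", "pid": 1764, "ppid": 1904, "image": PERSIST, "cmdline": PERSIST},
]

SHADOW_CMDS = (re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
               re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\b", re.I))
# Only the weakening values fire, so a hardening write of EnableLUA = 1 is ignored.
UAC_WEAKENING = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0}


def _norm(path):
    """Case-fold and unify separators: Windows paths and registry keys are case-insensitive."""
    return path.replace("/", "\\").lower()


def exefile_hijack(events):
    """Any exefile handler other than '"%1" %*' (here Neshta's svchost.com; ATT&CK T1546.001)."""
    return [(e["pid"], e["value"]) for e in events
            if e["type"] == "registry_set" and _norm(e["key"]) == _norm(EXEFILE_KEY)
            and _norm(e["value"].strip()) != _norm(CLEAN_EXEFILE_COMMAND)]


def uac_weakened(events):
    """EnableLUA / ConsentPromptBehaviorAdmin forced to 0 (T1548.002)."""
    return [(e["pid"], e["name"], e["value"]) for e in events
            if e["type"] == "registry_set" and _norm(e["key"]) == _norm(POLICY_KEY)
            and e["name"] in UAC_WEAKENING and UAC_WEAKENING[e["name"]] == e["value"]]


def linked_connections(events):
    """EnableLinkedConnections = 1: the user's mapped drives become visible to the
    elevated token, so an elevated encryptor also reaches network shares (T1112)."""
    return [(e["pid"], e["name"], e["value"]) for e in events
            if e["type"] == "registry_set" and _norm(e["key"]) == _norm(POLICY_KEY)
            and e["name"] == "EnableLinkedConnections" and e["value"] == 1]


def shadow_copy_tampering(events):
    """vssadmin / wmic shadow-copy commands (T1490 Inhibit System Recovery)."""
    return [(e["pid"], e["cmdline"]) for e in events if e["type"] == "process_create"
            and any(p.search(e["cmdline"]) for p in SHADOW_CMDS)]


def drops_in(events, prefixes):
    """File writes under any of the given directories, in long or 8.3 spelling."""
    wanted = tuple(_norm(p) for p in prefixes)
    return [e["path"] for e in events
            if e["type"] == "file_write" and _norm(e["path"]).startswith(wanted)]


def executes_dropped_exe(events):
    """process_create whose image was written earlier in the same trace."""
    written, hits = set(), []
    for e in events:
        if e["type"] == "file_write":
            written.add(_norm(e["path"]))
        elif e["type"] == "process_create" and _norm(e["image"]) in written:
            hits.append((e["ppid"], e["pid"], e["image"]))
    return hits


def run_signatures(events):
    """Signature name -> list of hits, named as in the report."""
    return {
        "Modifies system executable filetype association": exefile_hijack(events),
        "Drops file in Windows directory": drops_in(events, WINDOWS_DIR),
        "Drops file in Program Files directory": drops_in(events, PROGRAM_FILES),
        "Executes dropped EXE": executes_dropped_exe(events),
        "Interacts with shadow copies": shadow_copy_tampering(events),
        "System policy modification": uac_weakened(events) + linked_connections(events),
    }


if __name__ == "__main__":
    for name, hits in run_signatures(EVENTS).items():
        print(f"{name} ({len(hits)} IoCs)")
        for hit in hits:
            print("   ", hit)
```

Run stand-alone it prints the same six signature names as the report with the hits behind them. Two design choices matter for reuse on real telemetry: the exefile check compares against the clean default "%1" %* instead of searching for the string svchost.com, so any handler hijack fires, not just Neshta's; and the UAC check only fires on the weakening values, so a hardening script that writes EnableLUA = 1 does not produce a false positive.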
Processes
-
C:\Users\Admin\AppData\Local\Temp\45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe  (PID 1880)
  command line: "C:\Users\Admin\AppData\Local\Temp\45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe"
  - Modifies system executable filetype association
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3582-490\45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe  (PID 696, child of 1880)
    command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\vssadmin.exe  (PID 272, child of 696)
      command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 392, child of 696)
      command line: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe  (PID 2016)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exe  (PID 1904)
  command line: taskeng.exe {749CA4A5-2D9A-4D6C-B525-914394CBB7D8} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\svchostt.exe  (PID 1764, child of 1904)
    command line: C:\Users\Admin\AppData\Roaming\svchostt.exe
    - Executes dropped EXE
-
Reading the tree: the SysWOW64 paths show the payload runs as a 32-bit process on this x64 VM. vssvc.exe is the Volume Shadow Copy service, started on demand by the vssadmin call, not by the sample. taskeng.exe is the Task Scheduler engine, so svchostt.exe (a copy of the PID 696 payload, see the matching hashes under Downloads) is launched by a scheduled task rather than directly by the sample, which is the persistence mechanism to remove alongside the file itself.
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
  MD5: e08669412bbfbe097b58c306ad6a92e1
  SHA1: 687da428ad04f05b5c444203c633f9a11b309b18
  SHA256: f9e3111f85c0322020beb51229653e86d9eb26d762e67a17459cdc66f69be2fc
  SHA512: 045f03d38190af93489a2cee783bdd4ff9eebb4d3f61695cecad09720e3ac200efc6fa13d358e62b6e3f18e7b13124d2a0a17ccb72935534c8a177b0aafd13c4
  (legitimate Office component as captured after the run; this is the file that matched the family_neshta yara rule under Signatures, so the hashes are of the infected copy)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe
C:\Users\Admin\AppData\Roaming\svchostt.exe
\Users\Admin\AppData\Local\Temp\3582-490\45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d.exe
\Users\Admin\AppData\Roaming\svchostt.exe
  MD5: 2af97d7e5c6cda7a6c4d0828a23c756b
  SHA1: 334063cb91e86a1f8efd20f3a74a1e2e8eacafc6
  SHA256: d0d8628b44da07aaac7d2bc0287897b2abaeaaeded1d62cdebb6b71078d82e3e
  SHA512: 6dfec09fb52719a04e5636234969d0c81b06fcc6cf4269f9bd15a675477965fb16e161bb93569bad814ffd69f28c58b6d7ce4b0676b897f1b57d90c28fd271d3
  (one binary under four path spellings; the original report lists the two C:\ paths twice each. It is the MedusaLocker payload that the Neshta stub in the submitted sample writes to 3582-490 and runs as PID 696, which is why its hashes differ from the Target hashes under General; the svchostt.exe copy is the one the Task Scheduler later starts as PID 1764.)
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
memory/1880-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
  Filesize: 8KB