Analysis
- max time kernel: 133s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-02-2022 21:41
Static task: static1
Behavioral task: behavioral1
- Sample: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
- Resource: win10v2004-en-20220113
General
- Target: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
- Size: 99KB
- MD5: 20abc2fc4ae0ddc631322df67c828c17
- SHA1: 30fc7b84a438df84624e79d5365d4bd959fb5f72
- SHA256: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f
- SHA512: cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1
Malware Config
Extracted from ransom note: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
URL in note: http://decrypttozxybarc.onion/6938-6B08-A4FB-0006-4649
Signatures
-
suricata: ET MALWARE Ransomware/Cerber Checkin 2
-
suricata: ET MALWARE Ransomware/Cerber Checkin M3 (7)
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe, mountvol.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\\mountvol.exe\"" | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\\mountvol.exe\"" | mountvol.exe
-
Executes dropped EXE 6 IoCs
Processes: mountvol.exe (6 instances)
pid | process
1124 | mountvol.exe
288 | mountvol.exe
1552 | mountvol.exe
844 | mountvol.exe
1720 | mountvol.exe
1948 | mountvol.exe
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments: on a virtual machine the SystemBiosVersion and VideoBiosVersion values under HKLM\HARDWARE\DESCRIPTION\System typically carry hypervisor vendor strings (for example VBOX or VMware). Each of the four mountvol.exe workers below reads both values. These are registry reads, not writes, so they do not show up in Sysmon registry events (which cover key creation/deletion, value sets and renames); they are visible only to API-level monitoring such as this sandbox.
Processes: mountvol.exe (4 instances)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | mountvol.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | mountvol.exe
(the same two queries are recorded for each of the four processes, 8 IoCs in total)
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
1688 | cmd.exe
-
Drops startup file 2 IoCs
Processes: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe, mountvol.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mountvol.lnk | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mountvol.lnk | mountvol.exe
-
Loads dropped DLL 3 IoCs
Processes: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe, mountvol.exe
pid | process
1536 | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
1536 | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
1124 | mountvol.exe
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes: mountvol.exe, 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\mountvol = "\"C:\\Users\\Admin\\AppData\\Roaming\\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\\mountvol.exe\"" | mountvol.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | mountvol.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mountvol = "\"C:\\Users\\Admin\\AppData\\Roaming\\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\\mountvol.exe\"" | mountvol.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\mountvol = "\"C:\\Users\\Admin\\AppData\\Roaming\\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\\mountvol.exe\"" | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mountvol = "\"C:\\Users\\Admin\\AppData\\Roaming\\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\\mountvol.exe\"" | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run | mountvol.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ipinfo.io
16393 | ipinfo.io
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 2 IoCs
Processes: taskkill.exe (2 instances)
pid | process
320 | taskkill.exe
2468 | taskkill.exe
-
Modifies Control Panel 4 IoCs
SCRNSAVE.EXE names the screensaver binary, so the dropped copy is also launched whenever the screensaver timeout fires (MITRE ATT&CK T1546.002), a fourth autostart path on top of the Run, RunOnce and policy Run keys.
Processes: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe, mountvol.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\\mountvol.exe\"" | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop | mountvol.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\\mountvol.exe\"" | mountvol.exe
-
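The four persistence mechanisms listed above (policy Run key, Startup-folder .lnk, Run/RunOnce keys and SCRNSAVE.EXE) all point at the same dropped file. The detection below is an added example for this report, not code from the sandbox or the sample: it walks Sysmon-style registry-set and file-create events and returns one finding per autostart entry, with the ATT&CK technique and a note when the launched binary carries a System32 utility name but lives in a user-writable directory, as mountvol.exe does here. SAMPLE_EVENTS is constructed by hand from the IoCs above; the pid/image/target/details field names are an assumed simplification of the real Sysmon schema, and SYSTEM_BINARY_NAMES is an illustrative list.

```python
"""Flag autostart persistence in Sysmon-style registry and file events.

Added example for this report, not code from the sandbox or the sample.
Field names and SYSTEM_BINARY_NAMES are assumptions made for the example.
"""
import re
from typing import Dict, List

# Autostart locations the sample wrote, with the ATT&CK technique each maps to.
AUTOSTART_KEY_RULES = [
    (r"\\CurrentVersion\\Policies\\Explorer\\Run(\\|$)", "T1547.001 policy Run key"),
    (r"\\CurrentVersion\\RunOnce(\\|$)", "T1547.001 RunOnce key"),
    (r"\\CurrentVersion\\Run(\\|$)", "T1547.001 Run key"),
    (r"\\Control Panel\\Desktop\\SCRNSAVE\.EXE$", "T1546.002 screensaver"),
]
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\[^\\]+\.lnk$", re.IGNORECASE)

# Names of genuine System32 utilities (assumed, partial list). The same name
# under a user-writable directory is the masquerading the dropped file uses.
SYSTEM_BINARY_NAMES = {"mountvol.exe", "svchost.exe", "taskeng.exe", "dllhost.exe"}
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

HIVE = r"HKU\S-1-5-21-2329389628-4064185017-3901522362-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe"

# Constructed from the IoCs in the report (Sysmon Event ID 13 / 11 reduced to dicts).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "RegistryValueSet", "pid": "1536", "image": SAMPLE,
     "target": HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\mountvol", "details": '"' + DROPPED + '"'},
    {"event": "RegistryValueSet", "pid": "1124", "image": DROPPED,
     "target": HIVE + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\mountvol", "details": '"' + DROPPED + '"'},
    {"event": "RegistryValueSet", "pid": "1124", "image": DROPPED,
     "target": HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "details": '"' + DROPPED + '"'},
    {"event": "RegistryValueSet", "pid": "1536", "image": SAMPLE,
     "target": HIVE + r"\Control Panel\Desktop\SCRNSAVE.EXE", "details": '"' + DROPPED + '"'},
    {"event": "FileCreate", "pid": "1536", "image": SAMPLE,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\mountvol.lnk", "details": ""},
    # Constructed noise: Internet Explorer writing its own settings must not fire.
    {"event": "RegistryValueSet", "pid": "1964", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "target": HIVE + r"\Software\Microsoft\Internet Explorer\Main\FullScreen", "details": "no"},
]


def masquerade_note(path: str) -> str:
    """Explain why an autostart target looks like masquerading, or return '' if it does not."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARY_NAMES and USER_WRITABLE_RE.match(path):
        return f"{name} is a System32 utility name but this copy runs from a user-writable directory"
    return ""


def find_persistence(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event that installs an autostart entry."""
    findings = []
    for ev in events:
        if ev["event"] == "RegistryValueSet":
            for pattern, technique in AUTOSTART_KEY_RULES:
                if re.search(pattern, ev["target"], re.IGNORECASE):
                    launched = ev["details"].strip().strip('"')  # the value is the quoted exe path
                    findings.append({"pid": ev["pid"], "image": ev["image"], "technique": technique,
                                     "launches": launched, "note": masquerade_note(launched)})
                    break
        elif ev["event"] == "FileCreate" and STARTUP_LNK_RE.search(ev["target"]):
            findings.append({"pid": ev["pid"], "image": ev["image"], "technique": "T1547.001 Startup folder",
                             "launches": ev["target"], "note": ""})
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f["technique"], "by pid", f["pid"], "->", f["launches"], f["note"])
```

The rule order matters only in that the policy key path is tested before the plain Run pattern; the `(\\|$)` suffix keeps `\Run` from matching `\RunOnce`. On a real Sysmon feed the same rules apply to Event ID 13 `TargetObject` and Event ID 11 `TargetFilename`.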
Modifies Internet Explorer settings
These keys are written by Internet Explorer after mountvol.exe opens the HTML ransom note in it (see the process tree below); they are the browser's own housekeeping (window placement, zoom, tabbed browsing state) rather than a change made by the ransomware itself.
Processes: iexplore.exe, IEXPLORE.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350865905" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D801F371-86D4-11EC-AB1E-F6A981946521} = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f302f7a020b975438ea1f1f995ba978300000000020000000000106600000001000020000000adf60ad8186f8d3f54d096433d587a30e261c0befa3b236d1ed2cb576b3fc212000000000e8000000002000020000000e22de5e1039895efe52d7d0300d0c34448ef9261561f8716f875f23048999e382000000066e86226dd12e568e665a6c2fdfcd961bbced966655ec1031bbcd556241feb0e400000008166bdf902edef6d060b57b0991f1696bc23b522160177140127c3a88e1e37aa48db8c0534c8c673b8d633a019e7d8f053c1614b13fb26c8eccc6bdd5fcb57f1 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40b6cab3e11ad801 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not present in the capture] | iexplore.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes: mountvol.exe (4 instances)
pid | process | entries
1124 | mountvol.exe | 11
288 | mountvol.exe | 10
1720 | mountvol.exe | 10
1948 | mountvol.exe | 10
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe, mountvol.exe (6 instances), taskkill.exe (2 instances)
description | pid | process
Token: SeDebugPrivilege | 1536 | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
Token: SeDebugPrivilege | 1124 | mountvol.exe
Token: SeDebugPrivilege | 320 | taskkill.exe
Token: SeDebugPrivilege | 288 | mountvol.exe
Token: SeDebugPrivilege | 1552 | mountvol.exe
Token: SeDebugPrivilege | 844 | mountvol.exe
Token: SeDebugPrivilege | 1720 | mountvol.exe
Token: SeDebugPrivilege | 1948 | mountvol.exe
Token: SeDebugPrivilege | 2468 | taskkill.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: iexplore.exe
pid | process
1964 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
pid | process | entries
1964 | iexplore.exe | 2
1756 | IEXPLORE.EXE | 4
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe, cmd.exe, mountvol.exe, taskeng.exe, iexplore.exe, cmd.exe
Every target below is a direct child of the writing process (compare the process tree), so these writes accompany process creation rather than injection into an unrelated process. Each pair was recorded four times except the last two, which were recorded three times, 62 entries in total.
source pid | source process | target pid | target process
1536 | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe | 1124 | mountvol.exe
1536 | 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe | 1688 | cmd.exe
1688 | cmd.exe | 320 | taskkill.exe
1688 | cmd.exe | 2012 | PING.EXE
1124 | mountvol.exe | 288 | mountvol.exe
1124 | mountvol.exe | 1552 | mountvol.exe
1700 | taskeng.exe | 844 | mountvol.exe
1124 | mountvol.exe | 1720 | mountvol.exe
1124 | mountvol.exe | 1104 | NOTEPAD.EXE
1124 | mountvol.exe | 1964 | iexplore.exe
1124 | mountvol.exe | 1956 | WScript.exe
1124 | mountvol.exe | 1948 | mountvol.exe
1964 | iexplore.exe | 1756 | IEXPLORE.EXE
1124 | mountvol.exe | 2432 | cmd.exe
2432 | cmd.exe | 2468 | taskkill.exe
2432 | cmd.exe | 2512 | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe (level 1, PID 1536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
  - Adds policy Run key to start application
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe (level 2, PID 1124)
    Command line: "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe"
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe (level 3, PID 288)
      Command line: "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" -stat -1 -wait "SoR6^pjc f!)lyx*wyJPk331@5cuI"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe (level 3, PID 1552)
      Command line: "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" -watchdog
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe (level 3, PID 1720)
      Command line: "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" -stat 102
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\NOTEPAD.EXE (level 3, PID 1104)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
    - C:\Program Files\Internet Explorer\iexplore.exe (level 3, PID 1964)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 4, PID 1756)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\System32\WScript.exe (level 3, PID 1956)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
    - C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe (level 3, PID 1948)
      Command line: "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" -stat 102 -wait "ahK!%B) !X%&_+(nDH36={6_wgd2m"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (level 3, PID 2432)
      Command line: /d /c taskkill /t /f /im "mountvol.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" > NUL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\taskkill.exe (level 4, PID 2468)
        Command line: taskkill /t /f /im "mountvol.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\PING.EXE (level 4, PID 2512)
        Command line: ping -n 1 127.0.0.1
        - Runs ping.exe
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 1688)
    Command line: /d /c taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (level 3, PID 320)
      Command line: taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE (level 3, PID 2012)
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\taskeng.exe (level 1, PID 1700; the Task Scheduler engine, so this launch of the dropped copy comes from a scheduled task)
  Command line: taskeng.exe {875B8A62-F1AC-42CA-9C8D-E8C0714B5A21} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe (level 2, PID 844)
    Command line: C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\DllHost.exe (level 1, PID 2012; the PID was reused after the earlier PING.EXE exited)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
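Two patterns in the tree above are worth turning into detection logic: the kill/sleep/delete chain (`cmd /d /c taskkill /t /f /im "<image>" > NUL & ping -n 1 127.0.0.1 > NUL & del "<path>" > NUL`, where the localhost ping only serves as a delay so the file is unlocked before `del` runs) used twice to remove the original sample and later the dropped copy, and the worker fan-out in which PID 1124 launches copies of its own image with `-stat`, `-watchdog` and `-wait` switches. The code below is an added example for this report, not code from the sandbox or the sample: it runs both checks over process-creation records. SAMPLE_PROCESSES is constructed by hand from the tree above (pid, parent pid, image, command line); that record layout is an assumed simplification of Sysmon Event ID 1 or Windows event 4688 data, and the parent PID 900 given to the top-level processes is invented for the example.

```python
"""Detect self-removal chains and self-spawned workers in process-creation records.

Added example for this report, not code from the sandbox or the sample. The
record layout (pid, ppid, image, cmdline) and the parent PID 900 for top-level
processes are assumptions made for the example.
"""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe"

# Constructed from the process tree in the report.
SAMPLE_PROCESSES: List[Dict] = [
    {"pid": 1536, "ppid": 900, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 1124, "ppid": 1536, "image": DROPPED, "cmdline": '"' + DROPPED + '"'},
    {"pid": 288, "ppid": 1124, "image": DROPPED, "cmdline": '"' + DROPPED + '" -stat -1 -wait "SoR6^pjc f!)lyx*wyJPk331@5cuI"'},
    {"pid": 1552, "ppid": 1124, "image": DROPPED, "cmdline": '"' + DROPPED + '" -watchdog'},
    {"pid": 1720, "ppid": 1124, "image": DROPPED, "cmdline": '"' + DROPPED + '" -stat 102'},
    {"pid": 1948, "ppid": 1124, "image": DROPPED, "cmdline": '"' + DROPPED + '" -stat 102 -wait "ahK!%B) !X%&_+(nDH36={6_wgd2m"'},
    {"pid": 1688, "ppid": 1536, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /d /c taskkill /t /f /im "' + ntpath.basename(SAMPLE) + '" > NUL & ping -n 1 127.0.0.1 > NUL & del "' + SAMPLE + '" > NUL'},
    {"pid": 320, "ppid": 1688, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": 'taskkill /t /f /im "' + ntpath.basename(SAMPLE) + '"'},
    {"pid": 2012, "ppid": 1688, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping -n 1 127.0.0.1"},
    {"pid": 2432, "ppid": 1124, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": 'cmd /d /c taskkill /t /f /im "mountvol.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "' + DROPPED + '" > NUL'},
    {"pid": 2468, "ppid": 2432, "image": r"C:\Windows\system32\taskkill.exe", "cmdline": 'taskkill /t /f /im "mountvol.exe"'},
    {"pid": 2512, "ppid": 2432, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 1 127.0.0.1"},
    # Constructed noise: a plain delete from an interactive shell must not fire.
    {"pid": 3001, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'cmd /c del "C:\Users\Admin\Desktop\old.txt"'},
]

SELF_DELETE_RE = re.compile(
    r'taskkill\s+(?:/[tf]\s+)*/im\s+"(?P<image>[^"]+)"'  # kill the named image tree
    r'.*?\bping\s+-n\s+\d+\s+127\.0\.0\.1'               # localhost ping used as a sleep
    r'.*?\bdel\s+"(?P<path>[^"]+)"',                      # then remove the file
    re.IGNORECASE,
)


def _image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def find_self_deletion(procs: List[Dict]) -> List[Dict]:
    """One finding per cmd.exe running the kill/ping/del chain, cross-checked
    against the image of the process that spawned it and the children it ran."""
    by_pid = {p["pid"]: p for p in procs}
    child_names = defaultdict(set)
    for p in procs:
        child_names[p["ppid"]].add(_image_name(p["image"]))
    findings = []
    for p in procs:
        if _image_name(p["image"]) != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(p["cmdline"])
        if not m:
            continue
        parent_image = by_pid[p["ppid"]]["image"] if p["ppid"] in by_pid else ""
        findings.append({
            "cmd_pid": p["pid"],
            "parent_pid": p["ppid"],
            "deleted_path": m.group("path"),
            "deletes_parent": parent_image.lower() == m.group("path").lower(),
            "kills_parent_image": _image_name(parent_image) == m.group("image").lower(),
            "chain_executed": {"taskkill.exe", "ping.exe"} <= child_names[p["pid"]],
        })
    return findings


def _args_after_image(p: Dict) -> str:
    """Command-line text after the (quoted) image path."""
    quoted = '"' + p["image"] + '"'
    if p["cmdline"].startswith(quoted):
        return p["cmdline"][len(quoted):].strip()
    return p["cmdline"].split(" ", 1)[1] if " " in p["cmdline"] else ""


def find_self_spawning(procs: List[Dict], min_children: int = 2) -> Dict[int, List[str]]:
    """Map parent pid -> first switch of each child that runs the parent's own image,
    for parents with at least min_children such children (the -stat/-watchdog workers)."""
    by_pid = {p["pid"]: p for p in procs}
    switches = defaultdict(list)
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent and parent["image"].lower() == p["image"].lower():
            args = _args_after_image(p)
            switches[p["ppid"]].append(args.split(" ", 1)[0] if args else "")
    return {pid: s for pid, s in switches.items() if len(s) >= min_children}


if __name__ == "__main__":
    for f in find_self_deletion(SAMPLE_PROCESSES):
        print("self-deletion by pid", f["parent_pid"], "->", f["deleted_path"], f)
    print("self-spawning:", find_self_spawning(SAMPLE_PROCESSES))
```

The `deletes_parent` and `kills_parent_image` flags are what separate this from an ordinary cleanup script: the cmd.exe is deleting the very binary that launched it. `chain_executed` confirms from the child processes that the chain actually ran rather than being a dead command line.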
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\json[1].json (listed twice in the original report; an IE cache entry, most likely the cached ipinfo.io response)
MD5: 0aa762bb10362f552b6144794a0d1888
SHA1: 750eba61c566f9d0c9b2dd997c77f35a95c515b2
SHA256: 5eafadbd4100539125257b4a3f3c4a8fe4fd33605fc8a9b52050d715475b4de4
SHA512: 01a293bdfc4beebac42a0fcfb0fb1dfd52613b35b7de50e942c4638e008f8527fe37a29572a7612ead8b65ad41e848e12ec3258ca5c821030cba2b394805da16
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YFMJZ4T6\json[1].json
(same hashes as the file above)
-
(no path recorded)
MD5: 24a1b6fe028423a64e84fd5aea17d001
SHA1: 45b8eb26b3d4f69a38f52c7469c93cda60d2e299
SHA256: e76b79247f3169efda1b2d1f07bf6ce4f33a1b9cc1383840ce190e5e615bef30
SHA512: 3242f33b629397ce790e114b4dcda71c98906eef170399ff6bbbffefc7dfc237d482281eac9d634c5fb3783fad20fc679b66b55755b9d42c31a0a1f7014b43f5
-
(no path recorded)
MD5: cb1355820dbefcaded468992d150f690
SHA1: a3afc76be32034434574cf15ae20da692a23f76e
SHA256: 52eae6c2e5f50af8c7c57956c9ff0e43a78d3d05e89c68de2e769da988b3534b
SHA512: d8e7187a46fdbd1208aaff3677458343564a704921c37f7fdcdfaf49df810da5532a6d6dcf69eba47e5b9a17a1dfbce0a9381c809e76f2e8330eeda6e60188c8
-
(no path recorded; identical to the submitted sample. This entry appears ten times in the original listing, consistent with the dropped mountvol.exe being an unmodified copy of the sample)
MD5: 20abc2fc4ae0ddc631322df67c828c17
SHA1: 30fc7b84a438df84624e79d5365d4bd959fb5f72
SHA256: 022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f
SHA512: cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1
-
(no path recorded)
MD5: b60bd4e2c6625c8ee69e2888802ce0f9
SHA1: 862c9deb4eac113a8974110c01ca794f950d8df0
SHA256: 274a2e9b17def721cf6a192933543aafb6ddca3851934bb930edbc75bbe6a6df
SHA512: 8aa1a48ed634976cd183091254a29f5c748e34d4b3fa667365d29e5f788115310c922417f320f9865525b7dc95933b5195ebcd0ad3dc5caefa45d52e748ee39c
-
(no path recorded)
MD5: 4a0508a7e0d38fdc08fe54e2fb8e6305
SHA1: 9ed16d297dc27eee76712346fad986542314d140
SHA256: ea42f094e577953a8596e412555b5192615b2b11cdb6e37ce417811e1448211a
SHA512: a8f24cae2780c8d8806bdd1501c2699dbfe65b16c9314d038cdf806fed70cdfbe60ec13f3aa93272a3e2710fa34e7b81e2ccebd539cb7ad0b9fc9ad90dbc9fa2
-
(no path recorded)
MD5: e9ffd9f618cbf36ad6c910c161bb8080
SHA1: a702b4220bbded577b4b699611bb73593b12ae71
SHA256: 020ca4b4574a40418b8aa4c2d74b0488e9d150e8d3f5e56e5c6dcca6f7dfaaac
SHA512: ee87264e384579df7b74d7ac08e9a490495efa34f1a99e2d4949cb76b839c165fbb281aacae25f4ab7e911401c7bfa3fba4b0e59dd492566985fb8dbd1cf1bef